India To Get Data Protection Board: Here’s How DPDP Rules Shake Things Up

India To Get Data Protection Board: Here’s How DPDP Rules Shake Things Up

Board Set Up Under DPDP Act, Head Office Placed In NCR

MeitY’s notification marks the official establishment of the new body empowered to investigate data breaches, conduct inquiries and determine penalties for violations under the DPDP Act.

The government stated, “In exercise of the powers conferred by sub-sections (1) and (3) of section 18 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby establishes, the Data Protection Board of India, to exercise the powers conferred on, and to perform the functions assigned to it under the said Act, with effect from the date of publication of this notification in the Official Gazette. The head office of the Data Protection Board of India shall be in the National Capital Region of India.”

According to MeitY, the Board will consist of four members. The DPDP Rules, 2025, lay out the framework for their appointment, tenure, and service conditions. The notifications also reiterate the Board’s mandate as an independent adjudicatory authority empowered to oversee enforcement of personal data protection norms across digital platforms.

Rules Finalised After Months Of Consultation

The government has been working on the operational rulebook for nearly a year. Draft rules were opened for public consultation in January 2025, drawing inputs from industry, civil society, and government departments. MeitY released the finalised rules on November 14 after several rounds of review and internal consultations.

The rules now complete the implementation pipeline for the DPDP Act, which was passed by Parliament in August 2023 but required a clear regulatory framework before enforcement could begin.

Clearer Obligations For Platforms And Stricter Compliance Norms

With the rules now in force, companies in sectors such as e-commerce, gaming, social media and digital services will have to comply with a wide range of obligations. These include issuing clear and detailed notices to users about how their data will be handled, obtaining verifiable consent before processing personal information, and adhering to firm limits on data retention.

Rules around children’s data have been tightened, requiring stronger verification and safeguarding measures. Major digital platforms will also be required to erase user data within specified deadlines, ensuring companies cannot hold on to personal information indefinitely.

The release of the DPDP Rules marks a major milestone for India’s digital governance ecosystem, paving the way for the country’s first comprehensive personal data protection regime to become operational.