AMLEGALS

Board-Level Privacy Governance Under DPDPA

Director Accountability, Governance Structures and Strategic Oversight for Data Protection Compliance

"Where any contravention of any provision of this Act has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the body corporate, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention."

DPDPA Section 36

The DPDPA extends personal liability to directors and officers through Section 36, creating a governance imperative that transforms data protection from an IT function into a board-level strategic concern. When any DPDPA contravention is committed with the consent, connivance, or attributable neglect of a director, manager, secretary, or other officer, that individual is personally deemed guilty. This is not theoretical — it mirrors the Companies Act 2013 officer liability provisions that have been actively enforced. Combined with Section 10's Significant Data Fiduciary obligations for appointing Data Protection Officers and conducting audits, the DPDPA creates a governance framework that demands active board engagement, not passive delegation.

Section 36: Personal Liability Architecture

Section 36 of the DPDPA establishes three distinct bases for personal liability of directors and officers: consent, connivance, and attributable neglect. Consent implies active approval of the contravening conduct. Connivance suggests awareness without active prevention — turning a blind eye to non-compliance. Attributable neglect is the broadest ground: it captures failures of oversight, inadequate governance structures, and insufficient attention to compliance obligations. For board directors, the attributable neglect ground is the most significant because it does not require knowledge of the specific violation — it requires only that the violation resulted from inadequate governance that the director should have prevented. This creates an affirmative duty to ensure that compliance structures, resources, and oversight mechanisms are in place. A director who delegates data protection entirely to the IT department without establishing governance oversight, compliance reporting, or resource allocation may face personal liability under the neglect ground if violations occur.

Key Points

  • Three liability bases: consent, connivance, and attributable neglect
  • Attributable neglect does not require knowledge of specific violation
  • Affirmative duty to ensure adequate governance structures
  • Delegation without oversight exposes directors to personal liability

Significant Data Fiduciary Governance Obligations

Section 10 creates enhanced governance obligations for organisations designated as Significant Data Fiduciaries by the Central Government based on volume, sensitivity, or risk of processing. These organisations must: (a) appoint a Data Protection Officer based in India; (b) appoint an independent data auditor; and (c) conduct periodic Data Protection Impact Assessments. The DPO must report directly to the board or a board-level committee — not to the IT department or Chief Information Officer. This reporting line is critical because it ensures that compliance information reaches the governance level without operational filtering. The independent data auditor provides external assurance that the organisation's processing activities comply with the Act. Together, these requirements create a governance infrastructure — DPO appointment, independent audit, and impact assessment — that establishes the minimum standard of care against which director diligence under Section 36 will be measured. Boards that fail to establish these structures cannot claim reasonable diligence.

Key Points

  • Section 10 mandates DPO, independent auditor, and impact assessments
  • DPO must report directly to board or board committee
  • Independent audit provides external compliance assurance
  • Governance infrastructure defines minimum standard of care for Section 36

Building an Effective Board Privacy Committee

Best governance practice under the DPDPA involves constituting a dedicated Board Privacy Committee or integrating privacy governance into an existing Risk or Audit Committee with defined terms of reference. The committee should: (a) receive quarterly compliance reports from the DPO including grievance trends, breach incidents, and regulatory developments; (b) review and approve the annual data protection budget and resource allocation; (c) oversee Data Protection Impact Assessments for high-risk processing activities; (d) review and approve material changes to data processing practices, particularly those involving Significant Data Fiduciary obligations; and (e) maintain minutes that document governance decisions, risk assessments, and compliance directives. Documentation is the director's primary defence under Section 36: contemporaneous records of governance engagement, questioning, and decision-making demonstrate active oversight rather than passive delegation. The committee structure should include at least one member with data protection expertise or access to independent expert advice.

Key Points

  • Dedicated Board Privacy Committee or integrated Risk/Audit Committee
  • Quarterly DPO reports covering grievances, breaches, and regulatory changes
  • Committee oversight of impact assessments and material processing changes
  • Documented governance decisions serve as primary Section 36 defence

Strategic Integration and Compliance Culture

Board-level privacy governance extends beyond structural compliance into organisational culture. Directors must ensure that data protection is integrated into strategic planning, product development, M&A due diligence, and vendor management. A board that approves a new product launch without considering DPDPA implications — notice requirements under Section 5, consent architecture under Section 6, processor obligations under Section 8 — demonstrates the kind of neglect that Section 36 targets. Similarly, M&A transactions must include DPDPA compliance assessment as part of due diligence: acquiring an entity with significant non-compliance creates successor liability that the acquiring board should have identified. The compliance culture extends to resource allocation: boards that underfund data protection relative to their processing scale and risk profile may face attributable neglect arguments if violations occur. The DPDPA, through the combined effect of Section 36 and Section 10, effectively requires boards to treat data protection with the same strategic seriousness as financial reporting, anti-money laundering, and securities compliance.

Key Points

  • Data protection must integrate into strategic planning and product development
  • M&A due diligence must include DPDPA compliance assessment
  • Underfunding data protection relative to risk creates Section 36 exposure
  • DPDPA requires strategic equivalence with financial and securities compliance

Key Takeaways

1. Section 36 extends personal liability to directors through consent, connivance, or attributable neglect
2. Attributable neglect creates an affirmative governance duty that does not require knowledge of specific violations
3. Significant Data Fiduciaries under Section 10 must appoint a DPO and an independent auditor, and conduct impact assessments
4. A Board Privacy Committee with documented governance decisions is the primary defence under Section 36
5. Data protection must be integrated into strategic planning, M&A, and product development
6. Resource allocation for data protection is a measurable indicator of board diligence

Statutory References

  • DPDPA Section 36
  • DPDPA Section 10(1)
  • DPDPA Section 10(2)
  • DPDPA Section 33
  • DPDPA Section 5
  • DPDPA Section 6
  • DPDPA Section 8
  • Companies Act 2013 Section 149
