---
title: "DPDP Act 2023: Director Liability, Board Responsibilities and Data Privacy Compliance for Indian Companies"
date: 2026-06-22
author: "Dhruv Kaushal"
url: https://ksandk.com/data-protection-and-data-privacy/dpdp-act-director-liability-board-responsibilities-data-privacy-compliance/
---

India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) represents one of the most significant regulatory developments affecting corporate governance, data privacy compliance and risk management in recent years. While many organisations initially viewed the legislation as a technology or legal compliance issue, the DPDP Act has rapidly emerged as a boardroom concern requiring active involvement from directors, chief executive officers, managing directors and senior management.

## **Can Directors Be Liable Under the DPDP Act?**

As businesses increasingly rely on digital ecosystems, customer analytics, artificial intelligence, cloud infrastructure and data-driven decision making, the collection and processing of personal data have become central to commercial operations. Consequently, questions relating to DPDP Act compliance, director liability, board responsibilities and data breach management are becoming increasingly important for corporate leadership.

One of the most common questions raised by boards and senior executives is whether directors can be held personally liable for violations of the DPDP Act. While the legislation primarily imposes obligations on organisations acting as Data Fiduciaries, directors and senior management cannot afford to treat data privacy compliance as solely an operational issue.

The DPDP Act introduces a governance framework where privacy failures, inadequate oversight and weak compliance systems may create significant legal, regulatory, financial and reputational risks for organisations and their leadership.

## **Why the DPDP Act Is a Board-Level Governance Issue**

Historically, privacy compliance was often delegated to legal, information technology or cybersecurity teams. However, the DPDP Act fundamentally changes the nature of data protection obligations in India.

Data privacy is now closely linked with:

- Enterprise risk management;
- Corporate governance;
- Regulatory compliance;
- Cybersecurity preparedness;
- Investor confidence;
- Customer trust; and
- Business continuity.

The legislation empowers regulators to impose substantial penalties for non-compliance. Depending on the nature of the contravention, penalties may extend up to INR 250 crore for certain violations. For large corporations, financial institutions, healthcare providers, technology companies, e-commerce platforms and multinational enterprises processing substantial volumes of personal data, the consequences of non-compliance can be significant.

As a result, boards are increasingly expected to exercise oversight over data governance frameworks and privacy risk management programmes.

## **DPDP Act Compliance Requirements for Companies**

The DPDP Act applies to the processing of digital personal data by entities that determine the purpose and means of such processing. These entities, referred to as “Data Fiduciaries,” are required to comply with several obligations, including:

- Providing clear and accessible privacy notices;
- Obtaining valid consent where required;
- Implementing reasonable security safeguards;
- Ensuring data accuracy where necessary;
- Facilitating data principal rights;
- Establishing grievance redressal mechanisms;
- Reporting personal data breaches; and
- Maintaining accountability throughout the data processing lifecycle.

For organisations, compliance extends beyond drafting privacy policies. It requires a structured governance framework supported by technology, processes and executive oversight.

## **Can Directors Be Personally Liable for DPDP Act Violations?**

A critical concern for boards is whether directors, CEOs and managing directors can be personally liable under the DPDP Act. Unlike certain regulatory statutes that expressly impose vicarious liability upon officers in default, the DPDP Act does not generally provide for automatic personal liability of directors for every violation committed by the company.

The primary obligations under the Act are imposed upon the Data Fiduciary itself. Accordingly, regulatory penalties are generally expected to be imposed upon the organisation rather than individual directors.

However, this should not be interpreted as providing complete insulation from risk. The absence of express statutory liability does not eliminate governance obligations or accountability expectations imposed upon directors under broader corporate law principles.

## **Indirect Risks Facing Directors, CEOs and Managing Directors**

Although direct personal liability may not arise in every case, directors and senior executives face several forms of indirect exposure when significant privacy failures occur.

### **Fiduciary Duty and Governance Obligations**

Under the Companies Act, 2013, directors are required to exercise due care, skill, diligence and independent judgment in carrying out their responsibilities. Where a significant privacy incident occurs due to inadequate oversight, regulators, shareholders and stakeholders may question whether the board discharged its governance responsibilities appropriately. In many cases, scrutiny focuses less on the occurrence of the incident itself and more on whether adequate governance mechanisms existed before the incident occurred.

### **Regulatory Investigations**

A major personal data breach may trigger investigations by multiple regulators depending upon the industry involved. Apart from privacy-related scrutiny, organisations may also face examination from sector-specific regulators, consumer protection authorities, financial regulators and other governmental agencies. Senior management may be required to demonstrate that appropriate privacy compliance frameworks and cybersecurity safeguards were implemented.

### **Shareholder and Investor Concerns**

Institutional investors increasingly assess cybersecurity and data governance risks when evaluating companies. A significant privacy incident may affect investor confidence, corporate valuation and governance ratings. As environmental, social and governance (ESG) considerations continue to evolve, data privacy is increasingly viewed as an important governance metric.

### **Executive Accountability**

Globally, major cybersecurity and privacy incidents have often resulted in increased scrutiny of CEOs, CIOs, CISOs and other senior executives. Although liability may not necessarily be personal under the DPDP Act, executive accountability expectations continue to rise.

## **DPDP Act Responsibilities of CEOs, Managing Directors and Senior Management**

Chief executive officers and managing directors occupy a particularly important position within the DPDP compliance framework.

While privacy obligations may be operationally implemented by legal, compliance and technology teams, executive leadership remains responsible for ensuring that sufficient resources, oversight and governance mechanisms are in place. Following a significant data breach, regulators and stakeholders may ask:

- Was privacy compliance adequately funded?
- Were known vulnerabilities addressed?
- Were internal warnings ignored?
- Were cybersecurity safeguards proportionate to the risk?
- Was incident response planning effective?
- Were breach reporting obligations complied with?

These questions inevitably place executive decision-making under scrutiny.

Accordingly, CEOs and managing directors should treat data privacy as a strategic business risk rather than merely a compliance requirement.

## **Board Responsibilities Under the DPDP Act**

Effective DPDP Act compliance requires active board engagement. Directors should ensure that privacy and cybersecurity risks form part of the organisation’s enterprise risk management framework.

**Key governance measures include:**

### ***Establishing Board-Level Oversight***

Boards should periodically review:

- Data protection programmes;
- Privacy compliance frameworks;
- Cybersecurity preparedness;
- Regulatory developments;
- Vendor risks; and
- Data breach trends.

Many organisations are increasingly assigning responsibility to Audit Committees, Risk Committees or dedicated Technology and Cybersecurity Committees.

### ***Implementing Reporting Mechanisms***

Management should provide periodic updates on:

- Compliance status;
- Security incidents;
- Vendor assessments;
- Privacy complaints;
- Regulatory developments; and
- Emerging technology risks.

Meaningful reporting enables directors to make informed governance decisions.

### ***Approving Data Governance Policies***

Boards should ensure that organisations maintain documented policies governing:

- Personal data protection;
- Information security;
- Data retention and deletion;
- Incident response;
- Third-party risk management; and
- Employee awareness and training.

Documented governance measures may prove important when responding to regulatory inquiries.

## **Third-Party Vendor Risks Under the DPDP Act**

Many organisations depend on cloud service providers, payroll processors, software vendors, consultants and outsourcing partners. However, outsourcing a function does not necessarily outsource accountability.

A privacy incident involving a third-party service provider may still expose the Data Fiduciary to regulatory scrutiny and reputational damage. Accordingly, organisations should establish robust vendor management frameworks incorporating:

- Due diligence procedures;
- Contractual safeguards;
- Security assessments;
- Audit rights; and
- Ongoing monitoring mechanisms.

Third-party risk management is likely to become a key area of regulatory focus under India’s evolving privacy regime.

## **Data Breach Response and Incident Management**

An organisation’s preparedness is often tested during a data breach rather than during routine compliance reviews. Boards should ensure that management maintains:

- Incident response plans;
- Escalation procedures;
- Internal investigation protocols;
- Regulatory notification mechanisms;
- Communication strategies; and
- Business continuity arrangements.

The effectiveness of these measures may significantly influence how regulators assess an organisation’s compliance posture following an incident.

## **DPDP Act Compliance Checklist for Boards and Corporate Leadership**

Boards and executive management should consider the following immediate action points:

### ***1. Conduct a DPDP Act Compliance Assessment***

Review existing practices relating to:

- Consent management;
- Privacy notices;
- Data retention;
- Security safeguards;
- Vendor oversight; and
- Data subject rights management.

### ***2. Create a Personal Data Inventory***

Identify:

- What personal data is collected;
- Why it is collected;
- Where it is stored;
- Who has access; and
- How long it is retained.

### ***3. Establish Accountability Structures***

Clearly allocate responsibilities across:

- Legal;
- Compliance;
- Information security;
- Human resources;
- Marketing; and
- Business operations.

### ***4. Strengthen Data Breach Preparedness***

Conduct tabletop exercises and periodically test incident response procedures.

### ***5. Review Insurance Coverage***

Evaluate cyber insurance, technology liability coverage and directors and officers insurance policies.

### ***6. Train Directors and Senior Management***

Privacy governance awareness should extend beyond operational teams and include board members and executive leadership.

## **Frequently Asked Questions on Director Liability Under the DPDP Act**

### ***Can directors be personally liable under the DPDP Act?***

The DPDP Act primarily imposes obligations on Data Fiduciaries rather than directors personally. However, directors may still face scrutiny regarding governance failures, oversight responsibilities and fiduciary duties where significant privacy incidents occur.

### ***Can a CEO be held responsible for a data breach under the DPDP Act?***

Although regulatory penalties are generally directed at the organisation, CEOs are expected to ensure that appropriate compliance programmes, cybersecurity safeguards and governance frameworks are implemented.

### ***What is the maximum penalty under the DPDP Act?***

Depending on the nature of the violation, penalties under the DPDP Act may extend up to INR 250 crore for certain contraventions.

### ***What are the key board responsibilities under the DPDP Act?***

Boards should oversee privacy compliance programmes, cybersecurity preparedness, vendor risk management, incident response planning and ongoing regulatory compliance efforts.

### ***What should companies do to prepare for DPDP Act compliance?***

Organisations should conduct privacy assessments, map personal data, strengthen security controls, review vendor arrangements, establish governance frameworks and train employees and management teams.

## **Conclusion**

The Digital Personal Data Protection Act, 2023 has transformed data privacy from a technical compliance issue into a critical corporate governance priority. While directors, CEOs and managing directors may not automatically incur personal liability for every violation, the DPDP Act creates an environment in which privacy governance failures can generate substantial regulatory, financial and reputational consequences.

For boards, the question is no longer whether data privacy deserves attention. The real challenge is demonstrating that appropriate governance structures, compliance frameworks and oversight mechanisms are in place.

As enforcement under the DPDP Act evolves, organisations that proactively integrate privacy governance into their broader risk management framework will be better positioned to navigate regulatory scrutiny, maintain stakeholder confidence and build long-term resilience in an increasingly data-driven economy.

**Co-authored by Aniket Ghosh**