Why Your Privacy Program Should Report to the Board — Not Just Legal

In most organisations, data privacy lives inside the legal team. The General Counsel or compliance head owns the policy, a lawyer manages the implementation, and the board receives an update once a year — usually after something has gone wrong.

This structure made some sense when privacy was primarily a legal risk. It makes considerably less sense today, when data privacy is simultaneously a regulatory obligation, a customer trust issue, a technology problem, an HR matter, and increasingly, a competitive differentiator.

Under India’s DPDP Act, the expectation is shifting. Here is why privacy governance needs to reach the boardroom — and what that actually looks like in practice.

Why legal ownership alone is not enough

Legal teams are essential to privacy governance. They understand the law, they manage regulatory relationships, and they are often the first to identify compliance gaps. But they cannot own the entire function.

Privacy affects every part of the business that touches personal data. In most organisations, that means HR (employee data), IT (systems and access controls), marketing (customer data and consent), sales (CRM and prospect data), procurement (vendor contracts), product (data collected through digital products), and finance (payment and transaction data). Each of these functions makes daily decisions that affect the organisation’s privacy posture.

When privacy is owned exclusively by legal, those decisions happen without adequate governance. The marketing team launches a new campaign without a consent review. The product team ships a feature that collects new categories of data without a privacy impact assessment. The procurement team onboards a vendor without a data processing agreement. These are not hypothetical scenarios — they happen routinely in organisations where privacy has not been embedded beyond the legal function.

What DPDP expects from leadership

While the DPDP Act does not prescribe a specific governance structure for most organisations, it does create accountability that flows upward. Data Fiduciaries are responsible for compliance — which means the board and senior leadership cannot credibly claim that privacy is entirely a legal team matter.

For Significant Data Fiduciaries, the obligations are more explicit. A Data Protection Officer must be appointed, reporting to the board. Periodic audits must be conducted. Data Protection Impact Assessments must be completed for high-risk processing activities. These are governance structures, not just legal tasks.

Even for organisations that do not fall into the Significant Data Fiduciary category, the direction of travel is clear. Regulators across every jurisdiction — and the DPDP Act follows this pattern — increasingly expect privacy to be a leadership-level governance function, not a back-office compliance task.

What board-level privacy governance actually looks like

Elevating privacy to the board does not mean that board members need to become experts in data protection law. It means establishing the right structures so that privacy risk is visible, accountable, and acted upon at the right level.

A Data Privacy Steering Committee. A cross-functional committee — typically chaired by the General Counsel or a senior compliance officer, with representation from IT, HR, marketing, and product — that reviews privacy risk, approves significant processing activities, and escalates material issues to the board. This is the governance layer that connects legal oversight to operational reality.

A quarterly privacy dashboard. Board members need information in a format they can act on. A quarterly dashboard covering key metrics — consent rates, data subject requests received and resolved, incidents and near-misses, third-party audit findings, training completion rates — gives the board the visibility it needs without requiring deep technical knowledge.

Privacy by design as a process gate. New products, features, campaigns, and vendor relationships should pass through a privacy review before launch, not after. This does not need to be a lengthy process — a structured checklist managed by the cross-functional committee is sufficient for most decisions.

Clear escalation paths. Every function that handles personal data should know what decisions they can make independently and what decisions require escalation. Ambiguity about escalation paths is one of the most common causes of privacy incidents.
