
DPDPA Rule 21: The Machinery Behind the Data Protection Board of India
Ensure your business meets DPDP Act compliance requirements. Discover key obligations for data fiduciaries, penalty risks, and steps to protect user privacy.
Written by
Himanshu Jotwani
Date
Read time
5 min

What Rule 21 Says
A privacy law without enforcers is just a well-written suggestion. DPDPA Rule 21 is where the theory of compliance meets the reality of enforcement. It dictates exactly how the Data Protection Board of India will staff itself.
The rule is short, but it defines the pipeline for the people who will actually read your breach reports and issue your fines.
- The Board can appoint the officers and employees it deems necessary to discharge its functions under the Act.
- But they cannot do it alone. Every appointment requires the previous approval of the Central Government.
- The terms and conditions of service for these officers are not left to internal policy notes. They are specified in the Sixth Schedule.
That is the entire rule. It tells you who controls the hiring, and where the binding rules of employment live.
Why This Matters
The Board is the operational core for enforcement and adjudication under the DPDPA. Rule 21 determines how quickly and predictably it can build capacity, and who has the final say on the people doing the work.
Three takeaways:
- The Board proposes, the Government disposes. The Board has the discretion to decide what staffing it needs, but Central Government approval comes first.
- Standardized service. Service conditions are locked into the Sixth Schedule, not negotiated case by case. That gives structure to roles, pay, tenure, and processes.
- Tied to the statute. Hiring is not open-ended. It must connect directly to operational needs under the Act.
Scope and Boundaries
This rule governs only the Board’s internal appointments. It does not impose direct obligations on data fiduciaries or processors. But it defines the apparatus that will.
- Decision rights: The Board identifies staffing needs and candidates. The Central Government’s previous approval is the prerequisite.
- Terms of service: The Sixth Schedule is the authoritative source. Rule 21 does not permit deviation through ad hoc orders.
The result is a two-level control. The Board plans the machinery. The Central Government plugs it in.

Reading “Previous Approval” Practically
“Previous approval” is a gating requirement. It is not a rubber stamp applied after the fact. The Board cannot regularize an appointment first and seek ratification later.
In practice, this implies a strict sequence:
- The Board prepares staffing proposals with justifications linked to functional needs under the Act.
- The Central Government reviews and either approves or withholds approval.
- Appointment instruments reflect that approval has been obtained.
This sequence matters for timing, onboarding, and authority to act. An officer without a validly approved appointment would not have clear standing to carry out statutory tasks.
The Sixth Schedule as the Control Point
Rule 21 places service conditions in the Sixth Schedule. While the rule does not reproduce those conditions, the placement itself is the point.
- Officers and employees of the Board are subject to uniform, predefined terms.
- Matters like categories of posts, pay, allowances, leave, conduct, and disciplinary processes are addressed in the Schedule.
- Amendments to service conditions will follow the formal route for Schedule changes, not informal HR memos.
For organizations interacting with the Board, this translates to consistent points of contact and predictable procedural behavior. Internal discretion on terms is strictly limited by the Schedule.
Implications for Enforcement Capacity
Although Rule 21 does not quantify staffing, it directly affects the Board’s ability to scale its operations.
- Capacity growth is enabled by the Board’s discretion to determine staffing needs.
- The Central Government’s approval role introduces oversight,and sequencing,in hiring.
- Stability of service conditions helps retain trained officers and sustain institutional knowledge.
Regulated entities should expect the Board to formalize roles for investigations, hearings support, order drafting, data handling, and communications. The rule provides the legal foundation for those roles to exist and operate under consistent terms.
What Changes for Organizations in Practice
You will not just be talking to the Members of the Board. You will be dealing with the apparatus.
- Points of interaction: Expect to engage with appointed officers who manage notices, evidence, hearings coordination, and compliance monitoring.
- Procedural clarity: Because service conditions are standardized, processes handled by officers should follow defined internal protocols rooted in the Sixth Schedule and the Act.
- Document readiness: Efficient officers will expect efficient responses. Maintain clear records, verifiable data trails, and named contacts on your side.
- Expectation management: Appointment approvals can influence how quickly the Board scales. Do not assume uniform capacity across regions or functions at all times. Plan for variability without relying on it.
None of this changes your legal obligations. It informs how you prepare for operational interactions with an empowered administrative body.
Governance, Accountability, and Independence
Rule 21 balances institutional independence with governmental oversight.
- Independence in needs assessment: The Board decides what it needs to discharge statutory functions effectively.
- Accountability through approval: The Central Government must agree before appointments take effect.
- Predictability through the Schedule: Officers operate under published terms, which support fair process and mitigate arbitrary internal changes.
For compliance teams, this means decisions from Board officers will sit within a clear authority chain. Challenge processes, escalation routes, and record keeping will benefit from that structure.

Practical Steps for Compliance Teams
How do you prepare for an administrative body that is still building itself?
- Track official communications: Monitor notifications about Board appointments and office coordinates. Use official channels for submissions and queries.
- Map interaction points: Identify exactly who in your organization handles Board notices, data requests, and hearing logistics. Document this in your incident and inquiry runbooks.
- Standardize evidence handling: Prepare templates for response letters, annexures, chain-of-custody logs, and data extracts. When the regulator knocks, you shouldn’t be formatting a Word document.
- Calibrate timelines: Build buffers into your internal SLAs to accommodate procedural steps on the regulator’s side. Do not wait for confirmations to start gathering records when a notice is likely.
Risks and Friction to Anticipate
- Timing dependencies: Appointment approval cycles can affect the Board’s operational bandwidth at certain periods. Maintain readiness regardless of perceived delays.
- Authority validation: Verify that communications come from designated Board officers or official channels before sharing sensitive data.
- Process integrity: Because service conditions are standardized, deviations in handling should be rare. If they occur, document the variance and seek clarification promptly.
Closing
DPDPA Rule 21 is about machinery. It tells you who the Board can hire, who must approve it, and where the rules of employment live. That machinery will be the interface you deal with during notices, audits, and adjudication. Treat it as a structured system with predictable roles and documented authority.
Real execution is where organizations stumble. The challenge is not understanding the rule,it is converting it into mapped contacts, response playbooks, and evidence pipelines that stand up under scrutiny.
At Regodit, we help teams turn regulatory text into coordinated action, with clear ownership, timelines, and artifacts. Because compliance isn’t just about knowing the law,it’s about being ready when the enforcers show up. Explore how Regodit can help you operationalize DPDPA requirements, and schedule a call to walk through your posture and gaps together.
Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.
Keep reading
All blogs →DPDPA Rule 23: Government Requests for Information from Data Fiduciaries and Intermediaries
Handling a notice under DPDP Act Rule 23 requires strict confidentiality. Discover how to respond to government data requests and ensure full compliance.
DPDPA Rule 22: Appeals to the Appellate Tribunal
Lost at the Data Protection Board? DPDPA Rule 22 governs the digital-first appeals process. Read our complete guide to filing an appeal with the Tribunal.
DPDPA Rule 20: Functioning of the Board as a Digital Office
Ensure your business meets DPDP Act compliance requirements. Discover key obligations for data fiduciaries, penalty risks, and steps to protect user privacy.
