
Data Privacy Consultant

Enforcement and Penalties under the DPDPA, 2023 and Draft DPDP Rules, 2025

  • Writer: Davies Parker
  • Mar 18
  • 2 min read

Introduction

The Digital Personal Data Protection Act (DPDP Act), enacted on August 11, 2023, represents a landmark development in India’s data protection landscape. It lays down a comprehensive framework for safeguarding personal data, holding Data Fiduciaries accountable, and ensuring that individual privacy rights are respected. A central component of this Act is its robust enforcement mechanism, which includes the establishment of the Data Protection Board of India (DPBI) and the penalties for non-compliance.

Enforcement Mechanisms

The enforcement of the DPDP Act relies heavily on the Data Protection Board of India (DPBI), which serves as a critical body in overseeing compliance with the Act’s provisions. Established under Chapter V of the DPDP Act, the Board is an independent corporate entity empowered to handle complaints, investigate violations, direct corrective actions, and impose penalties on entities that fail to comply with the law.

Composition and Structure of the DPBI

The DPBI consists of a chairperson and other members who serve renewable terms of two years. To prevent conflicts of interest, the Chairperson and any other Member shall not, for one year after leaving office, accept employment without prior approval of the Central Government and must disclose any subsequent employment with a Data Fiduciary against whom they initiated or oversaw proceedings. The chairperson holds significant administrative authority, overseeing the functioning of the Board, assigning tasks, and delegating responsibilities among members. In the chairperson’s absence, the senior-most member assumes these duties.

To ensure transparency and accountability, the members, officers, and employees of the Board are classified as public servants under Section 21 of the Indian Penal Code, 1860 (Section 2(28) of the Bharatiya Nyaya Sanhita, 2023, also defines "Public Servant"). This designation subjects them to strict accountability standards in the performance of their duties.

Key Responsibilities of the DPBI

Response to Data Breaches:

The DPBI plays a crucial role in addressing personal data breaches. Upon notification of a breach, the Board is empowered to immediately direct remedial or mitigation actions to minimize the impact of the breach. An inquiry is then initiated, and if necessary, penalties are imposed on the Data Fiduciary responsible for the breach.

Handling of Complaints:

Upon receiving a complaint, the Board is required to act as per S. 27 of the Act and must first decide on the validity of the complaint. If the Board decides that the grounds for the complaint are insufficient, the reasons must be recorded in writing.

Complaints by Data Principals:

If a Data Principal (the individual whose data is affected) files a complaint regarding a breach or failure of a Data Fiduciary to meet their obligations under the Act, the DPBI is authorized to investigate the issue and take corrective actions, which may include imposing financial penalties. The DPDPA, however, requires the Data Principal to first exhaust the Grievance Redressal Mechanism provided by the Data Fiduciary or Consent Manager before filing a complaint with the Board.

Complaints Regarding Consent Managers:

The Board also handles complaints against consent managers, entities that manage consent for the processing of personal data. If these consent managers fail to fulfil their obligations, the DPBI can investigate and impose penalties.

 
 
 
