What Is the Data Protection Board of India (DPBI)? Powers, Penalties, and How to Be Ready for It
The Data Protection Board of India is the body that will actually fine you under the DPDP Act — up to ₹250 crore per instance. Yet most Indian businesses can't say what it is, how it works, or what it will ask for. A plain-language explainer on the DPBI: composition, powers, penalty schedule, appeals, and the evidence you should be able to produce.
The Regulator Most Indian Businesses Haven't Met Yet
Every conversation about the Digital Personal Data Protection (DPDP) Act eventually arrives at the same body: the Data Protection Board of India (DPBI). It is the institution that receives your breach reports, hears complaints from Data Principals, conducts inquiries, and — when it finds non-compliance — imposes penalties that go up to ₹250 crore per instance.
For all that weight, the Board remains poorly understood. This guide explains what the DPBI is, what powers the DPDP Act gives it, how proceedings work, and — most practically — what your organisation should be able to produce when the Board comes asking.
What the Data Protection Board of India Is
The DPBI is the adjudicatory body established by the central government under the DPDP Act, 2023. It is worth being precise about what it is not:
- It is not a rule-making regulator in the style of SEBI or RBI — the rules come from the central government via the DPDP Rules. The Board adjudicates against them.
- It is not a court — though it has civil-court-like powers for inquiries (summoning persons, examining on oath, inspecting documents).
- It is not optional — every Data Fiduciary processing digital personal data of individuals in India falls within its remit, regardless of size or sector.
The Board consists of a Chairperson and members appointed by the central government, drawn from fields including data governance, law, and technology. Members serve fixed terms and function independently in adjudication.
A Digital-First Body by Design
The DPDP Act explicitly designs the Board as a digital office: filing of complaints, hearings, and the issuing of decisions are intended to happen through digital means, without parties needing to appear physically in Delhi. For businesses this cuts both ways: proceedings are more accessible, but they also move faster than traditional litigation, so the "we need time to dig out the records" defence does not survive a digital-first process.
What the Board Has the Power to Do
1. Direct Urgent Remediation After a Breach
On receiving a personal data breach intimation, the Board can direct urgent remedial or mitigation measures and inquire into the breach. This is why breach notification is not a formality: your report is the opening document of a potential inquiry. Under the DPDP Rules, affected Data Fiduciaries must intimate the Board without delay and follow with a detailed report within 72 hours — the full mechanics are in our 72-hour breach notification guide, and a ready-to-adapt notification format is in our breach notification template and playbook.
2. Inquire Into Complaints From Data Principals
Any individual whose personal data you process can complain to the Board — about consent taken invalidly, rights requests ignored, data used beyond the stated purpose. The Board can dismiss frivolous complaints, but a substantiated complaint triggers an inquiry with civil-court powers.
3. Impose Financial Penalties
After inquiry, the Board determines whether non-compliance is significant and imposes monetary penalties under the Act's Schedule. The headline tiers:
- Up to ₹250 crore — failure to take reasonable security safeguards to prevent a personal data breach
- Up to ₹200 crore — failure to notify the Board or affected Data Principals of a breach
- Up to ₹200 crore — breach of obligations relating to children's personal data
- Up to ₹150 crore — breach of additional obligations applying to Significant Data Fiduciaries
- Up to ₹50 crore — breach of any other provision of the Act or rules
Penalties are assessed per instance, weighing the nature, gravity, and duration of the breach, the type of data affected, and whether the organisation acted to mitigate. A full breakdown is in our DPDPA penalties and fines guide.
4. Accept Voluntary Undertakings
The Board can accept a voluntary undertaking from an organisation at any stage — a commitment to take or stop specific actions — and accepting one bars further proceedings on that matter. For a business caught mid-stumble, this is the most underrated provision in the Act: it converts a potential penalty into a remediation plan. But the Board accepts undertakings from organisations that can show their house is fundamentally in order, not from those with nothing to show.
How to Challenge a Board Decision
Orders of the Board are appealable to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), generally within 60 days of the order. From TDSAT, the route runs to the Supreme Court. Practically: the appeal stage is where evidence quality decides outcomes. An organisation that can produce dated, immutable consent and processing records argues from documents; one that can't argues from affidavits.
What the Board Will Actually Ask You For
Strip away the legal machinery and DPBI-readiness reduces to whether you can answer four questions with evidence, quickly:
- "Show us the consent." For a named Data Principal: what they consented to, when, through which notice version, in which language, and whether it was itemised per purpose. This is exactly what an immutable, queryable consent record exists for.
- "Show us the notice." The exact consent notice text the user saw on that date — which requires notice versioning, not a single overwritten page.
- "Show us the rights handling." Access, correction, and erasure requests received, and proof each was actioned within your stated timelines.
- "Show us the breach response." If you reported a breach: the timeline from detection to intimation to the 72-hour detailed report, with the supporting record of which Data Principals were affected.
Key Insight: None of these can be reconstructed after the Board's letter arrives. They exist because your consent infrastructure recorded them at the moment they happened — or they don't exist at all.
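To make the "recorded at the moment it happened" point concrete, here is an added illustration (not Consently's code and not a format prescribed by the DPDP Rules) of an append-only, hash-chained consent ledger with notice versioning. Every class, field and the sample Data Principal "dp-001" are assumptions constructed for the example. It shows how the four questions above are answered from records rather than reconstructed: the ledger can state, for a named person and a named date, which purposes were consented to and which notice version and language they saw, and any later edit to an entry breaks the chain check.

```python
# Added illustration of an immutable, queryable consent record for DPBI-style document production.
# Not Consently's implementation and not a DPDP-prescribed schema; all names and fields are assumptions.
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NoticeVersion:
    """One published version of a consent notice in one language (never overwritten)."""
    version: str
    language: str
    text: str


class ConsentLedger:
    """Append-only ledger of consent events. Each entry stores the SHA-256 of the
    previous entry, so editing or deleting any entry afterwards makes verify_chain() fail."""

    def __init__(self) -> None:
        self._entries: List[dict] = []
        self._notices: Dict[Tuple[str, str], NoticeVersion] = {}

    def register_notice(self, notice: NoticeVersion) -> None:
        key = (notice.version, notice.language)
        if key in self._notices:
            raise ValueError("notice versions are immutable; publish a new version instead")
        self._notices[key] = notice

    def record(self, principal_id: str, notice_version: str, language: str,
               purposes: Dict[str, bool], at: datetime) -> dict:
        """Record one consent decision, itemised per purpose (True = granted, False = declined/withdrawn)."""
        if (notice_version, language) not in self._notices:
            raise ValueError("consent must reference a registered notice version and language")
        prev_hash = self._entries[-1]["hash"] if self._entries else "0" * 64
        body = {
            "seq": len(self._entries),
            "principal_id": principal_id,
            "at": at.astimezone(timezone.utc).isoformat(),
            "notice_version": notice_version,
            "language": language,
            "purposes": dict(sorted(purposes.items())),
            "prev_hash": prev_hash,
        }
        body["hash"] = self._digest(body)
        self._entries.append(body)
        return body

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
        canonical = json.dumps({k: v for k, v in body.items() if k != "hash"},
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def verify_chain(self) -> bool:
        """True only if every entry is unmodified and links to its predecessor."""
        prev = "0" * 64
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def consent_as_of(self, principal_id: str, as_of_iso: str) -> Optional[dict]:
        """Answer 'show us the consent': per-purpose state and the exact notice the person
        saw, as they stood at the ISO-8601 instant `as_of_iso`. None if no record exists."""
        as_of = datetime.fromisoformat(as_of_iso)
        state: Dict[str, bool] = {}
        last: Optional[dict] = None
        for e in self._entries:
            if e["principal_id"] != principal_id or datetime.fromisoformat(e["at"]) > as_of:
                continue
            state.update(e["purposes"])   # later decisions override earlier ones per purpose
            last = e
        if last is None:
            return None
        notice = self._notices[(last["notice_version"], last["language"])]
        return {"purposes": state, "notice_version": notice.version, "language": notice.language,
                "notice_text": notice.text, "recorded_at": last["at"]}

    def tamper_for_demo(self, seq: int, purpose: str, value: bool) -> None:
        """Simulates an after-the-fact edit so the reader can watch verify_chain() fail."""
        self._entries[seq]["purposes"][purpose] = value


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: one fictional Data Principal, two Hindi notice versions."""
    ledger = ConsentLedger()
    ledger.register_notice(NoticeVersion("v1", "hi", "<constructed Hindi notice text, v1>"))
    ledger.register_notice(NoticeVersion("v2", "hi", "<constructed Hindi notice text, v2>"))
    ledger.record("dp-001", "v1", "hi", {"order_fulfilment": True, "marketing": True},
                  datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc))
    ledger.record("dp-001", "v2", "hi", {"marketing": False},
                  datetime(2025, 3, 2, 12, 30, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    print(demo.consent_as_of("dp-001", "2025-02-01T00:00:00+00:00"))
    print("chain intact:", demo.verify_chain())
```

The design choice worth noting is that withdrawal is a new entry, not an edit: the February query still shows marketing consent as granted under notice v1, while the April query shows it withdrawn under v2, and both answers are reproducible from the same unchanged records.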
Getting Ready Before You're Asked
A consent management platform built for the DPDP Act — itemised purpose-level consent, 22-language notices, notice versioning, Data Principal rights workflows, and an immutable audit trail — is the difference between treating a DPBI inquiry as document production versus crisis management. Our guide to choosing a consent management platform for India covers the full evaluation, and you can see Consently's audit-ready consent records live.