Data Protection Board of India
Definition
The Data Protection Board of India (DPBI) is the independent regulatory body established under Section 18 of the Digital Personal Data Protection Act, 2023. It functions as a digital office responsible for adjudicating complaints of personal data breaches and non-compliance by Data Fiduciaries and Consent Managers. The Board has the power to conduct inquiries, impose monetary penalties as specified in the Schedule of the Act (up to INR 250 crore), and issue binding directions. Unlike a traditional court, the DPBI operates digitally, aiming for efficient and paperless proceedings. Its members are appointed by the Central Government, and its decisions can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days under Section 29.
Real-World Examples
Complaint Adjudication
A user discovers their personal data was leaked by an e-commerce platform. After exhausting the company's internal grievance redressal mechanism without resolution, the user files a complaint with the Data Protection Board of India. The Board conducts a digital inquiry, reviews the evidence of the breach and the company's security measures, and determines that the company failed to implement reasonable security safeguards. It imposes a penalty of INR 15 crore under the Schedule.
Compliance Direction
During a suo motu inquiry triggered by a reported large-scale data breach at a fintech company, the Board examines the company's data protection practices. Finding systemic failures in breach notification procedures, the Board issues binding directions requiring the company to overhaul its incident response plan, notify all affected Data Principals, and submit a compliance report within 90 days.
The Data Protection Board of India (DPBI) is the adjudicatory body established under Section 18 of the DPDP Act, 2023. It operates as a digital office with the power to inquire into complaints of data breaches and non-compliance, impose monetary penalties, and issue binding directions to Data Fiduciaries.
A Data Principal must first exhaust the grievance redressal mechanism provided by the Data Fiduciary (Section 13(3)). If the grievance remains unresolved within the prescribed period, the Data Principal may then file a complaint with the Board in the form and manner prescribed, typically through a digital portal. In practice, it helps to retain a clear record of the grievance submission, responses, timelines, and supporting evidence (such as correspondence or incident documentation); many teams centralize these materials in a system like WatchDog Security's Compliance Center so they are ready if escalation is needed.
The Board can conduct inquiries into complaints and references from the Central Government, impose monetary penalties as per the Schedule (up to INR 250 crore), issue directions including urgent remedial measures, and accept voluntary undertakings from Data Fiduciaries (Section 32).
Yes. Under Section 29, any person aggrieved by an order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days of receiving the order.
The Data Protection Board is an independent government regulatory body that adjudicates complaints and imposes penalties. A Data Protection Officer (DPO) is an internal role within an organization responsible for overseeing the company's data protection strategy and compliance. They operate at entirely different levels — the DPO ensures internal compliance while the Board enforces the law externally.
Under Section 33(2), the Board considers the nature and gravity of the breach, the type and nature of personal data affected, the repetitive nature of the breach, whether the person made financial gain from the breach, and what mitigation actions were taken by the person.
The DPDP Act, 2023 received presidential assent on August 11, 2023. In November 2025, the Central Government notified the Digital Personal Data Protection (Establishment of Data Protection Board) Rules, 2025, which set out the framework for constituting and operating the Board. Operational rollout (appointments, portal processes, and procedures) may still be phased through subsequent notifications, so organizations should monitor official updates and ensure their internal grievance redressal and breach response processes are well-documented; tools like WatchDog Security's Policy Management can help maintain controlled, versioned procedures and evidence of governance.
The maximum penalty under the Schedule is INR 250 crore (approximately USD 30 million) for failure to take reasonable security safeguards to prevent a personal data breach under Section 8(5). Penalties are per instance and can accumulate for repeated violations.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |