Authority Guides7 min read

DPDP Act Penalties and Board Inquiries: A Defensibility Guide for General Counsels

Analyze the statutory powers of the Data Protection Board of India under Sections 27 and 33. Learn how to align enterprise incident response with the 72-hour breach reporting mandates in the DPDP Rules, 2025 to minimize legal liability.

Written bySanket Sharma· Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated:

Executive Summary

With exactly 308 days remaining until the 13 May 2027 DPDP hard compliance deadline, enterprise General Counsels must transition from theoretical risk assessments to operational defensibility. The Digital Personal Data Protection Act, 2023 establishes the Data Protection Board of India as the primary adjudicatory authority for compliance failures. Under the notified DPDP Rules, 2025, the Board commands strict operational timelines, including a 72-hour window for detailed breach reporting.

Failing to meet these evidentiary standards exposes organizations to penalties reaching INR 250 crore per instance. This briefing outlines the statutory powers of the Board and the exact artifacts legal teams require to defend against regulatory inquiries and control outside counsel spend.

Statutory Framework and Board Powers

Section 18 of the DPDP Act, 2023 establishes the Data Protection Board of India. Under Section 18(2), the Board is constituted as a body corporate possessing perpetual succession and a common seal. It is explicitly vested with the power, subject to the Act's provisions, to acquire, hold, and dispose of property - both movable and immovable - and to contract, sue, or be sued in its own name. Section 18(3) notes that the headquarters of the Board shall be at such place as the Central Government may notify. The core of the Board's regulatory authority over enterprises resides in Section 27.

Under Section 27(1)(a), upon receipt of an intimation of a personal data breach under sub-section (6) of Section 8, the Board is empowered to direct urgent remedial or mitigation measures. It is further authorized to inquire into such personal data breaches and impose penalties as provided in the Act.

Section 27(1)(b) also permits the Board to inquire into compliance failures based on complaints made by a Data Principal in respect of a personal data breach or a breach in observance by a Data Fiduciary of its obligations or data rights. The Board can also initiate inquiries upon a reference made to it by the Central Government or a State Government, or in compliance with the directions of any court. Under Section 33(1), if the Board determines on conclusion of an inquiry that a breach of the provisions of the Act or its rules is significant, it may impose monetary penalties, strictly after giving the person an opportunity of being heard. Because criminal liability is absent from the Act, these financial penalties serve as the primary enforcement mechanism.

Section 33(2) mandates the Board to evaluate specific statutory factors when determining the exact amount of the monetary penalty to be imposed. Legal teams must prepare to defend their actions against these parameters. The Board shall have regard to the nature, gravity, and duration of the breach, alongside the type and nature of the personal data affected. It will also scrutinize the repetitive nature of the breach to determine if the issue is systemic. Crucially, the Board will assess whether the person, as a result of the breach, realized a gain or avoided any loss. Finally, the Board must evaluate whether the person took any action to mitigate the effects and consequences of the breach, specifically weighing the timeliness and effectiveness of those mitigation efforts.

Rules 2025 Operational Layer

The DPDP Rules, 2025 translate these statutory powers into exact compliance workflows that directly impact liability allocation. For personal data breaches, Data Fiduciaries must notify affected Data Principals without delay and submit a detailed report to the Board within 72 hours. General Counsels must ensure their organizational response protocols can gather necessary facts and generate the mandated reports well within this window.

The Rules also specify mechanics for presenting itemised notices, securing verifiable parental consent, and maintaining grievance redressal mechanisms. Consent is the primary basis for processing, except where Section 7 legitimate uses apply. Defending an inquiry requires automated evidence trails to document consent validity and map exact processing activities at the time of the incident.

Enforcement Trajectory and DPBI Readiness

The enforcement model under the DPBI will likely prioritize significant data breaches and systemic failures in grievance redressal. Because Section 33(2) explicitly directs the Board to consider mitigation effectiveness, your immediate post-incident response is your primary legal defense. General Counsels must prepare for inquiries where the burden of proof rests entirely on the Data Fiduciary to demonstrate that reasonable security safeguards were active and mitigation was swift.

Comparative Context

Unlike the GDPR, which grants European data protection authorities broad, proactive inspection capabilities, the DPDP Act positions the Board primarily as an adjudicatory body. The Indian framework relies heavily on a complaint-driven and breach-driven enforcement model. While European frameworks assess adequate levels of protection for cross-border transfers, the DPDP Act permits transfers globally unless the Central Government restricts specific countries via a negative list.

This India-first approach simplifies cross-border transfer mechanics but concentrates regulatory risk entirely on incident response, user complaints, and verifiable documentation.

Decision Matrix: Inquiry Preparedness

Scenario: Data Principal complaint escalation. Obligation: Investigate and respond within Rule-specified timelines. Owner: Grievance Officer. Artifact: Time-stamped dispute resolution log.

Scenario: Personal data breach identification. Obligation: Notify Data Principals and report to DPBI within 72 hours. Owner: Legal and CISO. Artifact: DPBI incident report and mitigation evidence detailing the timeliness and effectiveness of the response.

Scenario: DPBI Section 27 inquiry. Obligation: Furnish processing records and consent artifacts. Owner: General Counsel. Artifact: Consent logs, itemised notices, and data flow maps.

Scenario: Penalty quantification defense. Obligation: Prove mitigation steps under Section 33(2). Owner: Outside Counsel. Artifact: Remediation timeline, financial impact analysis proving no gain was realized, and root cause analysis showing the breach was not repetitive.

What to Ask Any Compliance Provider

When evaluating compliance software or advisory services, General Counsels must scrutinize the vendor's ability to support regulatory defensibility. Ask providers how their platform exports evidence formats suitable for DPBI submission or privileged legal review. Question their service level agreements regarding data subject rights requests to ensure they align with statutory response windows.

Require clarity on the vendor's own data residency practices and limitation of liability clauses if their automated consent logging fails during a regulatory inquiry. Verify if the platform provides direct support workflows for the 72-hour breach reporting requirement mandated by the Rules, 2025.

Implementation Roadmap

1. 30 Days: Audit existing incident response playbooks against the 72-hour reporting rule and identify gaps in automated evidence collection.

2. 60 Days: Review vendor contracts and update indemnity clauses to reflect the penalty ceilings and mitigation requirements outlined in Section 33.

3. 90 Days: Deploy compliance tooling capable of generating itemised notices and exporting complete processing logs for legal review.

Further Reading

Consult our legal desk guide on vendor liability allocation and indemnity structures under the DPDP Act. Review the General Counsel handbook for verifiable parental consent mechanics and grievance redressal documentation.

Prepare your defensibility strategy before a regulatory inquiry forces your hand. Book a consultation with ComplyDP to evaluate your enterprise risk exposure, or establish your compliance baseline today at freescan.complydp.com.

Sources

Frequently asked questions

Does the Data Protection Board of India conduct random audits?

The DPDP Act 2023 positions the Board primarily as an adjudicatory body rather than a proactive inspection agency. Under Section 27, Board inquiries are triggered by personal data breach intimations, user complaints, court directions, or references from the Central or State Governments.

How are monetary penalties calculated if we experience a data breach?

Under Section 33(2), the Board evaluates a specific set of criteria: the nature, gravity, and duration of the breach; the type and nature of the personal data affected; the repetitive nature of the breach; whether your business realized a gain or avoided a loss; and the timeliness and effectiveness of your actions to mitigate consequences.

What is the exact timeline for reporting a personal data breach in India?

The DPDP Rules, 2025 require organizations to intimate affected Data Principals without delay. Simultaneously, a detailed incident report must be filed with the Data Protection Board within 72 hours of identifying the breach, which the Board may use to direct urgent remedial measures under Section 27.

How can legal teams reduce liability during a Board inquiry?

Defensibility relies on automated, time-stamped evidence trails that prove compliance. General Counsels must present clear records of valid consent, issued itemised notices, and immediate, effective mitigation efforts to minimize penalties under Section 33(2).

When is the final deadline to comply with the DPDP Act 2023?

Organizations have exactly 308 days remaining until the 13 May 2027 DPDP hard compliance deadline. Legal teams should use this window to implement compliant grievance mechanisms and deploy rapid breach reporting workflows.