
Data Protection Board of India (DPBI): Powers, Functions, and What It Means for Your Business

Supriya Mehta · March 9, 2026 · 8 min read

If you have been following India's data protection developments, you have likely encountered the term "Data Protection Board of India" without fully understanding what it does, how it operates, or how it might affect your business. You are not alone. Despite becoming operational in November 2025, the DPBI remains one of the least understood institutions in Indian technology regulation.

This article explains what the Data Protection Board actually is, what powers it holds, and what it means in practice for businesses operating in India.

Key Takeaways

  • The Data Protection Board of India (DPBI) is the enforcement authority under the DPDP Act 2023. It became operational in November 2025.
  • The DPBI is an adjudicatory body. It investigates complaints, conducts inquiries, and imposes penalties. It does not make rules or issue guidelines.
  • Penalties the Board can impose range from ₹10,000 to ₹250 crore per violation.
  • The Board operates as a "digital by design" institution. Proceedings, filings, and hearings are conducted primarily through digital infrastructure.
  • Appeals against DPBI decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), not regular courts.

What is the Data Protection Board of India?

The Data Protection Board of India (DPBI) is the independent statutory body established under Sections 18 through 26 of the Digital Personal Data Protection Act, 2023. Its primary function is to enforce the DPDP Act by adjudicating complaints, investigating data breaches, and imposing financial penalties on non-compliant organisations.

The Board was constituted and became operational on November 13, 2025, when the DPDP Rules 2025 were notified. This marked the first phase of the Act's enforcement timeline.

It is important to understand what the DPBI is not. Unlike the UK's ICO or France's CNIL, the Data Protection Board of India is purely an adjudicatory body. It does not issue regulations, publish guidelines, or conduct proactive audits. Rule-making authority stays with the Central Government, operating through the Ministry of Electronics and Information Technology (MeitY). The Board only acts when a complaint is filed or a breach is reported to it.

How is the DPBI Structured?

The Board consists of a Chairperson and members appointed by the Central Government. Section 19 of the DPDP Act specifies that:

  • The Chairperson and members are appointed for a two-year term, eligible for re-appointment
  • Members must have expertise in data protection, information technology, or related fields
  • The Board operates through benches. Different matters can be heard by different benches simultaneously, allowing the Board to handle multiple complaints in parallel

The DPDP Rules 2025 established the Board's operational framework, including how benches are constituted, hearing procedures, and timelines for resolution.

What Powers Does the DPBI Have?

Complaint Investigation

When a Data Principal (an individual whose data is processed) files a complaint, the Board can:

  • Summon the Data Fiduciary (the organisation processing the data) and require them to respond
  • Direct the production of documents, records, and data processing logs
  • Examine witnesses and receive evidence
  • Appoint independent technical experts to assist in the inquiry

Breach Investigation

When a Data Fiduciary reports a personal data breach (which must be done within 72 hours under the DPDP Rules 2025), the Board can:

  • Investigate the circumstances of the breach
  • Assess whether the Data Fiduciary had implemented reasonable security safeguards
  • Determine whether the breach notification to affected Data Principals was adequate
  • Impose penalties if security safeguards were insufficient

Penalty Imposition

The Board's penalty powers are defined in Section 33 and the Schedule to the DPDP Act:

Violation | Maximum Penalty
Security failure leading to a data breach | ₹250 crore
Failure to notify the Board and affected individuals of a breach | ₹200 crore
Violations related to children's data processing | ₹200 crore
Significant Data Fiduciary non-compliance | ₹150 crore
Other obligation failures (consent, notice, retention) | ₹50 crore
False complaints by Data Principals | ₹10,000

These are maximum amounts per violation. The Board has discretion to set penalties within these limits based on the severity of the breach, the harm caused, whether the Data Fiduciary took voluntary corrective action, and other mitigating or aggravating factors.

For a full breakdown of the penalty framework, see our DPDP Act 2023 complete guide.

Remedial Directions

Beyond penalties, the Board can issue directions requiring a Data Fiduciary to:

  • Take specific corrective actions to address non-compliance
  • Implement particular security measures
  • Modify their data processing practices
  • Provide redress to affected Data Principals

How to File a Complaint with the DPBI

The process for filing a complaint with the Data Protection Board follows a two-step escalation:

Step 1: Exhaust internal remedies first. Before approaching the Board, the Data Principal must first raise the issue directly with the Data Fiduciary's grievance redressal mechanism. Every Data Fiduciary is required under Section 13 of the DPDP Act to provide an accessible grievance system.

Step 2: Escalate to the DPBI. If the Data Fiduciary does not respond within a reasonable time, or the response is unsatisfactory, the Data Principal can file a complaint with the Board through its digital platform.

The entire process is designed to be digital-first. The DPBI does not operate through physical courtrooms or paper filings. Complaints, responses, hearings, and orders are handled through an online infrastructure.

How Does the DPBI Differ from Other Regulators?

Feature | DPBI (India) | ICO (UK) | DPAs (EU/GDPR)
Role | Adjudicatory only | Regulatory + enforcement | Regulatory + enforcement
Can issue guidelines? | No | Yes | Yes
Proactive audits? | No | Yes | Yes
Penalty authority | Yes (up to ₹250 Cr) | Yes (up to £17.5M/4% turnover) | Yes (up to €20M/4% turnover)
Appeal mechanism | TDSAT | Courts | Courts
Digital-first proceedings | Yes (by design) | Partially | Varies by country

The most significant implication for businesses: unlike European DPAs, the DPBI will not publish detailed guidance notes or best-practice recommendations. For understanding how to comply, businesses must rely on the text of the Act, the DPDP Rules, and resources like the DPDP compliance checklist.

What This Means for Your Business

If you are a Data Fiduciary operating in India:

  1. Your grievance mechanism must work. The Board will check whether the Data Principal attempted internal resolution first. If you have no grievance system or it is non-functional, the Board will treat this as a compliance failure in itself.

  2. Breach reporting is non-negotiable. The 72-hour notification window to the DPBI is strict. Late reporting compounds the violation, and the Board can impose separate penalties for the breach itself and for failing to report it on time.

  3. Keep compliance records. When the Board investigates, it will ask for documentation: consent records, data processing agreements, security audit logs, and breach response procedures. Having these organised before an inquiry begins is the difference between a manageable process and a catastrophic one.

  4. Plan for digital proceedings. If you receive a complaint or investigation notice from the DPBI, your response will be through their digital platform. Ensure your compliance and legal teams are prepared for this workflow.

If you are a Data Principal (an individual):

You have a clear path to enforcement. If a company mishandles your personal data and does not resolve your complaint internally, you can escalate to the DPBI. The digital-first approach is designed to make this process accessible without requiring physical presence or legal representation.

Current Status of the DPBI (March 2026)

As of March 2026:

  • The Board is operational with appointed members and functioning digital infrastructure
  • The full penalty regime activates on May 13, 2027, alongside all substantive Data Fiduciary obligations
  • No public penalty orders have been issued yet, as the full enforcement provisions are not yet in force
  • The Board is currently handling the operational setup phase, including establishing processes for complaint intake and breach notification

The critical date for businesses is May 2027. From that point, the Board will have the authority and infrastructure to receive complaints, investigate breaches, and impose the full range of penalties specified in the Act. Businesses that have not achieved DPDP compliance by then face real enforcement risk.

Frequently Asked Questions

Is the Data Protection Board of India the same as the Data Protection Authority?

No. Early drafts of India's data protection legislation (the Personal Data Protection Bill, 2019) proposed a "Data Protection Authority of India" with broader regulatory powers, including rule-making and proactive oversight. The DPDP Act 2023 replaced this concept with the Data Protection Board, which has a narrower, adjudicatory-only mandate.

Can the DPBI conduct raids or inspect my offices?

The DPDP Act does not grant the Board powers to conduct physical raids or surprise inspections as some sector regulators (like SEBI or the Income Tax department) can. The Board's investigation powers are exercised through its digital platform - it can summon documents, require written explanations, and conduct hearings.

What happens if I disagree with a DPBI order?

Appeals against DPBI orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29 of the DPDP Act. Further appeals from TDSAT go to the Supreme Court of India on questions of law.

Simplify Your DPDP Compliance

This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.

ComplyZero handles the complexity for you: consent management, privacy notices in 22 languages, DSR workflows, and audit-ready compliance records. Get your business DPDP-ready in minutes, not months.
