Data Protection Board of India

India's data protection regulator: its powers, the complaint process, and what it means for your business
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

What Is the Data Protection Board of India?

The Data Protection Board of India (DPBI) is the adjudicating body created under the DPDP Act 2023. Think of it as India's data protection referee: it receives complaints, investigates data breaches, and imposes penalties on businesses that mishandle personal data.

Unlike Europe's model of a separate regulator in every member state, India has a single central Board. It has been active since November 2025, when the DPDP Rules 2025 were notified, and it operates as a digital office: complaints, hearings, and orders are handled online through its portal, without physical visits.

For business owners, the key point is simple: the regulator with the power to fine you up to ₹250 crore per violation already exists and is already taking complaints.

What Powers Does the Board Have?

Investigate

The Board can inquire into complaints from individuals and investigate data breaches. Every breach must reach it within 72 hours via a detailed report from the affected business.

Impose Penalties

Up to ₹250 Cr for security safeguard failures, ₹200 Cr for unreported breaches or misuse of children's data, ₹150 Cr for SDF failures, and ₹50 Cr for other violations, per violation, with no size discount.

Direct Mediation

The Board can refer disputes to mediation, giving businesses and individuals a path to resolve matters without a full adjudication.

When setting a penalty, the Board weighs the gravity and duration of the violation, the type of data affected, whether it was repeated, and what the business did to reduce harm. Fines go to the Consolidated Fund of India. One serious incident can stack multiple violations, roughly ₹650 crore of cumulative exposure.

How the Complaint Process Works

StepWhat Happens
1. Grievance to the business firstThe individual must first complain to the Data Fiduciary, which has up to 90 days to resolve the grievance
2. Escalation to the BoardIf unresolved, the individual files a complaint through the Board's digital complaints portal
3. Inquiry and orderThe Board reviews, investigates, may direct mediation, and can impose penalties on the business
4. AppealEither side can appeal the Board's order to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT)

Note for individuals: the Act also imposes duties on Data Principals. A false or frivolous complaint can attract a fine of ₹10,000.

What the Board Means for Your Business

  • Your grievance process is your first defence: a working redressal system that resolves complaints within 90 days keeps most issues from ever reaching the Board
  • Breach readiness matters: the 72-hour report to the Board is only achievable with a prepared response playbook
  • Evidence wins cases: consent records, logs, and documented safeguards are what the Board looks at when weighing penalties
  • Penalties are already live: understand your exposure with our DPDP penalties guide and close the gaps before a complaint lands

The Regulator Is Live. Are Your Systems?

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, so the time to start is now.

Book Your Free DPDP Audit

Want the Complete DPDP Picture?

The Board is one piece of the puzzle. Our main guide covers the Act, Rules, deadlines, penalties, and the full compliance checklist.

Learn Everything About DPDP Compliance

Data Protection Board of India: Frequently Asked Questions

What is the Data Protection Board of India?

The DPBI is the adjudicating body under the DPDP Act 2023. It investigates complaints and breaches, imposes penalties of up to ₹250 crore per violation, and can direct mediation. It works as a digital office with an online complaints portal.

Don't Meet the Board Through a Penalty Notice

Find your compliance gaps before a complaint or a breach does. It starts with one free audit.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.