Data Protection Board of India (DPBI): Powers, Process & What to Expect in 2026

Abhi Anand
16 March 2026

Introduction

The Data Protection Board of India (DPBI) is the enforcement authority established under the Digital Personal Data Protection Act, 2023. Formally constituted on November 13, 2025, the DPBI represents India's first dedicated adjudicatory body for data protection — a critical milestone for a nation with over 800 million internet users. Unlike traditional regulatory bodies, the DPBI is designed as a digital-first institution: all proceedings are conducted electronically, complaints are filed online, and hearings happen via digital modes. This guide covers everything organisations and individuals need to know about the Board's structure, powers, complaint process, and enforcement approach.

What is the Data Protection Board of India?

The DPBI is established under Sections 18–26 of the DPDP Act. It is an adjudicatory body — not a regulator in the traditional sense. Its primary function is to receive complaints, conduct inquiries, and impose penalties for violations of the Act. The Board is headed by a Chairperson and comprises members appointed by the Central Government. IT Secretary S. Krishnan has confirmed that the process to identify and nominate members is underway, with the Board expected to be fully operational in the coming months (Whalesbook).

  • Nature: Adjudicatory body (not a regulator — it doesn't make rules, it enforces them)
  • Headquarters: National Capital Region (NCR), India
  • Operations: Entirely digital — online filing, electronic hearings, digital orders
  • Established: November 13, 2025, alongside the DPDP Rules notification
  • Jurisdiction: Pan-India, covering all Data Fiduciaries processing personal data of Indian citizens

Powers of the DPBI

The Board wields significant enforcement powers under Sections 27–28 of the Act. These powers are designed to ensure effective investigation and adjudication of data protection violations.

  • Receive and investigate complaints from Data Principals whose rights have been violated
  • Conduct inquiries into potential violations, including suo motu (on its own initiative)
  • Summon organisations and demand evidence, documents, and testimony
  • Issue binding directions — order organisations to stop unlawful processing, implement corrective measures, or improve security safeguards
  • Impose monetary penalties of up to ₹250 crore per violation (Section 33)
  • Accept references from the Central or State Government, or comply with court directions
  • Mandate breach reporting — Data Fiduciaries must report breaches to the Board within the prescribed timeframe

How to File a Complaint with the DPBI

The complaint process follows a two-stage approach, as outlined in the DPDPA grievance framework. Data Principals must first seek redressal through the organisation's internal grievance mechanism before escalating to the Board.

  • Stage 1 — Organisational grievance: Every Data Fiduciary must provide a clear channel for Data Principals to raise grievances (email, online form, or designated contact). The organisation must respond within a reasonable timeframe
  • Stage 2 — Escalation to DPBI: If the Data Fiduciary fails to resolve the grievance satisfactorily, the Data Principal can file a complaint with the DPBI through the digital complaint portal or mobile application
  • Board inquiry: The DPBI must complete its inquiry within 6 months of receiving the complaint, extendable by up to 3 months at a time with recorded reasons (IAPP)
  • Order and penalties: The Board issues its decision with written reasons and may impose penalties as prescribed under the Act's Schedule
  • Appeal: Orders of the DPBI can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT)

Penalty Framework

The DPBI enforces a tiered penalty structure under Section 33 of the Act. Critically, as noted by DPO India, penalties can be triggered even without an actual data breach — the mere failure to implement adequate security measures is sufficient.

  • ₹250 crore — failure to implement reasonable security safeguards (Section 8(5))
  • ₹200 crore — non-compliance with children's data obligations (Section 9)
  • ₹150 crore — failure to notify the DPBI and affected individuals of a breach
  • ₹50 crore — other violations including failure to honour Data Principal rights
  • ₹10,000 — maximum penalty for individual Data Principals for frivolous complaints

What Organisations Should Prepare For

With the DPBI now established and building capacity, organisations should proactively prepare rather than waiting for the first enforcement actions. According to EY India's survey, over 83% of organisations have not started end-to-end DPDP implementation — leaving them vulnerable to complaints once the Board is fully operational.

  • Establish a grievance redressal mechanism — this is a prerequisite for the two-stage complaint process. Without it, complaints go directly to the Board (Section 13)
  • Implement breach notification workflows — you need to detect, assess, and report breaches within the prescribed window
  • Document everything — the Board can demand evidence of compliance efforts, consent records, data processing logs, and security measures
  • Train your team — designate individuals responsible for DPBI interactions and ensure they understand the process
  • Automate compliance monitoring — platforms like Kraver.ai provide continuous compliance posture monitoring and audit-ready reporting

DPBI vs. Other Global Data Protection Authorities

The DPBI differs from its global counterparts in several important ways. Unlike the EU's Data Protection Authorities (DPAs), which serve both regulatory and adjudicatory functions, the DPBI is purely adjudicatory: it enforces the law but doesn't create it. Unlike the UK's ICO, which can issue guidance and codes of practice, the DPBI's mandate is focused on complaints and penalties. Its digital-first design is unique globally; most DPAs still rely on physical proceedings. The Board also has a defined timeline for completing inquiries (6+3 months), which many international authorities lack.

Conclusion

The Data Protection Board of India is not a future concern — it exists today and is building operational capacity. Once fully staffed, it will begin processing complaints and the enforcement machinery will be in motion. For organisations, the strategic imperative is clear: build your compliance infrastructure now, establish grievance redressal mechanisms, and be ready to demonstrate compliance on demand. The cost of preparing is measured in weeks of effort; the cost of non-compliance is measured in crores of penalties. Schedule a free assessment with Kraver.ai to evaluate your readiness.
