The Data Protection Board of India does not issue notices to individuals. It issues notices to organisations. When that notice arrives, it does not land on the CISO's desk or the DPO's inbox. It lands on the organisation — which means the Board of Directors bears ultimate governance accountability.
Most Board members in India have not read the DPDPA. Most have not been briefed on its implications. Most do not know that penalties of up to ₹250 Crores attach to the organisation, and that the governance failure that enabled the contravention will be examined during proceedings.
This briefing is designed for a fifteen-minute read that equips every Board Director with the knowledge required for informed governance.
What the Board of Directors must understand
1. DPDPA creates statutory obligations for Data Fiduciaries. Under Section 2(i), a Data Fiduciary is any person who determines the purpose and means of processing personal data. Every company that collects customer data, employee data, or vendor data is a Data Fiduciary. The obligations under Sections 4 through 10 are not optional. They are statutory. Non-compliance is not a business decision. It is a legal contravention.
2. The penalty structure is designed to be existential for mid-market companies. The maximum penalty under The Schedule is up to ₹250 Crores for failure to implement reasonable security safeguards. For a company with annual revenue of ₹500 Crores, this penalty represents 50% of revenue. Unlike GDPR's revenue-based cap (4% of global turnover), DPDPA's absolute caps can be proportionally devastating for Indian mid-market companies. The Board must understand that DPDPA non-compliance is a material business risk that belongs on the risk register.
3. Significant Data Fiduciary obligations create enhanced accountability. If the Central Government notifies your organisation as a Significant Data Fiduciary under Section 10, the obligations multiply: mandatory DPO appointment, mandatory Data Protection Impact Assessment, mandatory periodic audits by independent auditors, and mandatory algorithmic transparency for automated decision-making. The Board must know whether the organisation is likely to be notified as an SDF and prepare accordingly.
4. Breach notification is a Board-level event. Under Section 8(6), a personal data breach must be reported to the Data Protection Board of India and to affected Data Principals without delay. The Board of Directors should establish a protocol where any personal data breach above a defined threshold triggers immediate Board notification. The response timeline is measured in hours, not weeks. A Board that learns about a breach from a newspaper has failed its governance obligation.
Five questions the Board must ask management quarterly
- What is our current DPDPA compliance status? Require a quantified answer. Not "we are working on it." A specific maturity score across consent management, breach response, vendor compliance, data subject rights, and security safeguards. Track progress quarter over quarter.
- Have we appointed a qualified DPO? Not "have we assigned someone the title." A qualified DPO with direct Board access, documented authority to pause non-compliant processing, and formal training in Indian data protection law. If the DPO reports through the CISO or General Counsel, the independence required under Rule 11 is compromised.
- What is our breach response time? Measure it. If the answer is "we have not tested it," that is the answer the Data Protection Board will hear. A breach simulation should be conducted at least annually, with results reported to the Board.
- What is our vendor compliance status? How many vendors process personal data on our behalf? How many have signed Data Processing Agreements? How many have been audited? Section 8(2) makes the Data Fiduciary responsible for the entire chain. A non-compliant vendor is your exposure.
- What is the investment required to close remaining gaps? DPDPA compliance requires investment — in technology, personnel, legal architecture, and training. The Board must ensure the investment is adequate, not minimal. The Data Protection Board will distinguish between organisations that invested in compliance and those that budgeted for the bare minimum.
The governance record that protects the boardroom
When the Data Protection Board examines an organisation, it examines governance. The question is not just "were you compliant?" but "was the Board of Directors aware, engaged, and directing compliance?" Board minutes that record DPDPA discussions, DPO reports to the Board, quarterly compliance status reviews, and investment approvals create a governance trail that demonstrates institutional commitment. That trail matters in penalty adjudication. The Board that discussed DPDPA quarterly and invested in compliance receives different treatment than the Board that never discussed it until the notice arrived.
"The difference between a ₹10 Crore penalty and a ₹250 Crore penalty is not the severity of the breach. It is the quality of the governance that preceded it."
— Anandaday Misshra
Do this now
Forward this briefing to every member of your Board. Add "DPDPA Compliance Status" as a standing agenda item for the next Board meeting. Request the DPO or CISO to present within 30 days. The governance clock starts the moment the Board acknowledges awareness. Make that moment documented, deliberate, and defensible.
