The Data Protection Board: What Businesses Need to Know

September 5, 2024

Anahad Narain

Founder's Office

Summary

  • The Data Protection Board (DPB) is the key regulatory authority under the DPDP Act, responsible for enforcing data protection regulations.
  • The DPB has the power to investigate, adjudicate, and impose penalties of up to ₹250 Crore for violations of the DPDP Act.
  • The DPB can address complaints from individuals (Data Principals) regarding data breaches and mishandling by Data Fiduciaries and issue mandatory corrective actions.
  • The DPB will operate as a digital office, enabling faster complaint resolution and requiring businesses to maintain thorough digital records.
  • Businesses should proactively review data practices, manage consents, and prepare for DPB investigations to remain compliant.

The Digital Personal Data Protection (DPDP) Act 2023 is set to revolutionize India's approach to data privacy, and at the heart of this transformation will be the Data Protection Board of India (DPB). This powerful regulatory body is tasked with ensuring compliance with the DPDP Act and safeguarding personal data. If your business processes personal data, understanding the role and authority of the DPB is crucial for navigating this emerging regulatory landscape. 

What is the Data Protection Board?

The DPB is the central authority established under the DPDP Act to oversee the enforcement of data protection regulations. Functioning as an independent body, the DPB operates with the power of a civil court to investigate, adjudicate, and impose penalties for breaches of the DPDP Act.

The DPB is not merely an oversight body; it is the enforcement arm of the DPDP Act, equipped with powers to investigate breaches, adjudicate disputes, and impose penalties that can reach up to ₹250 Crore per violation. This level of authority makes the DPB a critical entity that businesses must engage with proactively.

Key Powers and Functions

The DPB’s role is not just supervisory; it is proactive. The Board has the authority to:

  • Investigate and Enforce: The DPB is empowered to investigate and penalize breaches of the DPDP Act, including violations related to consent, data security, and rights of Data Principals. Penalties can be substantial, reaching up to ₹250 Crore per violation. Additionally, the DPB can require businesses to modify their practices or take specific actions to prevent future violations. Your business could receive tailored directives to rectify issues, with strict timelines to ensure compliance.
  • Data Breach Management: In case of data breaches, the DPB has sweeping powers to investigate the breach, direct remedial measures, and enforce penalties. Any business that faces a breach must disclose it to the DPB within 72 hours of gaining knowledge of the breach. The DPB may extend the intimation period upon a written request made by the fiduciary.
  • Adjudicate Complaints: The Board will address complaints from Data Principals, state or central governments, or courts regarding breaches by Data Fiduciaries (entities responsible for processing personal data) or Consent Managers. This could involve anything from mishandling user consents to failure to prevent a breach of personal data.
The Data Protection Board is tasked with investigating breaches, adjudicating complaints and imposing fines

As part of the adjudication process the board can pass interim orders, refer disputes to mediation and accept voluntary undertakings from businesses to remedy breaches of the law. A voluntary undertaking is an agreement made by a business with the DPB that it will take specific corrective actions to rectify or prevent breaches of the data protection regulations. This allows a company to proactively address potential compliance issues before they escalate.

The Complaint and Adjudication Process

Businesses should be particularly aware of how the DPB handles complaints:

  1. Filing a Complaint: A Data Principal can file a complaint with the DPB if they believe their data rights have been violated. However, they must first seek redressal through the Data Fiduciary’s grievance mechanism. The complaint may be initiated not only by the Data Principal but also through a reference by the Central or State Government, or in compliance with the directions of any court. 
  2. Investigation: If the complaint is found to be legitimate, the DPB will conduct a thorough investigation, ensuring that the process does not disrupt the daily operations of the business involved. This investigation will follow principles of natural justice, ensuring fairness while maintaining the effectiveness of the inquiry.
  3. Adjudication and Penalties: After the investigation, the DPB can impose penalties if a breach is confirmed. The Board also has the authority to issue interim orders during the investigation to prevent further harm. Importantly, the DPB must provide reasons in writing for its decisions, ensuring transparency and accountability. 

The DPB will take into account several factors that ensure fairness and proportionality of the sanction. These factors include the nature and gravity of the breach, the sensitivity of the data involved, any financial gain from the breach, and whether there have been repeated violations. Additionally, the Board will consider mitigation efforts by the entity, such as immediate corrective actions and efforts to prevent future incidents, which can influence the severity of the penalties. Read more on DPDP Penalties on our blog. 

  4. Three-Tier Appeal Mechanism: The process for appealing DPB decisions is structured to allow for multiple levels of review:
    • First Appeal: Appeals against DPB orders will be handled by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), a specialized body familiar with regulatory and data protection issues.
    • Final Appeal: If necessary, a further appeal can be made to the Supreme Court of India, ensuring that the highest judicial authority can review critical cases.
Decisions of the board can be appealed to the TDSAT and a final review lies with the Supreme Court

The DPB also has the power to modify, suspend, or withdraw directions it has issued if circumstances change, providing flexibility in its approach to enforcement.

DPB’s Structure and Operations

Appointment and Removal of Members

The DPB will consist of a Chairperson and a team of Members, all appointed by the Central Government. The Chairperson and Members are to serve a two-year term and are eligible for reappointment, providing continuity in the Board’s leadership. These individuals shall be selected for their expertise in areas such as data governance, technology, law, and consumer protection, ensuring that the Board is well-equipped to handle the complex issues that arise in the digital economy.

The DPB is structured to function independently, free from external influence. This independence is crucial for maintaining public trust and ensuring impartiality in its operation.

Digital Operation

The DPB is set to operate primarily as a digital office, streamlining processes such as complaint filing, hearings, and decision-making. This digital-first approach aligns with the DPDP Act’s emphasis on modern, technology-driven governance.

What does this mean for your business? The digital functionality of the DPB will likely lead to quicker resolutions and greater transparency in handling complaints. Businesses will need to ensure that their digital records and compliance documentation are in order, as the DPB’s digital operations could accelerate the scrutiny process.

The DPB's digital-first approach aligns with the DPDP Act’s emphasis on technology-driven governance

While the official Digital Personal Data Protection Rules have not been notified yet, we have seen a couple of leaked drafts of the same. If these copies are anything to go by, the DPB will be required to adopt ‘techno-legal measures’ to ensure it operates in a digital form. For instance, digital operations of the DPB mean a person may not need to physically appear to provide evidence or give testimony. Other techno-legal measures may include:

  • Letting users file online complaints following the procedure published on the DPB website or app;
  • Letting companies intimate the Board of a data breach using a ‘Personal Data Breach Intimation Artifact’; and
  • In the case of minor complaints and alternative dispute resolution, one can expect the entire hearing and decision-making process to be conducted virtually. Moreover, the DPB can direct the parties to attempt to resolve the dispute through mediation.

This offers a less adversarial, more collaborative approach to resolving conflicts, which could be beneficial for businesses looking to maintain positive relationships with regulators and customers alike.

Next Steps for Businesses

The Data Protection Board will be constituted soon, and now is the right time to start preparing your business. A DPDP compliance storm approaches, and the DPB lies at its very center. Here’s what you need to do to start preparing:

  1. Review and update data practices: Ensure all data processing activities have a clear legal basis. For example, if you’re a fintech company collecting financial data, it’s crucial to demonstrate that this collection is directly related to your services and is legally justified. Read our piece on Grounds for Processing under the DPDP Act to learn more.
  2. Manage consents: Consent is the cornerstone of your compliance strategy. Make sure that consent is specific, informed, and documented. A digital marketing agency, for instance, must ensure that every user consents to receiving marketing communications, with records to prove it. Explore Leegality Consent Manager as a one-stop solution for your consent compliance.
  3. Implement a grievance redressal mechanism: Establish clear and accessible grievance redressal systems. Consider setting up a dedicated compliance team to handle complaints and ensure quick resolutions, reducing the likelihood of escalation to the DPB.
  4. Prepare to be investigated: Be ready for a level of scrutiny never seen before. For example, an e-commerce platform should regularly audit its data protection practices to ensure they align with DPDP requirements, thus minimizing risks if an investigation occurs.
  5. Leverage voluntary undertakings: If your business identifies potential compliance issues, address them before they escalate. For instance, a healthcare provider could offer a voluntary undertaking to strengthen data security measures, potentially avoiding harsher penalties from the DPB.
  6. Conduct continuous monitoring: Regularly review your data protection practices to ensure ongoing compliance. Be ready to adapt to new directives from the DPB, ensuring that your business remains compliant as regulations evolve.
  7. Engage with experts: Consider consulting with legal and data protection experts to navigate the complexities of the DPDP Act and the DPB’s oversight. Integrate a consent management solution to ease your compliance burden.

The DPB is poised to be a pivotal force in India’s data protection regime. As this new landscape unfolds, businesses must stay informed, stay compliant, and stay prepared. While the DPDP Act mandates the creation of the DPB, it is important to note that the Board has not yet been officially established. This means businesses should stay updated on the timeline for its formation, as this will mark the beginning of the DPB's enforcement actions. 
