The Data Protection Board of India became operational in late 2025, and 2026 marks the start of active enforcement of the Digital Personal Data Protection (DPDP) Act, 2023, with penalties of up to ₹250 crore per instance for failing to implement reasonable security safeguards where that failure leads to a personal-data breach.
What changed
For two years DPDP was “coming.” Now there is a Board that can investigate complaints and impose financial penalties. The largest penalty bucket in the Act's Schedule is also the most preventable one: failure to take reasonable security safeguards. That reframes security spending from cost centre to penalty avoidance.
Your obligations as a Data Fiduciary
- Lawful basis & consent — process personal data only for a clear, notified purpose.
- Reasonable security safeguards — encryption, access control, logging, and tested incident response.
- Breach notification — notify the Board and every affected Data Principal. The DPDP Rules, 2025 require an initial intimation to the Board without delay and a detailed report within 72 hours; this sits on top of CERT-In's separate 6-hour reporting rule for cyber incidents, which applies whether or not personal data was involved.
- Data Principal rights — access, correction, and erasure, which means you must know where personal data lives.
- Data minimisation & retention limits — collect only what the notified purpose needs, and erase personal data once that purpose is served unless a law requires you to retain it.
A 90-day readiness plan
- Data map. Inventory every system that touches personal data, including SaaS and shadow AI.
- Gap assessment against “reasonable security safeguards” — this is where penalties bite.
- Breach playbook that satisfies CERT-In (6h) and DPDP (initial intimation without delay, detailed report within 72h) in one workflow, so a single incident timeline feeds both reports.
- Rights workflow to action access/correction/erasure within statutory timelines.
- Evidence. Keep records — enforcement asks you to prove safeguards, not assert them.
RingSafe runs DPDP gap assessments and builds the evidence trail Indian Data Fiduciaries need. Explore DPDP services.
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.