Enforcement of the Digital Personal Data Protection Act has not started in earnest yet. When it does, three things will be true that almost nobody is preparing for. Here's the realistic playbook of how the next 24 months unfold — and what that means for your organisation.
The Digital Personal Data Protection Act, 2023 has been the law in India for over a year. The Rules followed in 2025. The Data Protection Board has been notionally constituted. And yet, if you ask the average Indian Data Fiduciary how worried they are about enforcement, the answer is somewhere between "not very" and "we'll see what happens."
I want to make a different argument. I want to argue that enforcement is going to start sooner, hit harder, and reshape the Indian data economy more rapidly than most people are pricing in — and that the organisations who don't see this coming will end up writing very large cheques in 2027.
Let me walk you through it.
The boring reason enforcement hasn't started yet
The reason there hasn't been a high-profile DPDP penalty yet is operational, not philosophical. The Data Protection Board (Section 18) has had to be constituted, staffed, given a budget, given physical premises, given case-management software, and given a process for receiving and triaging complaints. None of that is complicated, but all of it takes time. The Board's first 12-18 months are about building the machine.
I've watched enough Indian regulators come online to know that the curve is always the same. There's a long, quiet ramp-up where the regulator looks ineffectual. Then there's an inflection point — usually triggered by a politically convenient headline — where the regulator starts issuing notices. Then there's a phase of escalating action where everyone in the sector suddenly remembers they had a compliance team. Then there's a long tail of enforcement actions that nobody remembers reading about, but each one quietly establishes the operational baseline for the next decade.
The Income Tax Department went through this curve. SEBI went through this curve. The CCI went through this curve. The RBI's enforcement of digital lending guidelines went through this curve. The DPB will go through this curve. The only question is how compressed the timeline will be — and the early signs (the speed of the Rules, the public posture of the Government, the political appetite for visible action) suggest the curve will be faster than the historical norm, not slower.
Three things that will be true
When enforcement starts, three things will be true that almost nobody is preparing for.
Thing 1 — Enforcement will be complaint-driven, not audit-driven
Western privacy regulators (GDPR's data protection authorities, the FTC under CCPA) lean heavily on audits and investigations they initiate themselves. Indian regulators, by contrast, almost always lean on complaints from the public. Read SEBI's enforcement record. Read the RBI's. Read the consumer fora's. The pattern is consistent: a complainant files, the regulator opens an investigation, the regulator finds something, the regulator imposes a penalty.
The DPB has been designed with this in mind. Section 13 of the Act gives every Data Principal the right to grievance redressal, and the 2025 Rules pin a specific timeline on the response. If the Fiduciary doesn't respond within the window, the Data Principal can escalate to the Board directly. The Board's complaint intake is designed to be easy — a simple online form, basic identity verification, a brief description of the alleged violation.
What this means operationally: enforcement will not look like a regulator showing up at your door with a search warrant. It will look like a single email landing in your grievance inbox, getting ignored by an overworked support team, and surfacing on the Board's docket six weeks later as a formal complaint. By the time you realise you had a problem, the Board has already started an investigation.
The Fiduciaries that prepare for this will treat their grievance inbox as a legal-grade workflow. The Fiduciaries that don't will treat it as a customer service inbox and will be blindsided by the first complaint that escalates.
Thing 2 — The first wave will target clean, undefendable cases
When a regulator is establishing precedent, it doesn't go for the hard cases. It goes for the clean cases — the ones where the violation is obvious, the harm is tangible, and the defence is implausible. This is rational behaviour: the regulator is building credibility, and credibility is built on cases where the public reads the headline and nods.
What does that look like under DPDP? It looks like:
- A Fiduciary that ignored a deletion request and got caught
- A Fiduciary that suffered a breach and didn't notify within 72 hours
- A Fiduciary that processed children's data without verifiable parental consent
- A Fiduciary that used personal data for a purpose nobody consented to (e.g., targeting children with ads, sharing customer lists with a parent company without notice)
- A Fiduciary that said one thing in its public privacy notice and did another in practice
Notice what's missing from that list: complicated questions about the boundaries of "legitimate use," edge cases on cross-border transfer, ambiguous interpretations of the Act's definitions. The Board will get to those eventually, but not in the first 24 months. The first 24 months will be about clean cases that establish the principle that the Act has teeth.
If your organisation is on the wrong side of any of those clean-case categories — and most are — you are in the high-priority bucket without realising it.
Thing 3 — The penalty calculation will be adversarial
Section 33 of the Act gives the Board wide discretion in setting penalties, with maximums up to ₹250 crore per instance for the most serious violations. The factors the Board can consider include the nature, gravity, and duration of the violation; the type and amount of personal data affected; the actions taken to mitigate the breach; the gain from the breach; whether the breach was repeated; and the nature of the affected Data Principals.
The thing every Fiduciary needs to internalise is that the penalty calculation is adversarial. The Board does not start at zero and add up factors until they reach a number. The Board starts at the maximum and subtracts factors that the Fiduciary can demonstrate. If you have nothing to demonstrate — no incident response evidence, no audit trail, no remediation plan, no proof of training — the Board doesn't have anything to subtract from. You start at the maximum.
This is the part that compliance theatre fails to anticipate. Compliance theatre is good at producing documents that look impressive in a slide deck. It is bad at producing documents that hold up when an investigator asks "show me the evidence that this control was operating on the day of the violation." Theatre is what gets you a PDF policy. Operational compliance is what gets you the timestamps, the user IDs, the access logs, the email confirmations, and the change history that prove the control actually worked.
The difference between theatre and operations, in penalty terms, is the difference between ₹50 crore and ₹2 crore.
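As an added illustration of the "legal-grade" grievance workflow from Thing 1 and the timestamped, tamper-evident evidence from Thing 3 (example code, not the post's or AutoCops' own): a small Python grievance ledger that hash-chains every intake and response event, so a later investigator can verify nothing was edited after the fact, and reports whether each ticket was answered inside the response window. The window length, ticket ids and actor names are assumed placeholders; the 2025 Rules' actual window is not stated on this page.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

RESPONSE_WINDOW_DAYS = 30  # ASSUMPTION: placeholder, not the window the 2025 Rules set

class GrievanceLedger:
    """Append-only, hash-chained record of grievance handling events."""
    def __init__(self):
        self.events = []           # never edited in place
        self.prev_hash = "0" * 64  # genesis link for the hash chain
    def record(self, ticket_id, action, actor, at):
        """Append one event (received / responded) linked to the previous event's hash."""
        event = {"ticket": ticket_id, "action": action, "actor": actor,
                 "at": at.isoformat(), "prev": self.prev_hash}
        digest = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        event["hash"] = digest
        self.events.append(event)
        self.prev_hash = digest
    def verify(self):
        """Recompute every link; an edited, reordered or deleted event breaks the chain."""
        prev = "0" * 64
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or recomputed != ev["hash"]:
                return False
            prev = ev["hash"]
        return True
    def status(self, ticket_id, now):
        """'responded' (within the window), 'open', or 'overdue' (escalation exposure)."""
        times = {ev["action"]: datetime.fromisoformat(ev["at"])
                 for ev in self.events if ev["ticket"] == ticket_id}
        if "received" not in times:
            raise KeyError(f"no intake record for {ticket_id}")
        deadline = times["received"] + timedelta(days=RESPONSE_WINDOW_DAYS)
        if "responded" in times and times["responded"] <= deadline:
            return "responded"
        return "overdue" if now > deadline else "open"

def build_sample():
    """Constructed sample: one ticket answered in four days, one never answered."""
    led = GrievanceLedger()
    t0 = datetime(2026, 1, 5, 10, 0, tzinfo=timezone.utc)
    led.record("G-1", "received", "grievance-inbox", t0)
    led.record("G-2", "received", "grievance-inbox", t0)
    led.record("G-1", "responded", "dpo@example.invalid", t0 + timedelta(days=4))
    return led, t0 + timedelta(days=RESPONSE_WINDOW_DAYS + 1)
```

Running `status()` over every open ticket on a schedule gives the "overdue" list that a complaint to the Board would otherwise surface first; `verify()` is what you run before handing the record to an investigator.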
The Indian data economy in 2027
Let me skip ahead two years and describe what I think the Indian data economy looks like after the first wave of enforcement.
Most large consumer platforms will have a real DPO. Right now, the role exists at maybe a fifth of the organisations that should have it. By 2027, the number will be closer to 80% — driven not by the law, but by the fact that the first few enforcement actions will make it socially impossible for a board to explain why they didn't have one.
Privacy notices will get shorter and clearer. The current generation of Indian privacy notices was largely copied from US-style "we may use your information for any purpose we like" templates. Those notices will not survive a Board investigation. The notices that will replace them will be shorter, more itemised, more granular, and more honest. Marketers will hate this. Compliance teams will love it. Customers will mostly not notice, but the ones that do will trust those companies more.
Vendor stacks will get more Indian. The combination of Section 16 cross-border transfer restrictions, the operational pain of explaining cross-border vendor changes to the Board, and the simple economics of preferring vendors that are already DPDP-compliant will push Indian Fiduciaries toward Indian-resident infrastructure. Global vendors that don't open asia-south1 regions will lose market share. Local vendors that do will gain it.
Insurance will change. Cyber insurance policies in India will start carving out specific DPDP-related coverage, and underwriters will demand evidence of operational compliance before issuing policies. The companies that can demonstrate a real DPDP programme will get cheaper coverage. The companies that can't will either not get coverage at all or will pay punitive premiums.
M&A diligence will get harder. Every Indian acquisition or investment in 2027 onward will include a DPDP-specific diligence track. Acquirers will want to see your data inventory, your consent records, your DSR workflow, your incident history. Targets that can't produce those documents will see their valuations get cut. The time between the first major DPDP penalty and the first major M&A deal repricing because of DPDP gaps will be measured in months, not years.
The first sectoral guideline will arrive. I expect the Government to issue a sector-specific guideline (probably banking, possibly healthcare) within 18 months of the first major penalty, expanding on the Section 10 obligations of Significant Data Fiduciaries (SDFs). Once that guideline lands, every other regulator (RBI, IRDAI, SEBI, MoHFW) will follow with their own. The pile of compliance obligations will get heavier, not lighter.
What this means for your organisation
If you're reading this and you're a Data Fiduciary in India in 2026, the strategic question is not "should we comply?" The strategic question is "do we want to be in the early-cooperator group or the late-resister group when the curve hits?"
The early cooperators are the organisations that build their programme now, have real evidence by the time enforcement starts, and use their compliance posture as a competitive advantage in their RFP responses, their investor decks, and their hiring brand. When the Board does eventually look at them, they're presented as model citizens. The Board's penalty calculator subtracts heavily for "demonstrated good-faith compliance effort."
The late resisters are the organisations that wait for the first penalty headline, panic-build a programme in three months, and discover that three months is not enough time to retrofit operational compliance into a business that wasn't designed for it. Their compliance posture on the day of investigation is whatever existed before the panic, not whatever the panic produced. The Board's penalty calculator has nothing to subtract.
The gap between those two outcomes is, in my experience, between 5x and 50x in penalty exposure for the same underlying violation. Not because the law treats early cooperators preferentially in some unfair way — but because early cooperators have evidence and late resisters have intentions.
The thing that will change everything
There is one specific event I'm watching for, and when it happens I expect every board in India to suddenly find DPDP very interesting. That event is the first publicly named ₹50+ crore DPDP penalty against a recognisable company. Not a big tech platform — those are too easy to dismiss as "well, of course, they're big tech." A mid-sized, recognisable Indian company. A bank. A retailer. A healthcare provider. Someone who looks like every other Indian company, and who got a ₹50-crore enforcement notice for a Section 8(6) violation.
When that happens, three things will follow within 30 days:
- Every board in India will hold an emergency session on DPDP
- Every General Counsel will be asked, "what is our exposure?"
- Every CEO will discover that the answer is "we don't know"
The companies that have already done the work will respond confidently and credibly. The companies that haven't will spend the next quarter scrambling, hiring, and writing very expensive cheques to consultancies. The market for senior privacy talent will contract overnight. The companies that hired their DPO in 2026 will have someone who's been embedded for a year. The companies that wait until that headline will be hiring into a market that no longer has anyone available at any reasonable price.
I don't know exactly when that headline will land. My best guess is the second half of 2026 or early 2027. I could be wrong by six months in either direction. What I'm not wrong about is that it will land, and the organisations that prepared in advance will look back at those six months as the most valuable lead-time of their compliance journey.
The honest closing
I'm aware that this post reads like I'm trying to sell you a compliance platform. I am — that's literally what AutoCops is for, and I make no apologies for that. But the case for acting now does not depend on which platform you use, whether you use a platform at all, or whether you build the controls in-house with an army of spreadsheets. The case for acting now depends only on the timeline of enforcement, and that timeline is not under your control.
You have two choices. You can spend the next six to twelve months quietly building the operational compliance posture that will protect you when the curve hits. Or you can spend it hoping the curve doesn't hit and discover that hope is not a strategy. The first choice is uncomfortable. The second choice is more uncomfortable, just later.
I know which one I'd rather make. I'd rather be the boring DPO who built a quiet, well-documented compliance programme in 2026 than the celebrity DPO who got hired in a panic in 2027 to clean up after someone else's enforcement headline. The boring DPO never makes the news. That's the entire point.
If you want to start, we built a free 5-minute assessment for exactly this purpose — same 40 questions, same scoring model, same gap-priority ranking we use in production engagements. No signup, no marketing chase. It will tell you, honestly, where you stand. The rest is execution.
Want help putting this into action?
Run the free DPDP assessment
5 minutes, 40 questions, a posture score, and a PDF report. No signup. No marketing chase.