A common refrain in Indian boardrooms is that the DPDP Act will be 'enforceable only on paper' — that the Data Protection Board won't actually have the teeth to pursue real cases. This is a comforting belief. It is also wrong, and the reasons it's wrong are worth understanding before the first major penalty lands.
There is a version of the DPDP-skeptic argument that goes like this. India has had data protection rules of various kinds for two decades. The IT Act 2000, the SPDI Rules 2011, the Aadhaar Act, the various sectoral regulators with their privacy-adjacent circulars. None of them led to a privacy-enforcement culture. The DPDP Act will be no different. The Board will be understaffed, slow-moving, and politically careful. Penalties will be theatre. Enforcement will be selective. The smart move is to do the minimum — a privacy policy, a few internal trainings, an updated cookie banner — and wait it out.
I want to argue, in some detail, that this argument is wrong. Not wrong in the abstract — wrong in the specific, mechanical sense that the people repeating it have not actually thought about how Indian regulators enforce once they decide to.
Let me show you what I mean.
What "enforcement" usually means in India
The skeptic's argument is built on a particular image of enforcement. It looks like a raid. A regulator sweeps in with a search warrant, finds something, levies a penalty, makes the front page. Because that doesn't happen often in Indian privacy — and because it doesn't seem like the DPB has the operational appetite for it — the conclusion is that enforcement will be cosmetic.
The conclusion would be correct if that were how Indian regulators actually exercised teeth. It isn't. Look at how SEBI builds enforcement records, or the CCI, or the RBI's enforcement of digital-lending guidelines, or the consumer fora's mass-claim cycles. The pattern is consistent and it has nothing to do with raids.
Indian regulatory enforcement looks like this: a complaint is received from the public. The regulator opens a formal investigation. The investigation produces an order. The order says, in technical language, that the entity violated a specific section by failing to do a specific thing on a specific date. The penalty attaches. The order goes into the public record. The order, now public, becomes the operational baseline for every similarly-situated entity for the next decade. Each individual order looks minor. The cumulative effect, two years in, is that the entire sector has been reshaped because every general counsel in the country has read the order and adjusted.
This is the playbook that the Data Protection Board is going to run. Reading the Act carefully, you can see that it has been designed for this playbook.
Why the DPB has the teeth, structurally
The complaint intake is being designed to be easy
Section 13 of the Act gives every Data Principal the right to grievance redressal. The 2025 Rules pin a specific timeline on the Fiduciary's response. If the Fiduciary doesn't respond within the window, the Data Principal can escalate to the Board directly. The Board's complaint intake is being designed to be a simple online form — basic identity verification, brief description of the alleged violation. No lawyers required to file.
This is a deliberate choice. It means the volume of complaints the Board can receive is not constrained by how many people can hire a privacy lawyer. It is constrained only by how many Data Principals are annoyed enough to fill out a form. That number, in a country of a billion mobile-internet users, is very, very large.
The evidence burden is on the Fiduciary, not the regulator
This is the part the skeptic argument almost never notices. When a complaint lands, the regulator does not have to prove the Fiduciary mishandled data. The Fiduciary has to prove they handled it correctly. The Act puts the burden of demonstrating compliance squarely on the Fiduciary — by requiring records of consent (Section 6), evidence of grievance handling (Section 13), proof of breach notification (Section 8(6)), demonstrable purpose limitation, and so on.
This shifts the operational reality enormously. The Board doesn't need to run an investigation in the conventional sense. The Board issues a notice asking the Fiduciary to produce the relevant records within a window. If the Fiduciary produces clean records — a consent ledger, a DSR fulfilment log, a breach incident file, a vendor inventory, training completion records — the case is dismissed. If the Fiduciary can't produce them, or produces records that don't withstand scrutiny, the Board finds a violation. Easy enforcement. Cheap to run. Scales to thousands of complaints a year.
What this means for any Indian Fiduciary: the question is not "will the Board investigate me?" The question is "if the Board sends me a notice tomorrow asking for evidence of my consent practice, grievance handling, breach response, vendor governance, and training, can I produce records that withstand the kind of scrutiny a regulator will apply?" If the answer is no, the enforcement risk is real today, not in 2027.
Section 33 penalties are large enough to fund enforcement itself
The Indian regulatory state has a quiet problem: enforcement agencies are typically underfunded. The DPDP Act's penalty structure (Section 33) is large enough — up to ₹250 crore per instance for the most serious failures — that even a handful of penalties imposed in the first eighteen months will generate revenue that more than covers the Board's operating costs. This matters more than people realise. It means the Board has an operational incentive to enforce — not just a statutory one. When the institution's continued existence depends on producing enforcement output, enforcement output happens.
The 2025 Rules removed the implementation ambiguity
For most of 2024, you could plausibly argue that DPDP enforcement was theoretical because the Rules hadn't been finalised. The 2025 Rules removed that argument. They specify the timelines, the channels, the registration mechanics, the breach notification structure, the children's-data treatment, and the grievance escalation path. There is no longer a "we'll wait for the Rules" answer that holds up in 2026.
The objection: "But there hasn't been a single major penalty yet"
The skeptic's strongest objection is that, as of writing, there hasn't been a high-profile DPDP penalty. This is true, and it is the source of most of the false security.
I'd suggest that the objection misreads the curve. Indian regulators almost always have a long, quiet ramp-up phase where they look ineffectual to anyone not paying close attention. The Income Tax Department went through it. SEBI went through it. The CCI went through it. The RBI's enforcement of digital lending went through it. The pattern is the same every time: 18–24 months of quiet during which the regulator builds the machine, then an inflection point — usually triggered by a politically convenient headline — when notices start landing, then a phase of escalating action.
By the time you can see enforcement happening, it's too late to prepare for it. The lead time is measured in quarters, not weeks. The organisations that look prepared in 2027 are the ones that took the quiet phase seriously in 2026.
What "ready for enforcement" looks like in operational terms
If the playbook is complaint-driven and evidence-burdened, the operational implication is specific. You need to be able to respond to a Board notice with clean, defensible, dated records across each of the obligation categories the Act covers. In rough order of how often a regulator will ask:
- Consent. Per individual, per purpose: what was shown, when it was agreed, in which channel, by whom, on whose authority. Withdrawals captured with the same fidelity. The ledger has to survive being inspected.
- Data Principal rights. Per request: when it was received, what the request was for, how the Fiduciary verified identity, what action was taken, across which systems, with what evidence, and what was communicated back to the Principal — all within the statutory window.
- Breach response. Per incident: when the Fiduciary became aware, the impact analysis, the decision rationale on notifiability, the timestamps of notification to the Board and to affected Principals, the templates used, the languages used, and the post-incident remediation.
- Vendor governance. Per processor: contracted purpose, signed DPA, expiry tracking, breach-notification SLA, risk classification, last review date, whether a DPIA was required.
- DPIA. Per high-risk processing activity: when assessed, by whom, the residual risk rationale, the mitigations applied, the approval trail.
- Training. Per employee: which module, when completed, what score, when due for refresh.
- Audit trail. End-to-end: who did what, when, under what authority, immutable enough that it survives an evidentiary challenge.
A Fiduciary that can answer all of these in production-grade records — not as a manual filing exercise but as something the privacy team can produce in hours on demand — is enforcement-ready. A Fiduciary that has the pieces in scattered spreadsheets, mailbox archives, and the memory of two senior people is not.
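As an added illustration of the Consent and Audit trail items above (this is example code, not something from the article, the Act or the 2025 Rules, none of which prescribe a record format), here is an append-only, hash-chained consent ledger in Python. The field names, the SHA-256 chaining scheme, the sample principal and purpose identifiers and the dates are all this example's own assumptions. It shows the three things a notice would actually test: per-principal, per-purpose evidence with withdrawals captured at the same fidelity; a point-in-time answer to "was consent active on this date?"; and tamper evidence strong enough that a retroactively edited entry is detectable.

```python
# Added example (not from the article): an append-only, hash-chained consent
# ledger. Field names and the chaining scheme are assumptions of this example;
# the DPDP Act and 2025 Rules do not prescribe a format.
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    principal_id: str
    purpose: str
    action: str           # "grant" or "withdraw"
    notice_version: str   # which consent notice text was shown
    channel: str          # where it was collected, e.g. "web", "app"
    actor: str            # who recorded it: the principal or an authorised agent
    timestamp: str        # ISO 8601 UTC, so strings sort chronologically
    prev_hash: str        # entry_hash of the previous entry (the chain link)
    entry_hash: str = ""  # SHA-256 over every other field

    def payload(self) -> bytes:
        d = asdict(self)
        d.pop("entry_hash")
        return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def digest(ev: ConsentEvent) -> str:
    return hashlib.sha256(ev.payload()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: list = []

    def record(self, principal_id, purpose, action, notice_version,
               channel, actor, timestamp) -> ConsentEvent:
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ev = ConsentEvent(len(self.entries), principal_id, purpose, action,
                          notice_version, channel, actor, timestamp, prev)
        ev = replace(ev, entry_hash=digest(ev))
        self.entries.append(ev)
        return ev

    def verify(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS
        for i, ev in enumerate(self.entries):
            if ev.seq != i or ev.prev_hash != prev or digest(ev) != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True

    def consent_active(self, principal_id, purpose, at) -> bool:
        """State after the latest grant/withdraw for this principal and purpose at or before `at`."""
        active = False
        for ev in self.entries:
            if (ev.principal_id, ev.purpose) == (principal_id, purpose) and ev.timestamp <= at:
                active = ev.action == "grant"
        return active

    def evidence(self, principal_id, purpose) -> list:
        """The dated trail a regulator's notice would ask for."""
        return [asdict(ev) for ev in self.entries
                if (ev.principal_id, ev.purpose) == (principal_id, purpose)]


def build_sample_ledger() -> ConsentLedger:
    # Constructed sample events; identifiers and dates are made up.
    lg = ConsentLedger()
    lg.record("P-001", "marketing", "grant", "notice-v1", "web", "principal", "2026-01-10T09:00:00+00:00")
    lg.record("P-001", "analytics", "grant", "notice-v1", "web", "principal", "2026-01-10T09:00:01+00:00")
    lg.record("P-001", "marketing", "withdraw", "notice-v1", "app", "principal", "2026-02-01T12:00:00+00:00")
    return lg


def tamper_detected(lg: ConsentLedger, index: int, rehash: bool) -> bool:
    """Flip one entry's action after the fact (what a 'tidied-up' spreadsheet looks
    like) and report whether verify() catches it. With rehash=True the edited
    entry's own hash is recomputed, so only the next entry's chain link can catch it."""
    original = lg.entries[index]
    flipped = "withdraw" if original.action == "grant" else "grant"
    edited = replace(original, action=flipped)
    if rehash:
        edited = replace(edited, entry_hash=digest(edited))
    forged = ConsentLedger()
    forged.entries = lg.entries[:index] + [edited] + lg.entries[index + 1:]
    return not forged.verify()
```

Two design points worth noting. First, the chain only protects an entry that has a successor: a consistent rewrite of the most recent entry (edit it, recompute its hash) passes verify(), so the head hash has to be anchored outside the ledger at intervals, for example signed or written to a separate append-only store, before the ledger counts as "immutable enough". Second, the same record-then-chain pattern serves the DSR fulfilment log and the breach incident file equally well; only the field set changes.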
The strategic question for the next six months
Most Indian organisations are going to use the next six months in one of two ways. The first group will treat the Act as a legal-review item: get the policy updated, brief the executives, hope for the best. The second group will treat the Act as an operational programme: build the consent ledger, build the DSR workflow, build the breach response, build the vendor inventory, build the audit trail, run the training. The first group will be the headline penalties of 2027. The second group will be the case studies of 2028 — the ones the DPB will publicly point at as examples of good practice.
The difference between the two groups, in capex and opex, is smaller than it looks. The difference in penalty exposure is enormous.
If the question your board is asking is "is enforcement really coming?", the answer is yes — and the people who will tell you it isn't are people whose professional incentive is to keep your privacy programme small. If the question your board is asking is "what would good preparedness look like in our operations specifically?", that is a much better question, and the cost of asking it now is the cost of a single hour of an executive's time.
The runway is real. So is the cliff at the end of it.