The Board Question Your DPO Cannot Answer Alone: DPDP Accountability and What ₹250 Crore Really Means
At a recent Board Risk Committee meeting, the chair asked a simple question: "Are we compliant with the DPDP Act?" The DPO said yes. The CISO said mostly. The CTO said it depends on what you mean by compliant. The board left the meeting without a clear answer — and without realising that under the Act, the board itself is accountable for that answer, not the DPO.
What the Act says about board accountability
DPDP §8(4) places obligations directly on the data fiduciary — the organisation, not the individual. The board cannot delegate its accountability to the DPO. The DPO advises, monitors, and reports. The board decides, funds, and is ultimately answerable. This mirrors the RBI banking regulation model where the board is responsible for compliance, not the compliance officer.
In practice, this means the board needs visibility into the organisation's data protection posture — not an annual presentation, but a current, measurable, auditable view. If the regulator asks "what is your current compliance status?" and the board cannot answer with specifics, the accountability gap is at the board level.
What ₹250 crore per breach actually means
The penalty ceiling under the DPDP Act is ₹250 crore per breach event. This is not per year. It is per breach. And "breach" is broader than a data leak — it includes failure to implement reasonable security safeguards, failure to notify, processing without valid consent, and failure to honour data principal rights. A single organisation could face multiple penalties for multiple breaches discovered in a single audit.
For BFSI organisations, the financial exposure is material. A mid-size bank processing KYC data for 10 million customers without a completed DPIA, without linked evidence, and without a current ROPA review has at least three potential breach events — each carrying up to ₹250 crore in penalties.
The DPO is responsible for monitoring compliance. The board is responsible for ensuring compliance. Monitoring is a reporting function. Ensuring is a governance function. The DPO tells you where you stand. The board decides whether to fund remediation, accept risk, or change processing activities. If the board does not act on DPO recommendations, the accountability stays with the board — not the DPO.
Three questions every CEO needs to answer
Before the next board meeting, every CEO at a BFSI organisation should be able to answer these three questions with specific, current data — not estimates or promises:
- What is our current assurance score? A single number that reflects the organisation's documented compliance posture across ROPA, PIA, DPIA, gap assessments, and evidence coverage. If you cannot produce this number, you do not have visibility.
- How many processing activities lack a completed DPIA? Every high-risk processing activity requires a DPIA. If the number is greater than zero and the board has not formally accepted the risk, the accountability gap is open.
- When was our ROPA last reviewed and by whom? A ROPA that has not been reviewed in the current quarter is a ROPA that may not reflect current processing activities. Regulators check the review timestamp.
The governance structure that works
Organisations that maintain compliance — not just achieve it once — follow a predictable governance cadence: monthly DPO report to the compliance committee with specific metrics (not narratives), quarterly ROPA review with evidence refresh, and annual independent audit with remediation tracking. The board receives a quarterly compliance assurance score and acts on deviations.
The alternative — annual compliance projects that produce a point-in-time snapshot — creates the illusion of compliance while leaving the organisation exposed for the other 11 months. Regulators have learned to check timestamps, not just documents.
The Compliance Assurance Index (CAI) gives boards a single score derived from four dimensions: documentation completeness, risk posture, control maturity, and gap remediation. The score updates in real time as assessments are completed, evidence is uploaded, and reviews are finalised — so the board always has a current answer.