Q6 - What happens if a Data Fiduciary fails to comply — does liability sit only with the company, or can directors and officers also be held responsible?

Answer

If a Data Fiduciary fails to comply with the Digital Personal Data Protection Act, 2023 (DPDPA), the organization can face significant monetary penalties imposed by the Data Protection Board of India. These penalties are outlined in Section 33(1) and the Schedule of the Act and may reach up to ₹250 crore, depending on the nature and severity of the breach.


1. Primary Liability

The liability primarily rests with the Data Fiduciary (the organization).
Under Section 8(1), the Data Fiduciary is responsible for ensuring compliance with all obligations under the Act — including lawful processing, consent management, breach notification, data retention, and security safeguards — even if processing is carried out by a Data Processor on its behalf.


2. Liability of Directors and Officers

The Act does not explicitly impose personal criminal liability on individual directors, officers, or employees for non-compliance.
However, the Data Protection Board may evaluate whether negligence, misconduct, or lack of due diligence by responsible personnel contributed to the violation.

In such cases:

  • The Board’s inquiry process under Sections 27 and 28 allows identification of the specific individuals accountable for operational lapses.
  • If an officer’s actions are proven to have directly led to the breach, administrative penalties or disciplinary actions under other applicable laws (such as the Companies Act, 2013 or IT Act, 2000) may still apply.

Thus, while the Act itself enforces penalties against the entity, directors and officers remain accountable through internal governance duties, employment contracts, and other legal frameworks ensuring due diligence and oversight.


3. Types of Penalties (as per the Schedule)

Nature of Breach                                        Maximum Penalty
Failure to prevent a personal data breach               ₹250 crore
Failure to notify the Board or affected individuals     ₹200 crore
Breach of obligations related to children’s data        ₹200 crore
Non-compliance by a Significant Data Fiduciary          ₹150 crore
Breach of duties by a Data Principal                    ₹10,000
Breach of any other provision of the Act                ₹50 crore

Example

If a financial institution acting as a Data Fiduciary fails to secure customer data and does not report the breach promptly, the organization may be penalized up to ₹250 crore under the DPDPA. While the fine applies to the entity, the Chief Information Security Officer (CISO) or Data Protection Officer (DPO) may still face internal disciplinary action or accountability under their governance duties if the breach occurred due to negligence or ignored policies.


Referenced Provisions:

  • Section 8(1) – Responsibility of Data Fiduciary for compliance.
  • Sections 27 & 28 – Inquiry and enforcement powers of the Data Protection Board.
  • Section 33(1) – Monetary penalties for significant breaches.
  • The Schedule – Specifies penalty amounts for different violations.