Rapid digitalisation has transformed personal data into a critical economic resource for corporate entities, simultaneously increasing exposure to cyber threats and large-scale data breaches. Indian corporations now routinely collect, store, and process vast quantities of personal data, often without commensurate investment in cybersecurity governance. Persistent data breach incidents have exposed the inadequacy of India’s earlier legal framework, which relied primarily on the Information Technology Act, 2000 and subordinate rules. The Digital Personal Data Protection Act, 2023 (DPDP Act) represents a decisive shift towards acomprehensive rights-based regulatory regime governing digital personal data. This paper critically examines corporate liability for data breaches under the DPDP Act by analysing its constitutional foundations, statutory architecture, and enforcement mechanisms. It evaluates the extent to which the Act imposes fiduciary-style obligations on corporate data handlers and assesses whether its penalty regime effectively deters negligent data governance practices. Drawing upon Indian and international jurisprudence, including developments in the European Union, the United Kingdom, the United States, and Australia, the study identifies structural gaps and implementation challenges within the Indian framework. The paper arguesthat although the DPDP Act aligns Indian data protection law with global standards, its effectiveness depends on regulatory clarity, institutional independence, and the integration of cybersecurity oversight into corporate governance structures. The study concludes with policyoriented recommendations aimed at strengthening corporate accountability and safeguardinginformational privacy in India’s evolving digital economy.