
DPDP Act Penalties: Fines Up to ₹250 Crore Explained

A detailed breakdown of DPDP Act penalty tiers — which violations attract which fines, how the Data Protection Board assesses penalties, and how to reduce your exposure.

Key Takeaways
  • The highest penalty — ₹250 crore — applies to violations of children's data obligations and failures to implement adequate security safeguards.
  • Failure to notify a data breach to the Data Protection Board attracts up to ₹200 crore.
  • The Board considers mitigating factors including voluntary disclosure, remediation steps, and the number of affected individuals.
  • Each Data Principal affected can file a complaint, making aggregate exposure significant for large-scale violations.
  • Proactive compliance — not reactive penalty management — is the only reliable risk reduction strategy.

The Penalty Schedule: A Tier-by-Tier Breakdown

Schedule 1 of the DPDP Act 2023 lists the maximum financial penalties for each category of violation. Unlike some older Indian statutes where penalties had not been updated for decades, the DPDP Act's penalty amounts are designed to be genuinely deterrent — comparable to GDPR fines as a proportion of turnover for large Indian tech companies.

The Schedule is structured as a list of items mapping offence categories to maximum penalty amounts. The Data Protection Board (DPB) has discretion to impose any amount up to the stated maximum, after conducting an inquiry and considering the factors listed in Section 33.

Penalties are per-violation, not per-year. A single data breach affecting a million users is one violation (the failure to implement security safeguards) subject to one penalty determination — though the number of affected individuals is a factor the Board weighs in setting the amount.

Highest-Risk Violations: ₹250 Crore Tier

Schedule 1, Item 1: breach of obligations relating to children's data under Section 9 — maximum penalty ₹250 crore. This includes processing children's data without verifiable parental consent, tracking children, targeting behavioural advertising at children, or processing data in ways that may harm a child's wellbeing. The high penalty reflects legislative intent to make child data protection a red-line obligation.

Schedule 1, Item 2: breach of the obligation to implement adequate security safeguards under Section 8(5) — maximum penalty ₹250 crore. This is the provision most relevant to cybersecurity incidents. If a data breach occurs and the Board determines you did not implement "reasonable security safeguards," this penalty tier applies. What constitutes "reasonable" will be defined in practice by the Board and in standards it may issue.

The ₹250 crore ceiling is approximately USD 30 million at current exchange rates. For a Series B startup or a mid-size Indian IT services company, a penalty at this level would be existential. Even a fraction of the maximum — say ₹50-100 crore — would constitute a material financial event for most companies.

Breach Notification Failure: ₹200 Crore

Schedule 1, Item 3: failure to notify the Data Protection Board and affected Data Principals of a personal data breach (Section 8(6)) — maximum penalty ₹200 crore. This is distinct from the penalty for the breach itself (Item 2). You can be penalised for both the inadequate security that caused the breach and the failure to notify.

The DPDP Act does not specify a notification timeframe in the statute itself — the timeline (expected to be 72 hours) will be specified in the Rules. Companies should build incident response playbooks that include: detection, internal escalation, Board notification, and Data Principal notification. Each of these steps needs an owner and a documented process.

Voluntary self-disclosure is a mitigating factor under Section 33(3). Companies that proactively notify the Board quickly — even before being compelled — are likely to receive more favourable treatment than those who attempt to conceal or delay notification.

Violations of Data Principal Rights

Schedule 1, Item 4: non-fulfilment of additional obligations by Significant Data Fiduciaries — maximum penalty ₹150 crore. This covers an SDF's failure to appoint a DPO, conduct DPIAs, or undergo annual audits.

Schedule 1, Item 5: failure to fulfil Data Principal rights and grievance redressal obligations under Sections 11-13 — maximum penalty ₹10,000 per violation (i.e., per Data Principal whose rights are violated). This appears low in isolation but scales dramatically: if 100,000 users' erasure requests are ignored, potential exposure is ₹100 crore.

Schedule 1, Item 6: breach of any other provision of the Act not specifically enumerated above — maximum penalty ₹50 crore. This is the catch-all provision covering violations of privacy notice requirements, consent formalities, data accuracy obligations, and other baseline obligations.

How the Data Protection Board Assesses Penalties

Section 28 of the DPDP Act empowers the Data Protection Board to conduct inquiries. The process begins with a complaint by a Data Principal (or a reference from the Central Government). The Board issues a notice to the Data Fiduciary, which has an opportunity to respond and be heard. The Board then makes a determination.

Section 33 lists factors the Board must consider in assessing the penalty amount: the nature, gravity, and duration of the breach; the type and sensitivity of personal data involved; the repetitive nature of the breach; whether the breach was intentional or negligent; actions taken to mitigate harm; whether the Data Fiduciary cooperated with the inquiry; and the financial capacity of the Data Fiduciary.

Appeals from Board orders go to the High Court under Section 29. The Board is intended to operate with a degree of independence from MeitY and the Central Government, though appointments are Central Government-controlled. Enforcement patterns will become clearer once the Board is constituted and begins adjudicating cases.

Mitigating Factors That Reduce Penalties

The Board has explicit direction under Section 33 to consider mitigating actions. The most impactful mitigator is proactive remediation: if you discover a breach, notify the Board promptly, implement fixes, and compensate affected individuals, the Board has reason to impose a penalty well below the maximum.

Documented compliance programmes are a second key mitigator. A company that can demonstrate it had a functioning data protection programme — policies, training, technical controls, vendor contracts, consent management — but suffered a one-off incident is in a materially better position than a company with no programme at all.

First-time violations where the company cooperated fully with the inquiry, voluntarily disclosed, and promptly remediated are likely to result in penalties towards the lower end of the applicable range. Repeat violations, concealment, or non-cooperation will attract penalties towards the maximum.

Practical Risk Reduction Strategy

The cheapest risk reduction strategy is not penalty insurance — it is compliance. The cost of building a DPDP compliance programme (data mapping, consent flows, security controls, DPO appointment if required, breach response plan) is a fraction of even a modest penalty. For most companies, a comprehensive compliance programme costs less than ₹1-2 crore; a single serious violation can cost 100x that.

Focus your risk reduction on the ₹250 crore tier first: children's data (if relevant) and security safeguards. Implement reasonable security measures — encryption at rest and in transit, access controls, vulnerability management, incident detection — and document them. The Board will look for documented evidence of your security programme, not just assertions.

Second priority: build your breach notification pipeline. Know your incident escalation chain, know who contacts the Board, and know your Data Principal notification process. Practice it with a tabletop exercise. AuditPath's compliance tracking tools help you maintain the evidence trail that demonstrates your programme was operational before any incident occurred.

Frequently Asked Questions

Can the Data Protection Board impose criminal penalties under the DPDP Act?
No. The DPDP Act 2023 is a civil statute — all penalties are financial. The Act does not create criminal liability for corporate officers (unlike some older Indian regulations). However, existing criminal provisions under the IT Act 2000 for computer-related offences continue to apply in parallel.

Are penalties under the DPDP Act per incident or per Data Principal affected?
It depends on the violation. Penalties for security safeguard failures and breach notification failures are per-incident (one determination per breach event, up to the maximum). Penalties for violations of Data Principal rights (Sections 11-13) are effectively per Data Principal — ₹10,000 per unfulfilled rights request.

What is the statute of limitations for complaints under the DPDP Act?
The Act itself does not specify a limitation period for complaints to the Board. The Rules may address this. Until clarified, companies should maintain compliance evidence and breach documentation for at least 5 years as a precaution.

If we are also GDPR-compliant, does that protect us from DPDP Act penalties?
No. GDPR compliance reduces the gap, but the DPDP Act has different requirements — no legitimate interests basis, different consent standards, different notification timelines, and a separate regulatory body. You must specifically comply with DPDP Act requirements; GDPR compliance is a helpful starting point, not a substitute.

Can insurance cover DPDP Act penalties?
Cyber liability insurance and D&O policies may provide some coverage for regulatory investigation costs and third-party claims. However, regulatory fines are often excluded from insurance policies (both under Indian insurance regulations and policy terms). Do not rely on insurance as the primary risk mitigation strategy.
