DPDP Penalties: Up to ₹250 Crore. Here is What You Risk.

A breakdown of every penalty provision in the DPDP Act 2023. Understand the financial exposure, the enforcement mechanism, and what triggers each penalty tier.

The Financial Architecture of Non-Compliance

The Digital Personal Data Protection Act, 2023 is not advisory legislation. It is an enforcement statute with monetary penalties that scale up to ₹250 crore per violation. The Act establishes a tiered penalty framework administered by the Data Protection Board of India (DPBI), whose adjudication powers operate independently of the civil courts.

If your organisation processes personal data of Indian residents, these numbers define your maximum financial exposure. Understanding the structure is not optional.

For a full overview of the Act itself, see our guide to the DPDP Act.

Penalty Tiers Under the DPDP Act

The Act prescribes penalties across four distinct violation categories. Each tier corresponds to a specific class of obligation. The amounts represent upper bounds; the DPBI retains discretion to impose lower amounts based on the nature and severity of the breach.

| Violation | Maximum Penalty | Section Reference |
| --- | --- | --- |
| Failure to take reasonable security safeguards to prevent a data breach | ₹250 crore | Schedule, Item 1 |
| Failure to notify the DPBI and affected Data Principals of a breach | ₹200 crore | Schedule, Item 2 |
| Non-compliance with obligations related to children’s data | ₹150 crore | Schedule, Item 3 |
| Non-compliance with any other provision of the Act or its rules | ₹50 crore | Schedule, Item 4 |

These are per-instance penalties. A single data breach event that also involves delayed notification and children’s data could trigger multiple tiers simultaneously.

What Triggers Each Penalty Tier

₹250 Crore: Security Safeguard Failures

This is the highest penalty, and it targets a specific obligation: Data Fiduciaries must implement “reasonable security safeguards” to protect personal data against breaches. The Act does not prescribe specific technical controls. Instead, reasonableness will be assessed by the DPBI on a case-by-case basis.

Factors likely to influence this assessment include whether the organisation maintained encryption at rest and in transit, implemented access controls, conducted regular security audits, and followed industry-standard practices for its sector.

The absence of a defined technical standard is intentional. It places the burden on the Data Fiduciary to demonstrate that its safeguards were proportionate to the data it held and the risks it faced.

₹200 Crore: Breach Notification Failures

When a personal data breach occurs, the Data Fiduciary must notify both the DPBI and each affected Data Principal. The Act requires this notification “without delay” but leaves the precise timeline to rules that are yet to be finalised.

The penalty targets two distinct failures: not reporting to the Board, and not informing the individuals whose data was compromised. Delayed notification is treated with the same severity as non-notification.

For a detailed walkthrough of notification obligations, see our breach notification guide.

₹150 Crore: Children’s Data Violations

Section 9 of the Act imposes additional obligations when processing data of individuals under 18 years of age. These include:

  • Obtaining verifiable parental consent before processing
  • Prohibiting behavioural tracking or targeted advertising directed at children
  • Prohibiting processing that causes demonstrable harm to children

Organisations operating ed-tech platforms, gaming services, or any consumer-facing product with a user base that includes minors must treat this tier as a primary risk vector.

₹50 Crore: General Non-Compliance

This residual category covers all other violations. It includes failures related to:

  • Purpose limitation (processing data beyond the stated purpose)
  • Data retention (holding data longer than necessary)
  • Data Principal rights (failing to respond to access, correction, or erasure requests)
  • Consent management (collecting data without valid, informed consent)
  • Appointing a Data Protection Officer when required

While ₹50 crore is the lowest tier, it applies to the broadest range of obligations. For most organisations, these operational compliance gaps represent the most probable enforcement exposure.

Review our DPDP compliance checklist to identify which obligations apply to your operations.

The Data Protection Board of India

The DPBI is the adjudicatory body established under Section 18 of the Act. It is not a regulator in the traditional sense. It does not issue licenses or conduct routine inspections. Its function is to receive complaints, conduct inquiries, and impose penalties.

Key characteristics of the Board:

  • Digital-first proceedings. The Act mandates that proceedings before the Board will be conducted digitally. This lowers the barrier for complaints and accelerates adjudication timelines.
  • Independent adjudication. Board decisions carry the weight of a civil court order. Appeals go to the Telecom Disputes Settlement Appellate Tribunal (TDSAT), not to lower courts.
  • Complaint-driven enforcement. Any Data Principal may file a complaint. The Board may also initiate inquiries based on credible information, including media reports or whistleblower disclosures.

The Board has not yet commenced operations as of March 2026. However, the enforcement provisions apply from the date of notification, which means that compliance obligations are active even before the first penalty is imposed.

DPDP vs GDPR: Penalty Comparison

For organisations with cross-border operations, the comparison to the EU’s General Data Protection Regulation provides useful context.

| Parameter | DPDP Act 2023 | GDPR |
| --- | --- | --- |
| Maximum penalty | ₹250 crore (~€27 million) | €20 million or 4% of global annual turnover, whichever is higher |
| Penalty calculation | Fixed maximum per violation category | Percentage-based, scaled to revenue |
| Adjudication body | Data Protection Board of India | National Data Protection Authorities (per EU member state) |
| Criminal liability | None (civil penalties only) | Varies by member state |
| Private right of action | Not provided | Yes, individuals can sue for damages |

The DPDP Act’s fixed-cap model means that for large enterprises, the maximum penalty may represent a smaller proportion of revenue than a GDPR fine. However, for mid-market and growth-stage companies, ₹250 crore is an existential figure. The Act does not scale penalties to organisational size, which means a 50-person company faces the same theoretical maximum as a conglomerate.

Enforcement Timeline

The Act received Presidential assent on 11 August 2023. The enforcement timeline depends on the notification of rules by the Central Government. As of March 2026:

  • The Act has been passed and published
  • Draft rules have been circulated for public comment
  • The DPBI has not yet been formally constituted
  • Compliance obligations are expected to become enforceable upon final notification of rules and constitution of the Board

This pre-enforcement window is narrowing. Organisations that treat it as a grace period rather than a preparation window will face compressed timelines once enforcement begins.

What This Means for Your Organisation

The penalty framework under the DPDP Act is designed to make non-compliance more expensive than compliance. The tiered structure signals legislative intent: security safeguards and breach notification are the highest-priority obligations, followed by children’s data protections, with general compliance as the baseline expectation.

The strategic response is not to wait for the Board to begin operations. It is to establish compliance infrastructure now, while the cost of remediation is lower and the operational disruption is minimal.

Run a free Gap Assessment to identify where your organisation stands against the DPDP Act’s requirements. The assessment maps your current data practices against each obligation category and highlights your areas of highest penalty exposure.