Compliance 6 min read · 22 November 2025

DPDP Penalties: The Complete Guide — ₹50 Crore to ₹250 Crore

A detailed breakdown of every penalty under the DPDP Act 2023. Which violations cost how much, how the Data Protection Board determines fines, and what aggravating factors apply.

The DPDP Act 2023 carries some of the stiffest data protection penalties in Asia. Unlike fines under the EU's GDPR, which are set as a percentage of global turnover, India's penalties are fixed amounts per violation category. Here's every number you need to know.

The Penalty Schedule (Schedule 1 to the DPDP Act)

The DPDP Act contains a Schedule that maps violation types to maximum penalty amounts. These are maximums — the Data Protection Board determines the actual amount based on factors including severity, intent, and past compliance history.

₹250 Crore — Data Security Failure

This is the highest penalty tier. It applies to:

  • Failure to implement reasonable security safeguards to prevent personal data breaches (Section 8(5))
  • A breach occurring because of inadequate security measures

This covers businesses that don't encrypt sensitive data, use weak passwords on systems holding customer data, or fail to implement basic access controls.

₹200 Crore — Breach Notification Failure

If a data breach occurs and you don't notify the Data Protection Board and affected individuals within 72 hours, the penalty is up to ₹200 Crore. This is separate from and in addition to the security failure penalty.

₹200 Crore — Children's Data Violations

Violations of the obligations for processing children's data under Rule 10:

  • Processing a minor's data without verified parental consent
  • Serving behavioural advertising to a child
  • Tracking or monitoring a child's online behaviour without consent

₹50 Crore — Other Obligations

This tier covers general violations including:

  • Collecting data without a proper consent notice (Section 5)
  • Processing data beyond what was consented to
  • Failing to respond to Data Subject Requests within the specified timeframe
  • Not deleting data when the purpose is fulfilled (Section 8(7))
  • Violations by Data Processors that the Fiduciary is responsible for

How Does the DPB Determine the Actual Penalty?

The Data Protection Board considers several factors when deciding penalties within the maximum range:

  • Nature and gravity of the breach — how many people affected, sensitivity of data
  • Duration — how long the violation continued
  • Type of data — financial, health, or children's data carries higher weight
  • Repetition — previous violations by the same entity
  • Gains made by the Data Fiduciary from the violation
  • Actions taken to mitigate the harm after discovery
  • Cooperation with the Board during investigation

Penalties Are Per Violation, Not Annual

Unlike GDPR (which caps at a percentage of annual turnover), DPDP penalties apply per violation category. A business that:

  • Fails to get consent (₹50 Cr)
  • Has a breach because of poor security (₹250 Cr)
  • Fails to notify the breach within 72 hours (₹200 Cr)

...could theoretically face ₹500 Crore in total penalties from a single incident.

Who Can Complain?

Any individual (Data Principal) whose rights have been violated can complain to the Data Protection Board. The Board can also initiate suo motu investigations if it becomes aware of potential violations.

Is There Any Small Business Exemption?

The Act contains a provision for the government to exempt certain classes of Data Fiduciaries — potentially small businesses — from some obligations via notification. However, no such exemption notification has been issued as of the date of this article. Until one is, all businesses are subject to the full penalty schedule.

Real Risk for SMBs

A ₹50 Crore penalty for a small business is effectively a death sentence. But the risks aren't symmetrical — the Board will likely focus enforcement on larger entities first. That said, a complaint from even one customer can trigger an investigation against any business, regardless of size. Getting compliant is far cheaper than the alternative.
