DPDP Act Penalties: What Non-Compliance Actually Costs
The DPDP Act 2023 carries penalties up to ₹250 crore per violation. But the penalty table in the Act's Schedule is only the starting point. The real picture involves multipliers, repeat offender consequences, and a Board with civil court powers.
Here is how the penalty framework actually works — every amount, every trigger, and every factor that determines what you pay.
The Penalty Table
The Act's Schedule defines six categories of breach, each with a specific maximum penalty:
| Violation | Act Section | Maximum Penalty |
|---|---|---|
| Failure to implement reasonable security safeguards | Section 8(5) | ₹250 crore |
| Failure to notify Board and Data Principals of a breach | Section 8(6) | ₹200 crore |
| Non-compliance with children's data obligations | Section 9 | ₹200 crore |
| Non-compliance with Significant Data Fiduciary obligations | Section 10 | ₹150 crore |
| Breach of any other provision of the Act or Rules | Various | ₹50 crore |
| Breach of Data Principal duties (false or frivolous complaint, impersonation, suppressing material information) | Section 15 | ₹10,000 |
These are maximums, not fixed fines. Under Section 33(1) the Board may impose a penalty only after concluding an inquiry, finding that the breach is significant, and giving the person an opportunity to be heard; within the Schedule ceiling it sets the actual amount from the circumstances of each case.
Key Takeaway
A single data breach can trigger multiple penalty categories simultaneously. If a breach occurs because of inadequate security (₹250 crore) and you fail to notify the Board and affected individuals (₹200 crore), the total theoretical exposure is ₹450 crore from one incident.
The ₹250 Crore Ceiling Is Not the Real Ceiling
Section 42 of the Act lets the Central Government amend the Schedule by notification in the Official Gazette, with one limit: no amendment may raise a penalty to more than double the figure in the Act as originally enacted. The true maximum for a security safeguard failure is therefore ₹500 crore once the government exercises this power.
No such notification has been issued. The Act attaches no trigger to the power, but the obvious scenario is a government that concludes the existing amounts are not deterring non-compliance, for example after a high-profile breach or an industry-wide pattern of wilful violations.
How the Board Decides What You Pay
The Data Protection Board does not apply penalties mechanically. Section 33(2) lists seven matters the Board must have regard to when determining the amount:
1. Nature, Gravity, and Duration of the Breach
A brief accidental exposure of non-sensitive data will be treated differently from a months-long systematic failure to protect financial records. The Board looks at what happened, how serious it was, and how long it continued.
2. Type and Nature of Personal Data Affected
Not all personal data carries the same risk. A breach involving health records, financial data, or biometric information will attract heavier penalties than a breach of less sensitive data. The DPDP Act does not create a formal "sensitive data" category like the GDPR, but the Board considers this in practice.
3. Repetitive Nature of the Breach
Repeat offenders face higher penalties. If your organisation has been penalised before and the same type of breach occurs again, the Board will treat this as an aggravating factor. This is also connected to the blocking order provision — more on that below.
4. Whether the Person Made a Gain or Avoided a Loss
If the breach was profitable — for example, selling data without consent or avoiding the cost of proper security measures — the Board factors this in. The penalty should not be less than the gain, otherwise non-compliance becomes a rational economic choice.
5. Mitigation Actions Taken
Organisations that act quickly to contain a breach, notify affected individuals, and remediate the root cause can expect this to work in their favour. The Board is directed to consider whether you took action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of that action, not just what caused the breach.
This factor creates a direct incentive for having an incident response plan. Organisations that can demonstrate rapid containment, transparent notification, and systematic remediation are in a materially better position before the Board.
6. Whether the Penalty Is Proportionate and Effective
The Board must consider whether the amount it is about to impose is proportionate and effective for achieving compliance and deterring further breaches of the Act. This cuts both ways: a penalty too small to change behaviour fails the test, and so does one out of proportion to the breach.
7. Likely Impact of the Penalty on the Person
The Board must also consider the likely effect of the penalty on the organisation or individual being penalised. In practice this is where size and financial capacity enter the calculation: the same amount that is a rounding error for a large platform could end a small business, and the Board is expected to weigh that.
Note that there is no open-ended "any other factor" clause in Section 33(2); matters such as cooperation during the inquiry or the number of individuals affected are relevant only insofar as they bear on the seven listed factors, most naturally the gravity of the breach and the mitigation taken.
Beyond Fines: Blocking Orders
Financial penalties are significant, but the Act contains a more severe consequence for persistent violators.
Under Section 37, if the Data Protection Board has imposed monetary penalties on a Data Fiduciary in two or more instances, it may refer the matter to the Central Government and advise that, in the interests of the general public, access to any computer resource that enables the Data Fiduciary to carry on its business (its platform, website, or mobile app) be blocked in India. The Central Government decides after giving the Data Fiduciary an opportunity to be heard, for reasons recorded in writing.
A blocking order is an existential threat for any digital business operating in India. Two penalty orders, not necessarily for the same type of breach, are enough to open the door to a blocking reference.
This is not a theoretical provision. The mechanism closely mirrors Section 69A of the IT Act 2000, an order directing a government agency or an intermediary to block access, which has been actively used for content and platform restrictions. The DPDP Act brings that kind of power to bear on data protection non-compliance.
How the Board Works
The Data Protection Board of India is not a traditional court. Key characteristics:
- Digital by design: Section 28 requires the Board, as far as practicable, to function as a digital office, with complaints received and hearings and orders handled online. Physical hearings are the exception, not the default.
- Civil court powers: The Board can summon individuals, require document production, and examine witnesses. Its orders are legally binding.
- No criminal penalties: The DPDP Act operates entirely through civil penalties. There is no imprisonment provision for data protection violations (unlike the earlier 2019 draft).
- Appeals go to TDSAT: The Act designates the Telecom Disputes Settlement and Appellate Tribunal as the Appellate Tribunal. An appeal against a Board order must be filed within sixty days of receiving it (Section 29), and a further appeal lies to the Supreme Court.
Board Decisions Are Public
The Board's orders become a matter of public record. This means a penalty is not just a financial cost — it is a publicly visible finding that your organisation failed to protect personal data. For B2B companies, enterprises, and regulated entities, the reputational impact can exceed the financial penalty.
What Triggers an Investigation
The Board does not proactively audit organisations; its functions under Section 27 are reactive. Inquiries are triggered by:
- A complaint from a Data Principal — An individual whose data was mishandled files a complaint with the Board after failing to get resolution through the organisation's grievance mechanism.
- A breach notification — When you report a breach to the Board under Section 8(6), the Board may investigate whether the breach resulted from a compliance failure.
- A reference from the Central Government — The government can direct the Board to investigate specific matters.
This means the organisations most at risk are those that (a) suffer a breach and report it, only for the Board to find systemic failures, or (b) ignore Data Principal complaints until they escalate to the Board.
Practical Implications
Security Investment Is the Highest-ROI Compliance Spend
The penalty for inadequate security safeguards (₹250 crore) is the highest in the Act. This is not an accident — the legislature deliberately placed the heaviest penalty on the obligation that prevents the most harm. Organisations should allocate compliance budgets accordingly.
Breach Response Plans Pay for Themselves
Factor 5 (mitigation actions) directly rewards preparedness. Having a documented, tested incident response plan — including Board notification templates, Data Principal communication templates, and containment procedures — is both a legal advantage and a practical one.
The ₹50 Crore Catch-All Is Broader Than It Looks
The "breach of any other provision" penalty at ₹50 crore covers everything from invalid consent mechanisms to failure to honour data deletion requests to non-compliance with the Rules. This is the penalty most organisations will face first, because it covers the widest range of operational failures.
Multiple Penalties Stack
A single incident can trigger penalties under multiple categories. A children's data breach (₹200 crore) that also involved inadequate security (₹250 crore) and delayed notification (₹200 crore) creates a theoretical exposure of ₹650 crore. While the Board has discretion to be proportionate, the legal exposure is real.
The Timeline
Penalty provisions are being phased in alongside the rest of the Act. The DPDP Rules, 2025 were notified in November 2025 with most substantive obligations taking effect eighteen months later, so full enforcement, including the Board's power to impose all penalties in the Schedule, is expected by May 2027.
Organisations that begin compliance work now have roughly 12 months to close gaps before the Board gains full enforcement powers. Those that wait will be building compliance infrastructure under the pressure of live enforcement.
For a section-by-section breakdown of every obligation, see our DPDP Act 2023 — Complete Guide in Plain English.