Free — No signup required

DPDP Penalty Calculator for Indian Businesses

Calculate your organisation's maximum penalty exposure under the DPDP Act 2023. See which penalty categories apply, how they stack, and what a single incident could cost.

Takes about 2 minutes

Not sure if DPDP applies to you? Check first

What You'll Learn

Maximum Exposure Amount

Your total penalty exposure in crore, calculated from the DPDP Act Schedule based on your specific gaps.

Which Categories Apply

Which of the 5 penalty categories your organisation triggers — from security safeguards to children's data.

Blocking Order Risk

Whether your profile puts you at risk of having your platform blocked across India under Section 36.

How It Works

Answer 8 Questions

Quick questions about your data processing, security measures, and compliance status. Each maps to a specific DPDP section.

See Your Exposure

Your maximum penalty exposure calculated instantly — broken down by category with Act section references.

Understand Your Risk

See how penalties stack from a single incident, whether blocking orders apply, and what to prioritise.

Key Facts About DPDP Penalties

From the DPDP Act 2023 Schedule and Section 33

₹250 crore

Maximum penalty for a single violation — failure to implement reasonable security safeguards under Section 8(5).

₹850 crore

Maximum combined exposure if all 5 penalty categories are triggered simultaneously from one incident.

2x

The Central Government can double any penalty amount through gazette notification under Section 33(2). Not yet exercised.

Section 36

After two or more penalty orders, the Board can recommend blocking your website or app across India.

Frequently Asked Questions

What is the maximum penalty under the DPDP Act?

The highest single-category penalty is ₹250 crore for failure to implement reasonable security safeguards (Section 8(5)). However, penalties stack across categories — a single data breach can trigger multiple penalty categories simultaneously, with total theoretical exposure exceeding ₹850 crore.

Can multiple DPDP penalties apply to one incident?

Yes. A single data breach can trigger penalties under multiple categories simultaneously. For example, a breach caused by inadequate security (₹250 crore) where notification was not provided (₹200 crore) creates a combined maximum exposure of ₹450 crore from one incident.

Can DPDP penalties be increased beyond the scheduled amounts?

Yes. Section 33(2) of the Act gives the Central Government the power to increase any penalty by up to 2x through notification in the Official Gazette. This power has not been exercised as of June 2026, but it means the true maximum for a security safeguard failure could reach ₹500 crore.

What is a blocking order under the DPDP Act?

Under Section 36, if the Data Protection Board has penalised an organisation two or more times, it can recommend that the Central Government block public access to their platform, website, or mobile app in India. This uses the existing IT Act Section 69A infrastructure.

How does the Data Protection Board decide the penalty amount?

Section 33(1) requires the Board to consider seven factors: the nature and gravity of the breach, type of data affected, whether the breach is repetitive, whether the organisation gained financially, mitigation actions taken, proportionality to available technology, and any other relevant factor.

When do DPDP penalties come into force?

Full enforcement of the DPDP Act, including the Board's power to impose all penalties in the Schedule, is expected by May 2027. Organisations that begin compliance work now have roughly 12 months to close gaps before enforcement begins.

Already Know Your Risk?

Check how ready your organisation is with our free DPDP Readiness Assessment — 15 questions, instant compliance score and remediation roadmap.