Understanding Penalties Under India’s DPDP Act, 2023: What Businesses Need to Know

The DPDP Act 

For years, organisations in India have treated data privacy primarily as a cybersecurity or IT concern. That approach is no longer sufficient. With the Digital Personal Data Protection Act, 2023, India now has its first comprehensive law governing how personal data is collected, stored, and used. Data protection has, as a result, moved beyond IT into the realm of legal compliance, governance, and financial risk. Grounded in the Supreme Court’s recognition of privacy as a fundamental right, the Act sets out obligations for “Data Fiduciaries” (entities that decide how and why personal data is processed), while giving “Data Principals” (the individuals concerned) a set of enforceable rights. 

Crucially, the Act does not impose automatic penalties. Instead, the Data Protection Board of India (DPBI) assesses each case individually and determines a proportionate penalty based on the nature and severity of the violation. With penalty caps reaching hundreds of crores of rupees, the framework is designed to drive privacy-by-design and stronger compliance rather than merely punish organisations. 

As of mid-2026, the DPDP Rules, 2025 have been notified and the Board has been constituted, with its full enforcement framework being implemented in phases through May 2027. Until then, the existing Information Technology Act framework continues to operate alongside the DPDP Act.  

This article examines the Act’s penalty framework, the legal provisions governing it, the prescribed penalty tiers, and the practical measures organisations can adopt to minimise regulatory risk.  

The Legal Framework Behind the Penalties 

The penalty mechanism sits in Section 33 of the DPDP Act, read together with the Schedule attached to it. Section 33 authorises the Data Protection Board of India to impose a monetary penalty once it concludes, after an inquiry, that a violation is “significant”, but only after giving the concerned organisation a reasonable opportunity to present its case. This reflects a basic principle of natural justice: penalties aren’t automatic on a complaint or breach but follow the Board examining the facts and hearing both sides. 

The Schedule supplements Section 33 by prescribing the maximum penalty for each category of violation. Section 33(4) clarifies that paying a penalty doesn’t shield an organisation from other consequences; criminal proceedings, civil suits, or sectoral regulatory action can proceed independently. Board orders can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), with a further appeal to the Supreme Court on questions of law.  

How the Board Determines the Final Penalty 

Many people assume that every violation automatically attracts the maximum amount listed in the Schedule. That isn’t how the Act works. The DPBI, the body responsible for deciding these cases, has considerable discretion. It can act on a complaint from an individual, or on its own, without waiting for one. The amounts in the Schedule are upper limits, not fixed penalties the Board must impose, and it may enhance or reduce a penalty up to twice the amount it initially considers appropriate. 

In arriving at the actual number, the Board weighs several statutory factors: 

  • the nature, gravity, and duration of the breach; 
  • the type and sensitivity of the personal data involved; 
  • whether the violation is repeated; 
  • whether the organisation gained a benefit or avoided a loss because of the breach; 
  • the timeliness and effectiveness of steps taken to contain the incident and mitigate harm; and 
  • whether the resulting penalty is proportionate to the violation while still serving as an effective deterrent. 

This cuts both ways. An organisation that discloses a lapse voluntarily, fixes the root cause quickly, and cooperates with the inquiry can expect the Board to lean toward the lower end, or even below its initial figure. Concealment, deliberate misuse, or repeat violations push in the opposite direction, potentially triggering the Board’s power to enhance the penalty beyond what it first considered.  

Understanding the Penalty Tiers 

The Schedule classifies violations into six categories, ranked broadly by how serious their potential impact on Data Principals can be. The heavier categories deal with systemic security and disclosure failures; the lighter ones deal with individual conduct.  

Category  Maximum Penalty  What It Covers 
Failure to implement reasonable security safeguards  ₹250 crore  Inadequate technical/organisational measures that lead to a personal data breach — the highest cap under the Act, reflecting the emphasis on prevention over after-the-fact remediation 
Failure to report a personal data breach  ₹200 crore  Delayed or concealed notification to the Board and affected individuals, undermining their ability to take protective steps 
Non-compliance with children’s data obligations  ₹200 crore  Unlawful processing or prohibited practices (e.g., behavioural advertising) involving minors, who require heightened protection 
Non-compliance by Significant Data Fiduciaries (SDFs)  ₹150 crore  Failure to meet enhanced obligations like audits, DPIAs, and risk governance 
Breach of duties by Data Principals  ₹10,000  Individual misconduct, such as knowingly furnishing false information or filing frivolous complaints 
Any other unlisted contravention  Up to ₹50 crore  Residual category for violations not separately addressed elsewhere in the Schedule 

 Because the Schedule treats each obligation separately rather than imposing one combined cap, a single incident that touches more than one category, say, poor security safeguards and a delayed breach report, can trigger separate assessments under each head. For organisations with genuinely systemic failures, this stacking effect is often what turns a large but survivable fine into an existential one.  

Illustrative Scenarios 

  • Weak security, major breach: A ride-hailing app stores driver and rider ID documents on an unsecured server, and a breach exposes millions of records. With no encryption or access controls in place, the company faces exposure under the highest security-safeguards tier. 
  • Delayed disclosure: A social networking platform detects unauthorised access to user accounts but waits several weeks before notifying anyone. Even though the breach itself may not have been preventable, that delay alone can attract significant regulatory action. 
  • Children’s data misuse: A gaming app popular with school-age users profiles player behaviour to serve targeted in-app ads, without verifying parental consent. This falls squarely under the children’s-data tier, regardless of whether any breach occurs. 
  • SDF governance failure: A large e-commerce platform designated as a Significant Data Fiduciary skips its mandatory annual data protection impact assessment for two years running. When flagged during a routine review, it faces penalties for failing its enhanced governance obligations. 

What Do These Penalties Mean for Businesses? 

The financial exposure under the DPDP Act is substantial, but the stakes go well beyond the headline figures. A regulatory finding can damage customer confidence, attract adverse media attention, and increase scrutiny from investors and business partners.  

For listed companies or those operating globally, privacy failures may also affect contractual relationships, valuations, and future business opportunities, not just the balance sheet. This gives leadership teams a direct incentive to treat data protection as board-level governance rather than an IT function.  

Startups are no exception: even though early-stage companies may process smaller volumes of data, investors, enterprise customers, and international partners increasingly expect mature privacy governance as a baseline.  Even the Schedule’s “residual” tier carries a cap of ₹50 crore. That’s manageable for a large corporation. For a startup, it could threaten the business itself. Smaller companies can’t assume they’re safe just because their obligations don’t fall under a higher-profile category like security failures or breach notification. 

For individuals, the Board offers a real way to seek redress, since it can act directly on complaints. For policymakers, the size of these penalties also sends a signal: it tells global investors that India’s data protection regime is broadly on par with established frameworks like the EU’s GDPR. 

Data protection has, in effect, evolved from a purely legal obligation into a core element of corporate governance and risk management.  

How Can Companies Avoid Such Penalties? 

  • Put basic security in place: encryption, access controls, login checks, and ongoing monitoring. This is the first thing the Board looks at when deciding whether your safeguards were “reasonable.” 
  • Write clear data protection policies, and train employees regularly so the policies are actually followed, not just filed away. 
  • Build and test a plan for handling incidents: how to spot a breach quickly, contain it, investigate it, and report it on time. Reporting late is a separate penalty on its own. 
  • Check that any third-party vendors you share data with (cloud providers, payment processors, and so on) follow similar security and privacy standards, since you can be held responsible for their mistakes too. 
  • Keep records of your compliance work: risk assessments, security measures, and policy updates. These records help your case if the Board is ever weighing how seriously to penalise you. 
  • Run internal audits regularly to catch gaps yourself before a regulator does.  
  • If your organisation is likely to be classified as a Significant Data Fiduciary, start preparing for the extra audits and governance requirements early, rather than scrambling after the fact. 
  • Review your insurance coverage and vendor contracts with the DPDP Act in mind, and make sure leadership and investors are aware of the potential financial exposure. 

Summing up 

The DPDP Act reflects a broader shift already underway across most data-driven economies: privacy is no longer just a legal formality, but a measure of how much organisations, customers, and investors can trust each other. The penalty framework is built around this idea, rewarding good faith conduct with discretion, while still holding real financial consequences for those who fall short. For organisations that haven’t yet treated this as a priority, the sooner they start, the less it will cost them later, in both compliance effort and regulatory risk. 

0

Need Help?

We're Here To Assist You

Need more information?

Feel free to contact us, and we will be more than happy to answer all of your questions.