
DPDP Act Penalties Explained: Every Fine, Trigger, and How to Avoid Them

Complete breakdown of DPDP Act penalty amounts up to Rs 250 Crore, breach notification timelines, what triggers each fine, and how they compare to GDPR.

ZenoComply Team

The Digital Personal Data Protection Act, 2023 (DPDP Act) carries penalties of up to Rs 250 Crore (approximately USD 30 million) per violation. Unlike many global privacy laws, the DPDP Act does not tie fines to revenue percentages. It uses fixed ceiling amounts, and the Data Protection Board of India (DPBI) has broad discretion in determining the exact fine within each bracket.

This guide breaks down every penalty category, what triggers each one, the breach notification timelines you must follow, and how DPDP fines compare to GDPR.

Quick Reference: DPDP Act Penalty Table

| Violation | Maximum penalty | Provision breached |
| --- | --- | --- |
| Failure to take reasonable security safeguards to prevent a personal data breach | Rs 250 Crore (~USD 30M) | Section 8(5); Schedule |
| Failure to notify the DPBI and affected Data Principals of a personal data breach | Rs 200 Crore (~USD 24M) | Section 8(6); Schedule |
| Non-compliance with the additional obligations regarding children’s data (under 18) | Rs 200 Crore (~USD 24M) | Section 9; Schedule |
| Non-compliance with the additional obligations of Significant Data Fiduciaries (SDF) | Rs 150 Crore (~USD 18M) | Section 10; Schedule |
| Breach of any other provision of the Act or Rules, including failure to honor Data Principal rights (Sections 11 to 14), consent, notice and retention obligations | Rs 50 Crore (~USD 6M) | Schedule (residual entry) |
| Breach of duties by a Data Principal (false or frivolous complaint, suppressing material information, impersonation) | Rs 10,000 | Section 15; Schedule |

Note that the Schedule has only these six entries. There is no dedicated bracket for Data Principal rights: a failure to honor an access, correction, erasure, grievance or nomination request falls under the residual Rs 50 Crore entry, not the Rs 200 Crore one.

Key point: These are maximums per instance. Multiple violations across different categories can stack. A single data breach event could theoretically trigger the Rs 250 Crore penalty for inadequate security plus the Rs 200 Crore penalty for failure to notify — a combined exposure of Rs 450 Crore.

What Triggers Each Penalty

Understanding the specific triggers is critical. Many businesses assume penalties only apply to data breaches. In reality, the DPDP Act penalizes a much wider range of failures.

1. Inadequate Security Safeguards — Up to Rs 250 Crore

Trigger: Failure to implement “reasonable security safeguards” to prevent personal data breaches.

This is the highest penalty in the Act and it applies even if no breach actually occurs. The DPBI can penalize you if your security measures are found to be inadequate upon investigation.

What counts as “reasonable security safeguards”:

  • Encryption of personal data at rest and in transit
  • Access controls limiting who can view or modify personal data
  • Regular security audits and vulnerability assessments
  • Incident response procedures documented and tested
  • Employee training on data handling
  • Secure software development practices
  • Data minimization (not collecting more than needed)

Common mistakes that trigger this:

  • Storing passwords in plain text
  • Using outdated encryption algorithms
  • No access logging or audit trail
  • Shared admin credentials across teams
  • No documented security policy
  • Failing to patch known vulnerabilities
  • Storing personal data on unencrypted devices

2. Failure to Notify Data Breach — Up to Rs 200 Crore

Trigger: Not notifying the DPBI and affected Data Principals about a personal data breach.

The DPDP Act requires notification of every personal data breach. There is no materiality threshold — unlike GDPR, which only requires notification for breaches likely to result in a risk to individuals. Under the DPDP Act, all breaches must be reported.

Who must be notified:

  1. Data Protection Board of India (DPBI): An initial intimation without delay on becoming aware of the breach, followed by detailed information within the period the Rules prescribe (72 hours under the Draft Rules, extendable by the Board on request)
  2. Affected Data Principals: Each individual whose data was compromised
  3. CERT-In: Under the existing CERT-In Directions of 2022, cyber incidents must be reported within 6 hours

This creates a dual notification requirement:

| Authority / party | Timeline | Requirement |
| --- | --- | --- |
| CERT-In | 6 hours from noticing the incident or being brought to notice | All cyber security incidents listed in the CERT-In Directions 2022 (existing law) |
| DPBI | Initial intimation without delay; detailed information within 72 hours (per the Draft Rules, extendable by the Board) | All personal data breaches |
| Data Principals | Without delay | Each affected individual |

Common mistakes that trigger this:

  • Assuming small breaches don’t need reporting
  • Delaying notification while conducting internal investigation
  • Notifying DPBI but forgetting Data Principals
  • Not having a breach detection system (you can’t notify what you don’t detect)
  • Ignoring the 6-hour CERT-In requirement

3. Children’s Data Violations — Up to Rs 200 Crore

Trigger: Processing personal data of children (under 18 in India) without following the Act’s requirements.

The DPDP Act defines a child as anyone under 18 years of age, higher than GDPR’s default of 16 (which member states may lower to 13). This has significant implications.

Requirements for children’s data:

  • Obtain verifiable consent from the parent or lawful guardian before processing
  • Do not undertake tracking or behavioral monitoring of children
  • Do not target advertising at children
  • Do not process data in any manner that is likely to cause harm to a child
  • The government may exempt certain classes of Data Fiduciaries or data processing from these requirements (e.g., healthcare or education)

Common mistakes that trigger this:

  • Not implementing age verification mechanisms
  • Collecting children’s data with the same consent flow as adults
  • Running behavioral advertising on platforms used by minors
  • Not having a separate privacy notice for children’s data
  • Assuming “we don’t target children” is sufficient (if children use your platform, you must comply)

4. Failure to Honor Data Principal Rights — Up to Rs 50 Crore

Trigger: Not responding to or fulfilling Data Principal rights requests (Sections 11 to 14) within the prescribed timeframe. The Schedule has no dedicated entry for rights failures, so they are penalized under the residual “any other provision” bracket: up to Rs 50 Crore per instance. The exposure is lower than for security or notification failures, but rights requests are also the most frequent trigger, because every Data Principal can raise one.

Under the DPDP Act, every Data Principal has the right to:

  1. Access — Summary of personal data being processed and processing activities
  2. Correction and Erasure — Request correction of inaccurate data or erasure of data no longer needed
  3. Grievance Redressal — Response from a designated grievance officer
  4. Nomination — Nominate another person to exercise rights in case of death or incapacity

Response timelines:

  • The Rules prescribe the period within which rights requests and grievances must be answered; you must publish your own response timelines and meet them
  • A designated contact must be published: the Data Protection Officer for Significant Data Fiduciaries, otherwise a person able to answer questions on the fiduciary’s behalf

Common mistakes that trigger this:

  • Having no process to receive or track rights requests
  • Ignoring or significantly delaying responses
  • Making the process so difficult that it’s effectively impossible
  • Not publishing contact details for your Data Protection Officer or grievance officer
  • Denying requests without valid legal basis

5. Significant Data Fiduciary (SDF) Non-Compliance — Up to Rs 150 Crore

Trigger: Being designated as a Significant Data Fiduciary and failing to meet additional obligations.

The government will designate certain organizations as SDFs based on volume and sensitivity of data processed, risk to Data Principals, and other factors. SDFs have extra obligations:

  • Appoint a Data Protection Officer (DPO) based in India
  • Appoint an independent data auditor
  • Conduct Data Protection Impact Assessments (DPIA) for specified processing activities
  • Conduct periodic audits of data processing practices
  • Comply with any additional measures prescribed by the government

Common mistakes that trigger this:

  • Assuming SDF status won’t apply to your organization
  • Appointing a DPO who is not based in India
  • Conducting DPIAs only once, not periodically
  • Not acting on findings from data audits

6. Catch-All Provision — Up to Rs 50 Crore

Trigger: Any other violation of the Act or Rules not covered by a specific penalty.

This catches:

  • Processing data without valid consent or lawful purpose
  • Not providing a clear, accessible privacy notice
  • Not honoring consent withdrawal requests
  • Cross-border data transfer violations
  • Failure to delete data after purpose fulfillment or consent withdrawal
  • Retaining data beyond the necessary period
  • Not maintaining records of consent

7. Data Principal Violations — Up to Rs 10,000

Trigger: Data Principals (individuals) who file false or frivolous complaints or suppress material information.

This provision is unusual among global data protection laws and is designed to prevent misuse of the complaint mechanism.

Breach Notification Timeline: The Complete Picture

Understanding the full notification timeline is critical because India has overlapping requirements from different regulations.

Step-by-Step Breach Response Timeline

Hour 0: Data breach detected or you become aware of it.

Within 6 hours — CERT-In Notification: Under the CERT-In Directions (April 2022), you must report cyber security incidents to CERT-In within 6 hours. This applies to:

  • Unauthorized access to IT systems
  • Data breaches or data leaks
  • Attacks on servers, databases, and applications
  • Any compromise of computer systems

Within 72 hours — DPBI Notification (Expected): The Draft Rules split the Board notification in two. On becoming aware of the breach you give the Board an initial intimation without delay, and within 72 hours (or a longer period the Board allows on request) you follow up with detailed information. The detailed report must include:

  • Nature, extent, timing and location of the breach
  • Categories of personal data affected and the approximate number of Data Principals affected
  • Likely impact and consequences
  • Measures taken or proposed to mitigate the breach, and remedial measures to prevent recurrence
  • Findings, if any, on who caused the breach
  • A report of the intimations given to affected Data Principals

Without delay — Data Principal Notification: Each affected individual must be notified. The notification should include:

  • Description of the breach in plain language (nature, extent, timing and location)
  • Likely consequences for that individual
  • Measures you have taken or are taking to mitigate the risk
  • Steps they can take to protect themselves
  • Contact details of your Data Protection Officer or the person designated to answer questions
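The overlapping clocks above are easy to lose track of in the first hours of an incident, so here is a small breach-register helper, added as an example rather than taken from the page or from ZenoComply: it computes each notice’s deadline from the time the breach was noticed, reports which notices are due, overdue or went out late, and checks a draft Board report for the fields listed above. The lane names, the register layout and the report field names are this example’s own assumptions; the 6-hour and 72-hour figures are the page’s, and the sample incident is constructed.

```python
"""Breach-notification deadline tracker (added example; not the page's code).

Timelines assumed from the page: CERT-In within 6 hours of noticing the
incident, an initial intimation to the DPBI without delay, the detailed DPBI
report within 72 hours, and affected Data Principals informed without delay.
Lane names, the register layout and report field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Outer time limit in hours after the breach was noticed. None = "without
# delay": due immediately, with no fixed clock that can run out.
DEADLINE_HOURS = {
    "cert_in": 6,             # CERT-In Directions, April 2022
    "dpbi_initial": None,     # initial intimation to the Board
    "dpbi_detailed": 72,      # detailed report to the Board (extendable on request)
    "data_principals": None,  # each affected Data Principal
}

# Contents the detailed Board report should carry (field names are assumed).
DPBI_REPORT_FIELDS = (
    "nature_extent_timing_location",
    "data_categories",
    "principals_affected",
    "likely_impact",
    "measures_taken",
    "remedial_measures",
    "principal_intimations",
)


@dataclass
class BreachRecord:
    """One breach-register entry: when we noticed it and what has gone out."""
    detected_at: datetime                        # must be timezone-aware
    sent_at: dict = field(default_factory=dict)  # lane -> datetime the notice was sent

    def __post_init__(self):
        if self.detected_at.tzinfo is None:
            raise ValueError("detected_at must be timezone-aware")

    def deadline(self, lane):
        hours = DEADLINE_HOURS[lane]
        return None if hours is None else self.detected_at + timedelta(hours=hours)

    def status(self, now):
        """Map every lane to 'sent', 'sent_late', 'due' or 'overdue' as of now."""
        result = {}
        for lane in DEADLINE_HOURS:
            deadline, sent = self.deadline(lane), self.sent_at.get(lane)
            if sent is not None:
                late = deadline is not None and sent > deadline
                result[lane] = "sent_late" if late else "sent"
            elif deadline is not None and now > deadline:
                result[lane] = "overdue"
            else:
                result[lane] = "due"
        return result

    def hours_left(self, lane, now):
        """Hours until the lane's deadline (negative once passed); None if no clock."""
        deadline = self.deadline(lane)
        return None if deadline is None else (deadline - now).total_seconds() / 3600


def missing_report_fields(report):
    """Required DPBI report fields that are absent or empty (0 counts as present)."""
    return [f for f in DPBI_REPORT_FIELDS if report.get(f) in (None, "", [])]


def demo():
    """Worked scenario on constructed data; returns the computed results."""
    ist = timezone(timedelta(hours=5, minutes=30))
    rec = BreachRecord(detected_at=datetime(2025, 3, 1, 9, 0, tzinfo=ist))
    rec.sent_at["cert_in"] = datetime(2025, 3, 1, 13, 45, tzinfo=ist)   # inside 6 h
    rec.sent_at["dpbi_initial"] = datetime(2025, 3, 1, 14, 0, tzinfo=ist)

    day3 = datetime(2025, 3, 3, 18, 0, tzinfo=ist)   # 57 h after detection
    day4 = datetime(2025, 3, 4, 10, 0, tzinfo=ist)   # 73 h after detection
    before_72h = rec.status(day3)
    after_72h = rec.status(day4)                     # detailed report now overdue
    rec.sent_at["dpbi_detailed"] = day4              # sent one hour late
    late = rec.status(day4)["dpbi_detailed"]

    # Constructed draft report: two mandatory sections still missing.
    draft = {"nature_extent_timing_location": "credential stuffing on customer portal",
             "data_categories": ["email", "phone"], "principals_affected": 0}
    return {
        "before_72h": before_72h,
        "after_72h": after_72h,
        "hours_left_day3": rec.hours_left("dpbi_detailed", day3),
        "late": late,
        "missing": missing_report_fields(draft),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points: the "without delay" lanes never become "overdue" because the Rules give them no fixed clock, so the register keeps them at "due" until a send time is recorded, which is the state an incident commander should see on every dashboard; and a late send is kept as a distinct "sent_late" state rather than collapsed into "sent", because the delay itself is what the Board will ask about.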

Breach Notification Comparison: India vs. Global Standards

| Aspect | India (DPDP + CERT-In) | GDPR (EU) | California (Civ. Code 1798.82 / CCPA) |
| --- | --- | --- | --- |
| Notification to authority | 6 hours (CERT-In), plus initial intimation without delay and detailed report within 72 hours (DPBI) | 72 hours to the supervisory authority | Attorney General only when more than 500 California residents are affected |
| Notification to individuals | Required for all breaches | Only if high risk to individuals | Required if the data was unencrypted |
| Materiality threshold | None, all breaches | Risk-based assessment | Based on data type and encryption status |
| Timeline to individuals | Without delay | Without undue delay | “Most expedient time possible” |
| Record-keeping | Required | Required (Art. 33(5)) | Not explicitly required |

How DPDP Fines Compare to GDPR

Many businesses operating in both India and the EU want to understand how DPDP penalties stack up against GDPR. Here is a direct comparison.

Penalty Structure Comparison

| Factor | DPDP Act (India) | GDPR (EU) |
| --- | --- | --- |
| Maximum fine | Rs 250 Crore (~USD 30M) | EUR 20M or 4% of global annual turnover (whichever is higher) |
| Calculation method | Fixed ceiling amounts | Revenue-based (percentage of global annual turnover) with a fixed floor |
| Minimum fine | No statutory minimum | No statutory minimum |
| Criminal penalties | None | Varies by member state |
| Per-instance or aggregate | Per instance (can stack) | Per violation |
| Revenue-based scaling | No | Yes (4% of global annual turnover) |

What This Means in Practice

For large enterprises: GDPR fines can be significantly higher. Meta’s EUR 1.2 billion fine (2023) and Amazon’s EUR 746 million fine (2021) far exceed the DPDP Act’s maximum. For a company with USD 50 billion in revenue, GDPR’s 4% threshold means potential fines of USD 2 billion — while DPDP caps at approximately USD 30 million.

For small and mid-sized businesses: DPDP ceilings do not scale down with size. A startup with Rs 10 Crore in annual revenue is, on paper, exposed to a Rs 250 Crore penalty, 25 times its revenue, although the DPBI must weigh the likely impact of the penalty on the entity when setting the amount. GDPR is not purely revenue-based at the low end either: the cap is the higher of EUR 20 million or 4% of turnover, so the same startup would face up to EUR 20 million (roughly Rs 180 to 200 Crore), not 4% of its revenue. Either way the theoretical maximum dwarfs the company.

For all businesses: DPDP penalties can stack across categories. A single incident could trigger penalties for inadequate security (Rs 250 Cr), failure to notify (Rs 200 Cr), and failure to honor the rights requests that follow (Rs 50 Cr, under the residual bracket).

Key Differences in Enforcement Approach

| Aspect | DPDP Act | GDPR |
| --- | --- | --- |
| Enforcement body | Data Protection Board of India (DPBI) | National DPAs (one per EU member state) |
| Appeals process | Appellate Tribunal (TDSAT), then the Supreme Court | National courts |
| Right to compensation | Not explicitly provided in the Act | Individuals can claim compensation |
| Class action equivalent | Not provided | Available in some member states |
| Regulatory guidance | Expected from DPBI | Extensive guidance from EDPB and national DPAs |
| Track record | New (no precedent yet) | Mature (billions in cumulative fines issued since 2018) |

Factors the DPBI Will Consider When Deciding Penalties

The DPDP Act gives the DPBI discretion to determine the penalty amount within each bracket, and Section 33(2) of the Act itself lists what the Board must consider:

  1. Nature, gravity, and duration of the violation — A one-time minor oversight versus a systematic, ongoing pattern of non-compliance
  2. Type and nature of personal data affected — Financial data or health data carries more weight than email addresses
  3. Repetitive nature of the breach — Repeat offenders face harsher penalties
  4. Whether the entity realised a gain or avoided a loss — If non-compliance generated revenue or saved cost, expect higher penalties
  5. Action taken to mitigate the effects and consequences, and how timely and effective it was — Quick response and remediation work in your favor
  6. Whether the penalty is proportionate and effective as a deterrent
  7. Likely impact of the penalty on the entity — The DPBI may consider ability to pay

Intent (deliberate disregard versus an honest mistake) and cooperation with the Board’s inquiry are not listed in Section 33(2), but both are likely to inform how the Board assesses gravity and mitigation.

How to Minimize Your Penalty Risk

Compliance is the only reliable way to avoid penalties. Here is a practical roadmap.

Priority 1: Security (Addresses Rs 250 Crore Risk)

  • Encrypt all personal data at rest and in transit
  • Implement role-based access controls
  • Deploy intrusion detection and monitoring
  • Conduct quarterly vulnerability assessments
  • Document your security policies and procedures
  • Train employees on data security annually

Priority 2: Breach Notification (Addresses Rs 200 Crore Risk)

  • Set up automated breach detection monitoring
  • Create a breach response plan with clear roles and timelines
  • Pre-draft notification templates for CERT-In, DPBI, and Data Principals
  • Conduct tabletop breach response exercises quarterly
  • Maintain a breach register

Priority 3: Consent Management (Addresses Rs 50 Crore Risk)

  • Implement a compliant consent management platform
  • Ensure consent is freely given, specific, informed, and unambiguous
  • Make consent withdrawal as easy as giving consent
  • Maintain timestamped records of all consent
  • Review existing consent records for DPDP compliance

Priority 4: Data Principal Rights (Addresses Rs 50 Crore Risk)

  • Build or deploy a Data Subject Access Request (DSAR) handling system
  • Publish your Data Protection Officer’s contact details prominently
  • Define internal SLAs for responding to rights requests
  • Train customer-facing teams on how to route rights requests

Priority 5: Children’s Data (Addresses Rs 200 Crore Risk)

  • Implement age verification or age gating on your platforms
  • Build a separate parental consent workflow for users under 18
  • Disable behavioral tracking and targeted advertising for minors
  • Review your platform for any features that could harm children

Frequently Asked Questions

Can penalties be imposed before May 2027? The DPDP Act received Presidential assent in August 2023, but enforcement depends on the notification of effective dates for specific sections and the constitution of the DPBI. The expected full enforcement date is May 13, 2027.

Does the Rs 250 Crore cap apply per incident or overall? The penalty amounts are caps per category of violation. Multiple categories can be triggered by a single incident, effectively stacking the penalties.

Are there any exemptions for small businesses? Not automatically. Section 17(3) lets the Central Government notify classes of Data Fiduciaries, including startups, as exempt from specific provisions (notice, certain accuracy and retention duties, SDF obligations and the right of access), but no such notification can lift the security safeguard, breach notification or consent obligations. Unless your organization is covered by such a notification, every obligation applies regardless of size.

Can individuals sue companies for data breaches? The DPDP Act routes complaints through the DPBI rather than civil courts. The Act does not explicitly provide for individual compensation claims, though individuals can file complaints with the DPBI.

How does this apply to foreign companies? The DPDP Act applies to processing of digital personal data of individuals in India, even if the processing is done outside India, if it relates to offering goods or services to Data Principals in India.

Take Action Before Enforcement Begins

The enforcement deadline is approaching. The businesses that will be best positioned are those that start compliance now, not those that wait for the first penalty to be issued.

The first step is understanding your current exposure. A website compliance scan can identify gaps in your consent management, privacy notices, cookie handling, and data collection practices.
