Last Updated on April 2, 2026 by Narendra Sahoo
India’s data protection era has arrived. With the DPDP Rules 2025 notified on November 13, 2025, the Digital Personal Data Protection (DPDP) Act of 2023 is no longer theoretical — it is enforceable, operational, and backed by financial penalties of up to ₹250 crore per violation.
For businesses processing personal data of Indian residents — whether you are a bank, a fintech startup, an e-commerce platform, a hospital, or a SaaS company — non-compliance is no longer an option. The Data Protection Board of India (DPBI) is now fully operational and empowered to investigate, audit, and penalize.
Cybersecurity incidents in India more than doubled between 2022 and 2024, rising from 1.03 million to 2.27 million. The average data breach cost Indian businesses approximately ₹22 crore (IBM 2025). Add a potential DPDP penalty of up to ₹250 crore on top, and the business case for compliance has never been clearer. Organizations have an 18-month transition window — until May 13, 2027 — to achieve full compliance. That clock is running.
This article covers exactly what penalties apply, what triggers them, how the DPBI calculates fines, and — most importantly — how you can avoid them. If you are new to the DPDP Act, we recommend reading our guide on Understanding the Basics of the DPDP Act first.
1️⃣ Authority of the DPDP Board: Penalties and Adjudication
Under Section 33 of the DPDP Act, the Digital Personal Data Protection Board (DPDPB) holds the authority to impose penalties on Data Controllers or Significant Data Fiduciaries (SDFs) for significant breaches of the Act or its rules (Clause 33 (1), DPDP Act).
However, it’s important to note that before any penalty is imposed, the party in question is given an opportunity to present their case. This ensures a process that is both fair and just, allowing for all sides to be heard before a final decision is made.
2️⃣ The Complete DPDP Act Penalty Schedule (2026)
| Violation | Section of DPDP Act | Maximum Penalty |
|---|---|---|
| Failure to implement reasonable security safeguards to prevent a personal data breach | Section 8(5) read with Schedule | ₹250 Crore |
| Failure to notify the Data Protection Board of India (DPBI) and affected Data Principals of a personal data breach | Section 8(6) | ₹200 Crore |
| Breach of additional obligations in relation to children’s personal data (including processing without verifiable parental consent) | Section 9 | ₹200 Crore |
| Processing personal data without obtaining valid consent or outside of ‘Legitimate Uses’ categories | Section 6 | ₹200 Crore |
| Breach of obligations by a Significant Data Fiduciary (SDF) under Rule 13 (DPO, DPIA, independent audit, algorithmic due diligence) | Section 10 read with Rule 13 | ₹150 Crore per violation |
| Failure to honour a Data Principal’s rights (access, correction, erasure, nomination, grievance) within prescribed timelines | Sections 12–14 | ₹10,000 to ₹50 Crore depending on violation |
| Non-compliance with Data Protection Board orders, directions, or undertakings | Section 33(2) | ₹20 Crore |
| Breach of duty by a Data Principal (filing false complaints, impersonating another, false grievance) | Section 15 | ₹10,000 |
Important: These penalties are per violation — not per incident. An organization that violates multiple provisions simultaneously faces separate penalties for each violation. A single data breach could theoretically trigger the ₹250 crore penalty (inadequate security) AND the ₹200 crore penalty (failure to notify) simultaneously. Additionally, all penalty amounts are deposited to the Consolidated Fund of India — they are not offset against victim compensation.
3️⃣ Authority of the Data Protection Board of India (DPBI)
Under Section 33 of the DPDP Act, the Data Protection Board of India holds the authority to impose penalties on Data Fiduciaries, Data Processors, Consent Managers, and — in limited cases — Data Principals, for violations of the Act or its Rules.
The DPBI is now a fully digital, independently functioning statutory body headquartered in the National Capital Region. Before any penalty is imposed, the concerned party is given a full opportunity to present their case — ensuring due process and natural justice. Appeals against DPBI orders may be filed with the Appellate Tribunal (TDSAT) within 60 days.
What the DPBI Can Do:
- Investigate complaints filed by any Data Principal via the DPBI portal or mobile app
- Initiate suo motu (on its own motion) investigations — no complaint needed
- Summon and examine data fiduciaries and third parties
- Conduct audits and seek access to systems and documentation
- Issue compliance directions and corrective orders
- Impose financial penalties (as listed in the penalty schedule above)
- Publish details of violations publicly — creating reputational risk beyond the fine itself
4️⃣ How the DPBI Assesses Penalty Amounts
The penalty schedule sets the maximum amount — not a fixed fine. Under Section 33(1), the DPBI must consider the following factors before determining the actual penalty:
1. Nature, Gravity, and Duration of the Breach
A short-lived incident affecting 10 users is treated very differently from a systemic failure exposing millions of customer records over several months. Longer duration and greater severity will drive the penalty toward the maximum.
2. Type and Nature of Personal Data Affected
Breaches involving sensitive categories — financial data, health records, biometric data, children’s data — attract significantly higher penalties than breaches involving basic contact information. The DPBI is likely to treat health and financial data breaches with particular severity given India’s BFSI and healthcare sector scale.
3. Repetitive Nature of the Breach
A recurring violation signals a systemic governance failure rather than an isolated incident. Repeat violations — particularly where the DPBI has already issued directions — are likely to attract maximum penalties and could be treated as a separate ‘non-compliance with DPBI orders’ offense (₹20 crore additional).
4. Gain or Loss Avoided as a Result of the Breach
If a Data Fiduciary benefited commercially from the non-compliant processing — for example, by selling data without consent, or by avoiding the cost of building proper security safeguards — that financial benefit is considered. The DPBI ensures violations do not become profitable.
5. Mitigation Efforts
Swift, documented, and effective remediation actions can meaningfully reduce the penalty. Organizations that detect a breach, contain it quickly, notify affected parties proactively, and present a credible remediation plan to the DPBI will be viewed more favorably than those who minimize or delay response.
6. Proportionality and Effectiveness of the Penalty
The DPBI must ensure that the penalty is both proportionate (not punitive beyond what the violation warrants) and effective (sufficient to deter similar future violations). A penalty that is too small for a large corporation may not be an effective deterrent.
7. Likely Impact of the Penalty on the Data Fiduciary
The financial capacity and size of the Data Fiduciary are considered. A ₹50 crore penalty may be existential for a startup but a rounding error for a large conglomerate. The DPBI has discretion to calibrate accordingly.
5️⃣ 8 Overlooked Situations That Can Trigger DPDP Penalties
Most businesses focus on the obvious — data breaches and consent. But these 8 lesser-known scenarios are equally dangerous:
✅ Bundled Consent Forms
Bundling data consent with Terms & Conditions is explicitly invalid. Every single processing purpose requires its own separate, granular consent. Existing T&C-embedded consent must be restructured; failing to do so means you are processing without valid consent, which carries a penalty of up to ₹200 crore.
✅ Inadequate Vendor Contracts
The Data Fiduciary remains legally accountable even when a vendor or Data Processor causes the breach. If your cloud provider, KYC vendor, or analytics partner leaks data and you did not contractually mandate adequate security safeguards under Rule 6(f), you face the ₹250 crore penalty — not just the vendor.
✅ No Age Verification for Minor Users
If your platform is even potentially accessible to users under 18 and you have not implemented verifiable parental consent, you are already in breach. The DPBI does not require actual harm to impose this penalty.
✅ Incomplete or Delayed Data Erasure
Rule 8: You must erase data when the processing purpose is served. Failure includes keeping inactive user data indefinitely — common in e-commerce and SaaS. Additionally, under Rule 8(1), you must give 48 hours advance notice to the Data Principal before scheduled erasure.
✅ Ignoring Grievance Escalations
If a customer complaint is not addressed within 90 days (Rule 14), they can escalate to the DPBI. A pattern of unanswered grievances can trigger a DPBI investigation even without a breach.
✅ Misconfigured Cloud Storage
An S3 bucket left public, an unencrypted backup, an unsecured API endpoint — none of these require malicious intent to attract the ₹250 crore ‘inadequate security safeguard’ penalty. Negligence is sufficient.
✅ Cross-Border Data Transfer Violations
Transferring data to countries that the Central Government restricts (the ‘blacklist’ model) without adequate safeguards can attract penalties under both the data security and consent provisions simultaneously.
✅ SDF Non-Compliance After Designation
If your organization is designated a Significant Data Fiduciary and fails to appoint an India-resident DPO, conduct an annual DPIA, or engage an independent auditor — each failure is a ₹150 crore violation.
6️⃣ DPDP Penalties vs GDPR vs CCPA — How India Compares
For multinationals and Indian companies with global operations, understanding how DPDP penalties compare to other frameworks helps prioritize compliance investment:
| Criterion | DPDP Act India | GDPR (EU) | CCPA (California, USA) |
|---|---|---|---|
| Max Penalty | ₹250 Crore (~€27M) | €20M or 4% of global turnover | $7,500 per intentional violation |
| Penalty Model | Per violation | Per violation / percentage of turnover | Per consumer per violation |
| Criminal Sanctions | No — financial only | No — financial only | No — financial only |
| Enforcement Body | Data Protection Board of India | National supervisory authorities | California AG + CPPA |
| SDF/High-Risk Higher Fines | Yes — ₹150 Cr for SDF violations | Yes — Tier 1 vs Tier 2 penalties | No tiered structure |
| Breach Notification | ALL breaches — DPBI + Data Principal | High-risk breaches — SA within 72h | None if < 500 persons |
| Penalty Destination | Consolidated Fund of India | National / State funds | State funds / compensation |
7️⃣ Where Do Penalties Go?
All penalties imposed by the Data Protection Board under the DPDP Act are credited to the Consolidated Fund of India under Article 266(1) of the Constitution. This means fines do not go to individual complainants — they are state revenue.
Practical Note: Unlike some compensation-based frameworks, DPDP penalties are regulatory fines — not victim compensation. Data Principals who suffer harm must separately pursue civil remedies. However, the DPBI can also direct corrective actions such as deletion of unlawfully processed data, system changes, and public disclosure of violations — the reputational impact of which often exceeds the fine itself.
8️⃣ How to Reduce Your DPDP Penalty Risk — 6 Proven Steps
The DPBI has discretion to reduce penalties significantly for organizations that demonstrate genuine compliance efforts. Here is what matters:
✅ Conduct a DPDP Gap Assessment Now
A formal, documented gap assessment submitted to the DPBI demonstrates good-faith compliance effort. It also identifies your actual risk exposure before enforcement begins. Vista InfoSec offers a structured gap assessment mapped to all DPDP Rules 2025 obligations.
✅ Build a Data Inventory and Processing Record
Know exactly what personal data you hold, where it flows, who has access, and for how long. The DPBI will request this immediately upon investigation. Organizations without it signal negligence.
✅ Implement Privacy-by-Design in New Systems
Any new product, feature, or data integration should have privacy controls built in from the start — not added later. This is your strongest mitigation argument before the DPBI.
✅ Establish a Grievance Redressal Mechanism
Appoint a named Grievance Officer with real authority. Respond to all Data Principal requests within 90 days. Document every interaction. Unresolved complaints are the most common DPBI complaint trigger.
✅ Document Everything — Consent, Breaches, Deletions
Maintain audit trails for all consent grants and withdrawals, all data deletion actions, all breach response steps. Documentation is your primary defense in a DPBI proceeding.
✅ Engage an Independent DPDP Auditor
For Significant Data Fiduciaries, this is mandatory. For others, an independent audit report demonstrating compliance is the most persuasive evidence of good faith you can present to the DPBI.
9️⃣ Frequently Asked Questions — DPDP Act Penalties India
Q: What is the maximum penalty under the DPDP Act in India?
A: The maximum penalty under the DPDP Act is ₹250 crore per violation, applicable to Data Fiduciaries that fail to implement reasonable security safeguards to prevent a personal data breach. Multiple violations in a single incident can attract cumulative penalties across different provisions.
Q: Who can impose penalties under the DPDP Act?
A: Penalties are imposed exclusively by the Data Protection Board of India (DPBI), established under Chapter V of the DPDP Act 2023. The Board is a fully digital, independent statutory body headquartered in the National Capital Region. Its decisions can be appealed to TDSAT within 60 days.
Q: What triggers the ₹200 crore DPDP penalty?
A: The ₹200 crore penalty can be triggered by: (1) failure to notify the DPBI and affected Data Principals of a personal data breach, (2) processing personal data without valid consent, and (3) breach of obligations related to children’s personal data — including processing without verifiable parental consent.
Q: When does DPDP Act penalty enforcement begin?
A: The Data Protection Board of India became operational in November 2025 with the notification of DPDP Rules 2025. Full substantive compliance obligations take effect on May 13, 2027 (18 months from notification). After this deadline, enforcement begins immediately with no grace period.
Q: Where do DPDP Act fines go?
A: All penalties imposed by the Data Protection Board are credited to the Consolidated Fund of India under Article 266(1) of the Constitution. The fines are state revenue — they do not go directly to individual complainants, who must seek civil remedies separately.
🔟 Conclusion
The DPDP Act’s penalty regime is not designed to be punitive for its own sake — it is designed to create genuine accountability for how Indian residents’ personal data is collected, processed, and protected. With penalties of up to ₹250 crore per violation and the DPBI now fully operational, the cost of non-compliance has become a board-level business risk.
Organizations have until May 13, 2027 to achieve full compliance under DPDP Rules 2025. That window is not a grace period — it is a runway to build the governance, technical controls, and organizational processes that will protect both your customers and your business.
At VISTA InfoSec, we have spent over 20 years guiding organizations across India, the US, Singapore, and the UK through exactly these compliance challenges — from GDPR and HIPAA to PCI DSS and now DPDP. Our DPDP compliance services include gap assessments, DPIA support, DPO consulting, vendor contract reviews, and ongoing compliance monitoring. We don’t just tell you what the law says — we help you build the systems that keep you compliant.
Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.