Introduction
India’s Digital Personal Data Protection Act, 2023 (DPDP Act) introduced something India’s privacy regime never previously had: meaningful financial consequences.
The Data Protection Board of India (DPBI), operational since November 13, 2025, has the power to impose penalties of up to ₹250 crore per violation.
₹250 crore is approximately USD 30 million. For most Indian businesses, that is not a regulatory inconvenience — it is existential risk.
Understanding how the penalty framework works is central to compliance planning.
The Enforcement Authority: Data Protection Board of India
The Data Protection Board of India (DPBI) is the statutory enforcement body under the DPDP Act.
It operates through a digital-first model, with:
- Online complaint filing
- Electronic submissions
- Digital hearings
- App-based grievance mechanisms
Who Can Trigger Investigation
An investigation can begin through:
- A complaint filed by a Data Principal
- Suo motu action by the DPBI (based on media reports, breach disclosures, or regulatory intelligence)
Before imposing penalties, the DPBI provides the organisation an opportunity to respond. However, in urgent cases involving ongoing harm, interim directions may be issued.
Appeals
DPBI decisions can be appealed to:
- Telecom Disputes Settlement and Appellate Tribunal (TDSAT)
- High Court
- Supreme Court
The Penalty Schedule: Maximum Exposure
The DPDP Act specifies maximum penalties for each violation category. These are ceilings, not mandatory fines — but they define risk exposure.
Failure to Implement Security Safeguards
Maximum Penalty: ₹250 crore
This is the highest penalty tier.
It applies when a breach occurs due to inadequate security safeguards, including failures such as:
- Lack of encryption (data at rest or in transit)
- Weak access controls
- Absence of multi-factor authentication
- No audit logging
- No breach response plan
- Poor vendor oversight
Because Data Fiduciaries are accountable for their Data Processors, a vendor breach can still trigger this penalty for the Fiduciary.
Security is therefore the single highest financial risk area under the Act.
Failure to Notify a Breach
Maximum Penalty: ₹200 crore
When a breach occurs, two simultaneous obligations arise:
- Notify the DPBI (initial intimation without delay; full report within 72 hours)
- Notify affected Data Principals without delay
Failure to notify — or delayed/incomplete notification — is independently punishable.
Zero-Threshold Rule
All personal data breaches must be reported. There is no materiality threshold.
Even small-scale accidental disclosures require reporting if they constitute unauthorised access, disclosure, or alteration.
Dual Regulatory Clock
Organisations must also comply with CERT-In Directions, which require certain cybersecurity incidents to be reported within 6 hours.
A single incident may trigger:
- 6-hour CERT-In reporting
- 72-hour DPBI reporting
Incident response plans must account for both timelines.
Non-Compliance with Children’s Data Obligations
Maximum Penalty: ₹200 crore
Children (under 18) receive heightened protection:
- Verifiable parental consent required
- Behavioural monitoring prohibited
- Targeted advertising prohibited
- Harmful processing prohibited
Organisations interacting with minors — schools, healthcare providers, family-access workplaces — must design specific compliance controls.
Failure to implement children-specific safeguards can result in high-tier penalties.
Failure to Fulfil Data Principal Rights
Maximum Penalty: ₹50 crore
Organisations must:
- Publish a grievance contact
- Respond to access requests
- Honour correction requests
- Honour erasure requests where applicable
- Enable easy withdrawal of consent
The 90-day response SLA applies to each of these requests.
Ignoring or systematically mishandling rights requests exposes organisations to enforcement.
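A small deadline tracker that covers both the dual breach-reporting clock (6-hour CERT-In, 72-hour DPBI full report) and the 90-day rights-request SLA, written as an added example rather than code from the article or from Onfra; the obligation names, the IST sample timestamps and the decision not to schedule the "without delay" obligations are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))

# Time limits as stated in the article. Obligations the Act phrases only as
# "without delay" (initial DPBI intimation, notice to Data Principals) carry no
# hour count and are deliberately not scheduled here (assumption).
CLOCKS = {
    "certin_incident_report": timedelta(hours=6),    # CERT-In Directions
    "dpbi_full_breach_report": timedelta(hours=72),  # DPBI full report
    "rights_request_response": timedelta(days=90),   # Data Principal rights SLA
}

@dataclass
class Obligation:
    kind: str                                  # key into CLOCKS
    started_at: datetime                       # breach detection or request receipt
    satisfied_at: Optional[datetime] = None    # when the report/response went out

    @property
    def deadline(self) -> datetime:
        return self.started_at + CLOCKS[self.kind]

def status(ob: Obligation, now: datetime) -> str:
    """'met': sent in time; 'late': sent after the deadline; 'overdue': unsent
    and past the deadline; 'pending': unsent but still inside the window."""
    if ob.satisfied_at is not None:
        return "met" if ob.satisfied_at <= ob.deadline else "late"
    return "overdue" if now > ob.deadline else "pending"

def needs_escalation(obligations, now: datetime) -> list:
    """Kinds that are overdue or were satisfied late, sorted, so a compliance
    owner can prioritise them before a DPBI or CERT-In query arrives."""
    return sorted(ob.kind for ob in obligations if status(ob, now) in ("overdue", "late"))

# Constructed sample: breach detected at 09:00 IST, CERT-In told 5h30 later,
# DPBI full report still outstanding, and an access request received 95 days ago.
DETECTED = datetime(2026, 1, 10, 9, 0, tzinfo=IST)
SAMPLE = [
    Obligation("certin_incident_report", DETECTED, DETECTED + timedelta(hours=5, minutes=30)),
    Obligation("dpbi_full_breach_report", DETECTED),
    Obligation("rights_request_response", DETECTED - timedelta(days=95)),
]

def sample_status(hours_after_detection: float) -> dict:
    """Status of every sample obligation as seen N hours after detection."""
    now = DETECTED + timedelta(hours=hours_after_detection)
    return {ob.kind: status(ob, now) for ob in SAMPLE}
```

Run `sample_status(80)` to see the DPBI report and the stale rights request both flagged as overdue while the CERT-In report shows as met.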
Consent Manager Non-Compliance
Maximum Penalty: ₹500 crore
This tier applies specifically to registered Consent Managers — a new intermediary category under the DPDP framework.
Most businesses will not operate as Consent Managers. However, this represents the highest theoretical penalty under the Act.
Catch-All Violations
Maximum Penalty: ₹50 crore per instance
Any other violation not specifically listed can attract penalties up to ₹50 crore.
Examples include:
- No privacy notice
- Invalid consent mechanisms
- Purpose creep (using data beyond stated purpose)
- Excessive retention
- No Data Processing Agreement with vendors
- No multi-language notice availability
- No legal basis for processing
Multiple violations in a single workflow can accumulate.
Consolidated Penalty Overview
| Violation Category | Maximum Penalty |
|---|---|
| Failure to implement security safeguards | ₹250 crore |
| Failure to notify breach | ₹200 crore |
| Children’s data violations | ₹200 crore |
| Failure to fulfil Data Principal rights | ₹50 crore |
| Consent Manager violations | ₹500 crore |
| Any other violation | ₹50 crore per instance |
How Penalty Amounts Are Determined
The DPBI considers mitigating and aggravating factors when deciding final amounts.
These include:
- Nature and gravity of the violation
- Duration of non-compliance
- Type of personal data involved (biometric, children’s, health data increase severity)
- Number of affected Data Principals
- Whether the violation was intentional or negligent
- Mitigation steps taken
- Financial gain derived from violation
- History of prior violations
- Cooperation with investigation
- Actual harm caused
Maximum penalties are ceilings. Demonstrated compliance efforts and good-faith remediation materially influence outcomes.
High-Risk Areas to Prioritise
To manage penalty exposure, prioritise in order of financial risk:
1. Security Infrastructure (₹250 crore exposure)
- Encrypt data at rest and in transit
- Enforce role-based access control
- Implement multi-factor authentication
- Maintain audit logs (minimum one year)
- Conduct vendor security due diligence
2. Breach Response Readiness (₹200 crore exposure)
- Document a breach playbook
- Assign named incident owners
- Prepare 72-hour DPBI notification templates
- Prepare Data Principal notification templates
- Conduct breach simulations
3. Privacy Notice and Consent Architecture
- Deploy standalone privacy notices
- Eliminate pre-ticked or bundled consent
- Ensure language accessibility
- Document legitimate use reliance
4. Rights Handling and Retention Discipline
- Publish grievance contact
- Implement deletion workflows
- Maintain 90-day response tracking
- Automate retention enforcement
If You Receive a DPBI Notice
Immediate actions should include:
- Engage legal counsel
- Preserve all relevant records
- Cooperate fully with the investigation
- Document remedial measures
- Avoid obstruction or destruction of evidence
Cooperation and corrective action are mitigating factors.
Cumulative Risk: The Overlooked Multiplier
Penalties are assessed per violation category.
A single incident could trigger:
- ₹250 crore for inadequate security
- ₹200 crore for failure to notify
- ₹50 crore for absence of proper notice
- ₹50 crore for invalid consent
Exposure can compound rapidly.
Compliance failures rarely occur in isolation.
The Strategic Perspective
The DPDP Act shifts privacy from a reputational issue to a balance-sheet risk.
The enforcement authority is operational. Complaint filing is accessible to individuals. Reporting thresholds are strict. Security standards are explicit.
The May 13, 2027 compliance deadline is approaching.
The rational question for leadership is not whether compliance costs money.
It is whether non-compliance risk is financially survivable.
Conclusion
The DPDP penalty framework introduces real, enforceable financial consequences into India’s data governance landscape.
Maximum exposure reaches:
- ₹250 crore for security failures
- ₹200 crore for breach notification failures
- ₹50 crore per instance for other violations
- ₹500 crore for Consent Manager non-compliance
These figures are designed to change organisational behaviour.
Compliance is no longer optional. It is enterprise risk management.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection professional for specific compliance guidance.
Onfra integrates DPDP-aligned consent flows, deletion automation, and Rule 6 security safeguards directly into workplace operations — helping organisations reduce regulatory exposure before enforcement begins.