DPDPA penalties are civil financial penalties imposed by the Data Protection Board of India, scaling up to ₹250 crore for failing to take reasonable security safeguards to prevent a data breach. Fines are assessed per instance based on the nature, gravity, duration and impact of the violation.
The Digital Personal Data Protection Act, 2023 (DPDPA) backs its obligations with real financial teeth. Where earlier Indian data rules carried only token consequences, the DPDPA empowers the Data Protection Board of India to impose penalties that can reach ₹250 crore for a single category of failure — making non-compliance a board-level financial risk rather than a paperwork issue.
Crucially, the DPDPA is a civil-penalty regime. It does not create new criminal offences or prison terms for breaching its provisions; the consequence of non-compliance is a monetary penalty determined through an adjudication process. That changes how organisations should think about risk — the exposure is quantifiable, repeatable, and tied directly to how well you can evidence your controls.
What is the penalty Schedule under the DPDPA?
The penalties are set out in the Schedule to the Act, which fixes a maximum penalty for each category of breach. These are ceilings, not fixed amounts — the Board decides the actual figure within each cap based on the circumstances of the case.
| Violation | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) | Up to ₹250 crore |
| Failure to notify the Data Protection Board or affected Data Principals of a personal data breach | Up to ₹200 crore |
| Non-fulfilment of additional obligations in relation to children (Section 9) | Up to ₹200 crore |
| Non-fulfilment of additional obligations of a Significant Data Fiduciary (Section 10) | Up to ₹150 crore |
| Breach of any other provision of the Act or the Rules | Up to ₹50 crore |
| Breach of a Data Principal’s duties | Up to ₹10,000 |
Security failure carries the highest exposure
The single largest penalty — up to ₹250 crore — attaches to failing to take reasonable security safeguards. Because almost every serious incident begins with a security lapse, this is the cap most organisations should plan against first.
How are DPDPA penalties assessed?
The Schedule sets the maximum; the actual penalty is decided by the Data Protection Board after giving the organisation a reasonable opportunity to be heard. Section 33 directs the Board to have regard to a defined set of factors when fixing the amount, so the penalty is proportionate rather than automatic.
- The nature, gravity and duration of the breach.
- The type and nature of the personal data affected by the breach.
- Whether the breach is repetitive — repeat conduct attracts a higher penalty.
- Whether, as a result of the breach, the person realised a gain or avoided a loss.
- Whether the person took any action to mitigate the breach, and how timely and effective that action was.
- Whether the penalty is proportionate and effective having regard to securing compliance and deterring further breaches.
- The likely impact of the penalty on the person.
In practice this means two organisations that suffer the same incident can face very different penalties. The one that detected the breach quickly, notified promptly, mitigated harm and can produce contemporaneous evidence of reasonable safeguards will be treated far more leniently than one that ignored warnings or cannot demonstrate any controls at all.
Evidence reduces exposure
Maintaining continuous, timestamped evidence of your safeguards, consent records and breach response is the most reliable way to push a penalty toward the lower end of the band — or avoid one entirely.
Who imposes DPDPA penalties?
Penalties are imposed by the Data Protection Board of India, an independent adjudicatory body established under the Act. The Board investigates complaints from Data Principals and personal data breaches, issues directions for remedial or mitigation measures, and conducts inquiries before deciding whether to impose a financial penalty. It is designed to function as a digital-first office, so much of the process — from complaint to inquiry — is conducted electronically.
The Board acts on complaints, on references from the Central Government, and on intimations of breaches. It is the only authority empowered to impose the penalties in the Schedule; there is no separate sectoral fine on top of the DPDPA penalty for the same conduct.
Can you appeal a DPDPA penalty?
Yes. An organisation aggrieved by an order or direction of the Data Protection Board can appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which acts as the Appellate Tribunal under the Act. Appeals must generally be filed within 60 days of receiving the Board’s order. The Tribunal hears the matter using a digital process and can confirm, vary or set aside the Board’s decision. A further appeal on a question of law lies to the Supreme Court of India.
The DPDPA does not threaten imprisonment — it threatens balance-sheet impact. A single security failure can cost up to ₹250 crore, decided per instance by the Data Protection Board.
Are DPDPA penalties criminal? Is there imprisonment?
No. The DPDPA is a civil-penalty statute. Unlike some earlier proposals and unlike provisions of the Information Technology Act, the DPDPA does not prescribe imprisonment for breaching its data-protection obligations. The consequence of non-compliance is a monetary penalty determined by the Board, not a custodial sentence. (Separate criminal liability could still arise under other laws — for example for fraud or theft — but that is outside the DPDPA itself.)
Are DPDPA penalties charged per instance?
The figures in the Schedule are maximum penalties per instance of breach rather than a single annual cap. Because the Board weighs whether conduct is repetitive, an organisation with multiple distinct failures — or a pattern of the same failure — can face penalties that compound well beyond the headline number for one violation. The practical lesson is that systemic, unaddressed gaps are far more dangerous than a single isolated lapse.
How can businesses reduce their penalty exposure?
Because the Board explicitly weighs safeguards, mitigation and timeliness, penalty exposure is something you can actively manage. The most effective levers are: implementing and documenting reasonable security safeguards under Section 8(5), running a tested breach-response plan so notification is fast and complete, keeping clean consent and rights records, and maintaining continuous evidence of compliance so you can demonstrate good faith if the Board ever asks.