ISpectra Technologies · Enforcement · Beginner · Updated Jun 2026 · 9 min read

DPDP Act Penalties & Fines (Up to ₹250 Crore)

The DPDP Act's penalties are large and tied to specific failures. This guide explains the tiered schedule, what attracts the biggest fines, and how the Board decides amounts.


When organisations first encounter the DPDP Act, the number that gets their attention is ₹250 crore — the maximum penalty the Act provides. That figure is large enough to matter to even the biggest companies, and it is the clearest signal of how seriously India now treats the protection of personal data. Understanding how penalties work is, for many leaders, the starting motivation for DPDP compliance.

But the headline figure tells only part of the story. The Act sets out a tiered schedule, with different ceilings for different kinds of failure, and it gives the Data Protection Board discretion to decide the actual amount based on defined factors.

Understanding that structure matters, because it tells you where your real exposure lies and where to focus your effort. The biggest penalties attach to a small number of failures, and those are precisely the ones a sensible programme prioritises.

This guide explains the tiered penalty schedule, what each tier covers, how the Board determines amounts, where the money goes, and what the structure means for how you should allocate your compliance attention.

Penalties are tiered, not flat

The first thing to understand is that there is no single penalty under the DPDP Act. The law sets out a schedule of maximum penalties, each tied to a particular category of failure, so the exposure for a security breach differs from the exposure for, say, a notice failure.

This tiered design is deliberate. It concentrates the heaviest penalties on the failures that cause the most harm to individuals — principally security and breach-related lapses — while applying lighter ceilings to less serious breaches of the Act's obligations.

For an organisation, this means your exposure is not uniform across every obligation. Knowing which failures sit in which tier lets you direct your investment toward the areas where the financial stakes are highest.

Mapping your obligations to their penalty tiers is a useful planning exercise in itself. It converts an abstract fear of fines into a concrete prioritisation: invest most where the ceilings are highest, and treat lower-tier obligations as important but less financially acute.

The ₹250 crore tier: security failures

The highest ceiling in the Act — up to ₹250 crore — applies to the failure to take reasonable security safeguards to prevent a personal data breach. This is the single largest exposure under the law, and it sits squarely on the obligation to protect the data in your custody.

The message is unmistakable: of all the duties the Act imposes, securing personal data is the one whose neglect is punished most severely. A breach that flows from inadequate safeguards is treated as the gravest kind of failure.

This is why security is the highest-leverage area of any compliance programme. Investing in encryption, access control, logging and monitoring is, in effect, the most direct way to reduce your maximum financial exposure under the Act.

It is worth noting that the penalty attaches to the failure to take reasonable safeguards, not merely to the fact of a breach. An organisation that genuinely implemented strong measures and was still breached is in a different position from one that was plainly negligent.

The ₹200 crore tier: breach notification and children

The next tier, up to ₹200 crore, covers two distinct failures: the failure to notify the Board and affected individuals of a personal data breach, and the failure to meet the additional obligations protecting children's data.

Significantly, the notification penalty is separate from the security penalty. An organisation could in principle face exposure both for the inadequate safeguards that allowed a breach and for failing to report that breach properly — two distinct failures, two distinct ceilings.

The inclusion of children's-data failures at this high tier underlines how seriously the Act treats the protection of minors, making verifiable parental consent and the ban on harmful tracking matters of real financial consequence.

Because the children's-data and breach-notification ceilings sit so high, two operational capabilities — verifiable parental consent and a tested breach-response runbook — deliver outsized risk reduction relative to their cost, and should be priorities for any organisation they apply to.

Other tiers and the general ceiling

Below the top tiers, the schedule includes a penalty of up to ₹150 crore for a Significant Data Fiduciary's failure to meet its additional obligations, such as the DPO, DPIA and audit duties, and a general residuary ceiling of up to ₹50 crore for breaching other provisions of the Act or Rules.

The Act also places duties on data principals, and breaching those — for instance by filing false or frivolous complaints — can attract a much smaller penalty, reflecting the very different scale of an individual's conduct.

Taken together, the schedule paints a clear hierarchy of seriousness, with security and breach failures at the top and general procedural lapses lower down.

The residuary ceiling matters because it means no obligation is truly consequence-free. Even procedural lapses that fall outside the headline tiers can attract substantial penalties, so a programme cannot safely ignore the 'smaller' duties.

How the Board decides the amount

The ceilings are maximums, not automatic fines. The Data Protection Board determines the actual penalty after an inquiry, weighing factors the Act specifies: the nature, gravity and duration of the breach, the type and sensitivity of the personal data affected, and whether the conduct was repetitive.

It also considers any gain made or loss avoided as a result of the breach, the steps the organisation took to mitigate the harm, and whether the penalty is proportionate and effective. This gives the Board significant discretion to tailor penalties to the circumstances.

The practical implication is that demonstrable good faith matters. An organisation that can show it took reasonable safeguards, responded quickly, and acted to mitigate harm will be treated very differently from one that was negligent and unresponsive.

In practice, this discretion means your conduct before and after an incident shapes the outcome as much as the incident itself. Documented safeguards, prompt notification and visible remediation are the levers most within your control when penalties are being weighed.

Voluntary undertakings and mitigation

The Act provides a mechanism for voluntary undertakings, by which an organisation can offer commitments to the Board to remedy or refrain from certain conduct. Where accepted, such an undertaking can avert or limit penalty proceedings on the matters it covers.

This reflects a regime interested in compliance and remediation, not merely punishment. An organisation that engages constructively — fixing the underlying problem and committing to do better — may find a more favourable path than one that is purely adversarial.

Mitigation, in other words, is not only a factor in setting penalties but can shape whether and how penalties arise at all, rewarding organisations that take responsibility.

Treating the Board as a counterpart you can engage with constructively — rather than an adversary to stonewall — is therefore a sound strategy. A credible voluntary undertaking, backed by real remediation, can be far cheaper than a contested penalty.


Where the penalties go

Penalties imposed under the DPDP Act are credited to the Consolidated Fund of India. They are not compensation paid to affected individuals; they are public penalties intended to enforce the law and deter non-compliance.

This distinguishes the DPDP regime from the old Section 43A approach, which centred on compensation to affected persons. Under the Act, the primary financial consequence is a penalty to the State, with the deterrent effect that implies.

For organisations, the practical point is that the penalty is a cost of non-compliance to be avoided, not a sum that can be negotiated directly with complainants in lieu of fixing the underlying issue.

What the structure means for you

The clearest lesson from the penalty schedule is where to focus. Because the largest ceilings attach to security failures, breach-notification failures and children's-data failures, those three areas deserve disproportionate attention and budget in any programme.

It also tells you that good faith and remediation count. Building demonstrable safeguards, a tested breach-response capability and strong children's-data protections does not just reduce the chance of a penalty — it improves your position if one is ever considered.

Read this way, the penalty structure is less a threat to fear than a map of priorities: it tells you exactly where the stakes are highest, so you can invest your compliance effort where it matters most.

DPDP Act Penalties & Fines — FAQ

Q: What is the highest penalty under the DPDP Act?
A: Up to ₹250 crore, for failing to take reasonable security safeguards, resulting in a personal data breach — the Act's highest tier.

Q: Which failures fall in the ₹200 crore tier?
A: Failing to notify the Board and affected individuals of a breach, and failing to meet the additional obligations protecting children's data — two distinct failures.

Q: Is the ceiling the amount an organisation actually pays?
A: No. The ceilings are maximums; the Data Protection Board sets the actual amount after an inquiry, weighing gravity, duration, data sensitivity, repetition, gain or loss, and mitigation.

Q: Are penalties paid to the affected individuals?
A: No. Penalties are credited to the Consolidated Fund of India; they are public penalties, not compensation paid to complainants.

Q: Can penalties be reduced or avoided?
A: The Act allows voluntary undertakings, and demonstrable good faith and mitigation are factors the Board weighs, so constructive engagement can limit or avert penalties.