The statutory penalties ranging from Rs 10,000 to Rs 250 crore for various categories of DPDPA violations.
The DPDPA Schedule prescribes maximum penalties for different categories of violations. Key amounts include: failure to take reasonable security safeguards (up to Rs 250 crore), failure to notify the Board and Data Principals of a breach (up to Rs 200 crore), non-compliance with obligations regarding children (up to Rs 200 crore), failure to comply with Board directions (up to Rs 50 crore), and breach of Data Principal duties (up to Rs 10,000 for individuals). Penalties are per violation — multiple breaches attract separate penalties.
The penalty amounts are not theoretical: they represent an existential risk for Indian startups. A single consent violation affecting 10,000 users could, in principle, attract penalties exceeding your company's valuation. This makes proactive compliance a business survival issue.
A Bengaluru startup suffers a data breach affecting 100,000 users. Potential penalty exposure: up to Rs 250 crore for inadequate safeguards PLUS up to Rs 200 crore for delayed notification. Total exposure of Rs 450 crore — likely exceeding the company's entire valuation.
Penalties are maximums, not automatic amounts. The Board considers proportionality, good faith efforts, breach severity, and remediation when determining actual penalty amounts. Demonstrable compliance efforts can significantly reduce penalties.