DPDPA 2023 Penalty Schedule — Complete List with Amounts
The Digital Personal Data Protection Act, 2023 contains a fixed penalty schedule in its Schedule (appended to the Act). Unlike GDPR, whose caps are the higher of a fixed euro amount or a percentage of annual global turnover, DPDPA specifies absolute maximum amounts for each category of breach. The Data Protection Board of India determines the actual penalty quantum within these caps on the facts of each case, after an inquiry and an opportunity to be heard (Section 33).
Full Penalty Schedule
1. Failure to Take Reasonable Security Safeguards — Up to Rs. 250 Crore
Section reference: Section 8(5)
Maximum penalty: Rs. 250,00,00,000 (Rs. 250 crore / approximately USD 30 million)
What it covers: Failure to implement reasonable security safeguards to prevent personal data breaches. This includes inadequate encryption, missing access controls, absent logging, failure to patch known vulnerabilities, and absence of regular security testing. Importantly, this penalty can be imposed even if no breach has actually occurred — inadequate security itself is a violation.
2. Failure to Notify Board and Data Principals of Breach — Up to Rs. 200 Crore
Section reference: Section 8(6)
Maximum penalty: Rs. 200,00,00,000 (Rs. 200 crore / approximately USD 24 million)
What it covers: Failure to give the Data Protection Board and each affected Data Principal intimation of a personal data breach in the form, manner and time prescribed. The Act itself leaves the timeline to the Rules, which require affected Data Principals to be informed without delay and the Board to receive a detailed report within 72 hours of the fiduciary becoming aware of the breach. Complete non-notification, excessive delay, and notification that is materially incomplete or misleading all fall within this item.
3. Non-Compliance with Children's Data Obligations — Up to Rs. 200 Crore
Section reference: Section 9
Maximum penalty: Rs. 200,00,00,000 (Rs. 200 crore / approximately USD 24 million)
What it covers: Processing a child's personal data without verifiable parental consent, tracking or behavioural monitoring of children, targeted advertising directed at children, or any processing likely to cause a detrimental effect on the well-being of a child. A child is a person who has not completed eighteen years of age; Section 9 applies the same consent requirement to persons with disability who have a lawful guardian.
4. Non-Compliance with Significant Data Fiduciary Obligations — Up to Rs. 150 Crore
Section reference: Section 10
Maximum penalty: Rs. 150,00,00,000 (Rs. 150 crore / approximately USD 18 million)
What it covers: Failure by a notified Significant Data Fiduciary to appoint a Data Protection Officer based in India, appoint an independent data auditor, conduct periodic Data Protection Impact Assessments, or comply with any other additional obligations imposed on Significant Data Fiduciaries.
5. Non-Compliance with Any Other Provision — Up to Rs. 50 Crore
Section reference: Residual provision covering all other violations
Maximum penalty: Rs. 50,00,00,000 (Rs. 50 crore / approximately USD 6 million)
What it covers: Any breach of the Act or Rules not specifically listed above. This catch-all provision covers: failure to provide adequate notice (Section 5), processing without valid consent (Section 6), failure to honour Data Principal rights within the 90-day period the Rules allow (Sections 11-14), failure to maintain adequate processor contracts (Section 8(2)), failure to erase data once consent is withdrawn or the purpose is served (Section 8(7)), inability to prove that valid consent was obtained, which Section 6(10) makes the Data Fiduciary's burden, and any other non-compliance.
6. Penalty on Data Principals — Up to Rs. 10,000
Section reference: Section 15
Maximum penalty: Rs. 10,000
What it covers: Filing false or frivolous complaints with the Board, providing false or misleading information to a Data Fiduciary when exercising rights, suppressing material information, or registering false grievances with malicious intent.
7. Breach of a Voluntary Undertaking — Up to the Cap for the Underlying Breach
Section reference: Section 32 (voluntary undertakings accepted by the Board); Schedule item 6
Maximum penalty: the amount applicable to the breach in respect of which the proceedings under Section 28 were instituted
What it covers: Breach of any term of a voluntary undertaking that the Board has accepted from the entity during proceedings. The enacted Act contains no separate repeat-offence tier and no Rs. 500 crore ceiling; that figure comes from the 2022 draft Bill and was dropped from the 2023 Act, in which the highest Schedule amount remains Rs. 250 crore. Repetition is instead an aggravating factor that the Board must weigh under Section 33(2)(c) when fixing the penalty within the applicable cap. Because each breach attracts its own penalty, a repeat offender's cumulative exposure across separate proceedings can still exceed any single cap.
How the DPB Determines Penalty Quantum
The Data Protection Board does not automatically impose the maximum penalty. Section 33(1) permits a monetary penalty only where the Board, on concluding an inquiry, determines that the breach is significant, and only after giving the person an opportunity of being heard. Section 33(2) then requires the Board to have regard to:
- Nature and gravity — The seriousness of the breach and the number of Data Principals affected.
- Duration — How long the breach persisted before being detected or remediated.
- Type of data — The type and nature of the personal data affected (financial, health or biometric data weighs heavier than contact details).
- Repetitiveness — Whether this is a first breach or a pattern of non-compliance.
- Financial gain — Whether the entity realised a gain or avoided a loss as a result of the breach.
- Mitigation steps — What action the entity took to mitigate the effects and consequences of the breach, and how timely and effective that action was.
- Proportionality — Whether the penalty is proportionate and effective in securing observance of, and deterring breach of, the Act.
- Impact on the entity — The likely impact of the penalty on the person, which is where an entity's size and resources enter the calculation.
Aggravating Factors
The Board is likely to impose penalties closer to the maximum cap when:
- Repeat offence — The entity has been found in violation before and failed to implement corrective measures.
- Wilful violation — The non-compliance was deliberate rather than negligent. Knowingly processing without consent, deliberately concealing a breach, or instructing employees to circumvent controls.
- Financial gain — The entity profited from the non-compliance (e.g., selling personal data without consent, monetising data beyond consented purposes).
- Scale of harm — Large numbers of Data Principals affected, sensitive data categories involved (financial, health, biometric), or vulnerable populations affected (children, elderly).
- Concealment — Attempts to hide the breach, destroy evidence, or obstruct the Board's inquiry.
- Failure to cooperate — Non-responsiveness to Board communications, failure to provide requested information, or obstructing investigators.
Mitigating Factors
The Board is likely to impose lower penalties when:
- Prompt cooperation — The entity cooperated fully with the Board from the outset, provided all requested information, and facilitated the investigation.
- Proactive notification — The entity discovered and reported the breach itself, rather than it being discovered by a third party or the Board.
- Rapid remediation — The entity took immediate steps to contain the breach, secure affected systems, and prevent recurrence.
- Voluntary compensation — The entity proactively offered remediation or compensation to affected Data Principals without being ordered to do so.
- Technical maturity — The entity had reasonable safeguards in place that were circumvented by a sophisticated attack, demonstrating good-faith compliance effort.
- First offence — No prior violations or adverse findings against the entity.
DPDPA vs GDPR Penalty Comparison
DPDPA and GDPR take fundamentally different approaches to penalties, and understanding the distinction is important for multinational businesses:
- Fixed vs turnover-based — DPDPA uses fixed maximum amounts (up to Rs. 250 crore). GDPR's upper tier is EUR 20 million or 4% of annual global turnover, whichever is higher (the lower tier is EUR 10 million or 2%). For large enterprises the turnover limb makes GDPR exposure far larger (Meta's EUR 1.2 billion fine in 2023). For small businesses the fixed EUR 20 million limb governs, so GDPR's statutory cap on an SME is actually higher than DPDPA's Rs. 50 crore residual cap.
- Predictability — DPDPA's fixed schedule provides certainty about maximum exposure. GDPR's turnover model means exposure grows with company revenue once 4% of turnover exceeds EUR 20 million.
- SME impact — A startup with Rs. 5 crore annual revenue facing a Rs. 50 crore penalty is existential, but so is the EUR 20 million GDPR cap; the 4% limb does not lower the ceiling for a small firm because the higher of the two figures applies. In both regimes an SME's real protection is the regulator's duty to impose a proportionate amount, which DPDPA makes explicit in Section 33(2)(f) and (g).
- No minimum — Neither regime specifies a minimum penalty. Both regulators have discretion to impose a proportionate amount within the cap.
- Per-violation basis — Both regimes apply penalties per violation. A single breach affecting multiple issues (inadequate security + failure to notify) can attract multiple penalties under DPDPA.
- No data portability penalty — DPDPA does not provide a data portability right (unlike GDPR), so there is no penalty equivalent for failing to provide data in a machine-readable format.
- Data Principal penalties — DPDPA uniquely imposes penalties on individuals (Rs. 10,000 for false complaints). GDPR does not penalise data subjects.
Why Fixed Schedule Benefits SMEs
Despite the headline figures being large, DPDPA's fixed penalty model offers practical advantages for Indian SMEs:
- Certainty for planning — Maximum exposure is known and can be planned for via insurance, reserves, or risk management decisions.
- Proportionate enforcement expected — The Board has discretion within the caps and must consider whether the penalty is proportionate (Section 33(2)(f)) and its likely impact on the entity (Section 33(2)(g)). An SME with a minor first breach is unlikely to receive the maximum penalty.
- Insurance feasibility — Cyber insurance policies can be sized against known maximum exposure rather than uncertain percentage-based calculations.
- Investment justification — Compliance investment can be justified against quantifiable maximum exposure, making ROI calculations straightforward for compliance software and services.
Estimating Your Breach Cost Exposure
The actual cost of a personal data breach extends far beyond the DPB penalty. Total breach cost includes: the penalty itself, forensic investigation costs, legal counsel fees, notification costs (reaching all affected Data Principals), credit monitoring or compensation for affected individuals, system remediation and security upgrades, business interruption during containment, reputational damage and customer churn, and potential civil litigation by affected individuals.
For a detailed estimate of your organisation's specific breach cost exposure based on your data volume, sector, and security posture, use our free Breach Cost Estimator tool.