The DPDP Act Has Teeth
India's Digital Personal Data Protection Act 2023 is not a compliance exercise with symbolic fines. The penalty schedule under the Act is among the most significant in Indian regulatory law. Understanding what can trigger a penalty — and how large it can be — is essential for every business handling personal data.
The Penalty Schedule at a Glance
The DPDP Act imposes penalties through the Data Protection Board of India. The key penalty tiers are:
₹250 Crore — Failure to Implement Security Safeguards
This is the largest penalty under the Act. If a business fails to implement "reasonable security safeguards" to protect personal data and this results in a breach, the Data Protection Board may impose a penalty of up to ₹250 crore per instance.
₹200 Crore — Failure to Notify a Data Breach
When a personal data breach occurs, data fiduciaries must notify both the Data Protection Board and affected individuals. Failure to notify — or delayed notification — can result in a penalty of up to ₹200 crore.
₹200 Crore — Violations Relating to Children's Data
Processing children's data without verifiable parental consent, or engaging in behavioural monitoring or targeted advertising directed at children, attracts penalties of up to ₹200 crore.
₹150 Crore — Significant Data Fiduciary Non-Compliance
Significant Data Fiduciaries (SDFs) designated by the government carry additional obligations, including appointing a Data Protection Officer (DPO), undergoing periodic data audits, and conducting Data Protection Impact Assessments (DPIAs). Non-compliance with these SDF-specific requirements can attract penalties of up to ₹150 crore.
₹50 Crore — Other Violations
Violations of other provisions — such as failing to honour data principal rights, improper consent practices, or inadequate grievance redressal — carry penalties of up to ₹50 crore per violation.
How Are Penalties Determined?
The Data Protection Board will consider the following factors when determining the quantum of penalty:
- Nature, gravity, and duration of the violation
- Type of personal data affected
- Repetitive nature of the violation
- Whether the data fiduciary gained any financial advantage
- Measures taken by the data fiduciary to mitigate harm
- Whether the violation was intentional or negligent
Can Penalties Be Appealed?
Yes. Orders of the Data Protection Board can be appealed to the Appellate Tribunal established under the Act. Further appeals lie to the High Court on questions of law.
Voluntary Undertakings
The Act allows data fiduciaries to offer a "voluntary undertaking" to the Board — committing to cease a violation and pay a specified amount. If accepted by the Board, this closes the proceeding. Proactive compliance and self-reporting can significantly reduce penalty exposure.
The Practical Lesson
The penalty structure makes one thing clear: investing in DPDP Act compliance now is far less expensive than facing enforcement action later. A single breach leading to a ₹250 crore penalty could be existential for most businesses.
Clawrity's DPDP Act lawyers help businesses assess their current risk exposure and build compliance programmes that are practical, proportionate, and effective. Reach out to understand where your business stands.