
DPDP Act Penalties Explained: What Every Indian Business Risks

A detailed breakdown of every penalty under the DPDP Act — from Rs 10,000 to Rs 250 crore — with real scenarios showing how they stack up.

DPDP Comply

The Financial Stakes of Non-Compliance

The DPDP Act doesn't just impose fines — it creates an existential financial risk for Indian businesses. Unlike GDPR's percentage-of-revenue approach, the DPDP Act prescribes fixed maximum penalties that apply regardless of company size.

A startup processing student data faces the same Rs 200 crore maximum as Infosys. And penalties are cumulative — multiple violations in a single incident can stack up to a combined exposure that exceeds most companies' annual revenue.

Let's break down every penalty provision and what it means in practice.

The Complete Penalty Schedule

The Schedule to the DPDP Act prescribes maximum penalties for specific violations:

Category 1: Breach of Personal Data (Rs 250 Crore)

Section 8(5) — Failure to implement reasonable security safeguards that results in a personal data breach.

This penalty applies when:

  • Your systems are breached due to inadequate security
  • You failed to implement "reasonable" safeguards (encryption, access controls, monitoring)
  • The breach results in unauthorised access, disclosure, or loss of personal data

Key nuance: There is no materiality threshold. A breach involving 1 record triggers the same obligation as one involving 1 million records. The Board determines the actual penalty amount based on the nature, gravity, and duration of the breach.

Category 2: Failure to Notify (Rs 200 Crore)

Section 8(6) — Failure to notify the Data Protection Board and affected individuals of a data breach.

Notification deadlines:

  • CERT-In: Within 6 hours of discovery
  • Data Protection Board: Within 72 hours
  • Affected individuals: Without unreasonable delay

Combined exposure for a breach with late notification: Rs 450 crore.

Category 3: Children's Data (Rs 200 Crore)

Section 9 — Failure to obtain verifiable parental consent before processing children's data, or engaging in tracking, behavioural monitoring, or targeted advertising directed at children.

Sectors most exposed:

  • EdTech platforms (students)
  • Gaming companies (teenage users)
  • Social media (under-18 accounts)
  • E-commerce (family accounts where children browse)

Combined exposure for a breach involving children's data with late notification: Rs 650 crore.

Category 4: Consent Violations (Rs 50 Crore)

Section 5 & 6 — Failure to obtain valid consent, failure to provide a privacy notice, or processing data beyond the consented purpose.

Common violations:

  • No consent collected at all
  • Bundled consent (not purpose-specific)
  • Missing or inadequate privacy notice
  • Processing data for purposes not disclosed to the individual
  • Making consent withdrawal harder than giving consent

Category 5: Data Principal Rights (Rs 50 Crore)

Section 11-14 — Failure to fulfil data access, correction, erasure, or grievance requests within the prescribed timeframe.

The 7-day SLA is strict. Failing to respond to even one request can trigger this penalty.

Category 6: Other Obligations (Rs 10,000 per individual)

The Act also places duties on Data Principals (the individuals whose data is processed). An individual who:

  • Provides false information when exercising their rights
  • Files frivolous or false grievances
  • Suppresses material information in a data request

faces a penalty of up to Rs 10,000.

Real-World Penalty Scenarios

Let's walk through three realistic scenarios to understand how penalties compound.

Scenario 1: E-Commerce Data Breach

An e-commerce company with 5 lakh customers suffers a database breach. They discover it on Monday but don't report to CERT-In until Thursday (3 days later).

  • Breach due to inadequate security: up to Rs 250 crore
  • Failure to notify CERT-In within 6 hours: up to Rs 200 crore
  • Total exposure: Rs 450 crore

This exceeds the annual revenue of most mid-size e-commerce companies in India.

Scenario 2: EdTech Processing Student Data

An EdTech platform processes data of students aged 14-17 without verifiable parental consent. They also use this data for targeted advertising (behavioural monitoring).

  • Processing children's data without parental consent: up to Rs 200 crore
  • Behavioural monitoring of children: up to Rs 200 crore
  • Missing privacy notice: up to Rs 50 crore
  • Total exposure: Rs 450 crore

Scenario 3: SaaS Company Ignoring Data Requests

A SaaS company receives 50 data erasure requests but has no automated system. They miss the 7-day SLA on all of them.

  • Failure to fulfil data principal rights: up to Rs 50 crore
  • If any requestors are under 18: additional Rs 200 crore
  • Total exposure: Rs 50-250 crore

How the Board Determines Penalty Amounts

The Data Protection Board considers several factors when deciding the actual penalty within the prescribed maximum:

  • Nature, gravity, and duration of the violation
  • Type of personal data affected (sensitive data = higher penalty)
  • Repetitive nature — repeat offenders face higher penalties
  • Whether the entity gained financially from the violation
  • Actions taken to mitigate — did you have safeguards? Did you act quickly?
  • Whether the entity is a Significant Data Fiduciary — higher expectations = higher penalties

This means demonstrable compliance efforts — even incomplete ones — can significantly reduce your penalty exposure. Having a compliance platform with an audit trail is evidence that you took your obligations seriously.

How to Protect Your Business

The most cost-effective protection is prevention. Here's the priority order:

1. Fix consent first — Rs 50 crore exposure, and it's the easiest to implement. An embeddable consent widget with proper audit trails can be deployed in days.

2. Set up breach management — Rs 450 crore combined exposure for breach + late notification. You need automated detection, pre-built CERT-In report templates, and escalation workflows.

3. Automate data requests — Rs 50 crore exposure, and the 7-day SLA makes manual processing impossible at scale.

4. Deploy privacy notices — Rs 50 crore exposure for missing or inadequate notices.

Take our free DPDP readiness assessment to see where your gaps are, or start your free trial to begin closing them today.

The compliance deadline is May 13, 2027. The cost of compliance is a fraction of the cost of a single penalty.
