DPDP Penalties: ₹250 Crore Fine Explained
The Data Protection Board of India can impose fines from ₹50 crore to ₹250 crore for violations of the Digital Personal Data Protection Act. Penalties depend on the severity of the violation — with the highest fine (₹250 crore) reserved for failure to implement security safeguards.
Key facts: Enforcement begins May 14, 2027 • Applies to all businesses regardless of size • Fines are proportionate to violation severity • No revenue threshold exemptions.
Complete DPDP Penalty Breakdown
The DPDP Act establishes a tiered penalty system where fines range from ₹50 crore to ₹250 crore depending on the type of violation. Here's the complete breakdown:
| Violation Type | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore |
| Processing children's data without verifiable parental consent | ₹200 crore |
| Failure to notify Data Protection Board of breach within 72 hours | ₹200 crore |
| Processing personal data without valid consent | ₹50 crore |
| Failure to honor Data Principal rights (access, deletion, correction) | ₹50 crore |
| Non-publication or inadequate privacy policy | ₹50 crore |
| Retention of data beyond necessary period | ₹50 crore |
| Failure to appoint DPO (for Significant Data Fiduciaries) | ₹50 crore |
⚠️ Important Context: These are maximum penalties. The Data Protection Board will impose proportionate fines based on the nature of the violation, number of affected users, and whether the violation was intentional or negligent. However, even a ₹10 lakh fine (0.04% of maximum) can be devastating for most Indian startups.
Who Can Be Fined Under DPDP?
The DPDP Act does not exempt any business based on size, revenue, or employee count. Here's who can face penalties:
✅ Entities Subject to DPDP Penalties:
- Indian startups and SMEs — Even 1-person businesses processing personal data
- Large Indian enterprises — All companies regardless of revenue
- Foreign companies with Indian users — US, EU, Singapore-based businesses serving Indians
- E-commerce platforms — Flipkart, Amazon India, smaller stores
- SaaS companies — B2B software platforms, CRM tools, analytics
- Fintech and EdTech — Payment apps, investment platforms, online learning
- Healthcare and fitness apps — Telemedicine, health records, wearables
- Social media and gaming — Platforms with user accounts
Individual Liability
While penalties are imposed on the Data Fiduciary (the entity), the DPDP Act also allows penalties on individuals who are directly responsible for the violation. This means:
- Founders and CEOs can be held personally liable
- Data Protection Officers (DPOs) can be penalized for failures
- Technical teams responsible for security can face consequences
No "Too Small to Fine" Exemption: Unlike some global regulations, DPDP has no revenue threshold or employee-count exemption. A 2-person startup can be fined just as a 2,000-employee corporation can, though the fine amount will be proportionate.
Real Violation Examples: What Triggers Penalties
Understanding what actually constitutes a violation helps you avoid penalties. Here are real-world scenarios:
Scenario: An Indian fintech app stores customer bank details and UPI IDs in an unencrypted database. A hacker gains access and leaks data of 500,000 users.
Violation: Failure to implement reasonable security safeguards (encryption, access controls).
Potential Penalty: ₹50 crore to ₹250 crore depending on impact and negligence level.
Scenario: An EdTech platform collects data from students aged 12-16 without obtaining verifiable parental consent. The platform also tracks student behavior to serve targeted ads.
Violation: Processing children's data without consent + behavioral tracking of minors (both prohibited).
Potential Penalty: ₹100 crore to ₹200 crore.
Scenario: An e-commerce platform discovers a data breach on Monday but waits 10 days to notify the Data Protection Board, hoping to fix the issue quietly.
Violation: Failure to notify breach within 72 hours.
Potential Penalty: ₹50 crore to ₹200 crore (the longer the notification is delayed, the higher the penalty).
Scenario: A SaaS company uses pre-ticked checkboxes on signup forms: "I agree to share my data with third-party partners." Users don't actively consent — the box is ticked by default.
Violation: Processing data without valid consent (consent must be explicit, not assumed).
Potential Penalty: ₹10 crore to ₹50 crore.
Scenario: A user emails a fitness app requesting deletion of their health data. The app ignores the request for 6 months. The user complains to the Data Protection Board.
Violation: Failure to honor Data Principal rights.
Potential Penalty: ₹5 crore to ₹50 crore.
Scenario: A startup's website collects emails through a newsletter form but has no privacy policy published anywhere on the site.
Violation: Non-publication of privacy policy.
Potential Penalty: ₹2 crore to ₹50 crore.
How Are DPDP Penalties Calculated?
The Data Protection Board of India considers multiple factors when determining the actual penalty amount:
1. Nature and Severity of Violation
A security breach affecting 10 million users will be penalized more severely than one affecting 100 users.
2. Intentional vs. Negligent vs. Accidental
- Intentional violations: Knowingly collecting data without consent → Maximum penalties
- Negligent violations: Poor security practices, ignoring known risks → High penalties
- Accidental violations: Good faith mistakes, immediate corrective action → Lower penalties
3. Number of Affected Data Principals
Violations affecting thousands or millions of users result in higher fines than those affecting a handful of users.
4. Sensitivity of Data
Breaches involving sensitive personal data (financial info, health records, biometric data, children's data) are penalized more harshly than breaches of basic contact information.
5. Repeat Violations
First-time violators may receive lower penalties. Repeat offenders face escalating fines.
6. Cooperation with Data Protection Board
Entities that self-report violations, cooperate with investigations, and take immediate corrective action may receive reduced penalties.
✓ Proportionality Principle: The Board is expected to impose proportionate fines. A 10-person startup with a minor compliance lapse won't face the same penalty as a billion-dollar corporation with a massive data breach. However, proportionality does NOT mean immunity — small businesses can still face fines in the ₹10 lakh to ₹5 crore range.
When Does Enforcement Begin?
The timeline for DPDP enforcement is critical:
| Date | What Happens |
|---|---|
| Now to May 13, 2027 | Grace period for compliance. No penalties issued. |
| May 13, 2027 | Mandatory compliance deadline. All businesses must be DPDP-compliant. |
| May 14, 2027 onward | Data Protection Board begins enforcement. Penalties can be issued. |
How Enforcement Works
The Data Protection Board can initiate investigations through:
- User complaints: Data Principals file grievances about violations
- Data breach reports: Mandatory 72-hour breach notifications trigger investigations
- Suo motu (on its own motion): Board discovers violations through media reports, audits, or monitoring
- Third-party reports: Competitors, NGOs, or whistleblowers report violations
Once an investigation begins:
1. Board issues a notice to the Data Fiduciary
2. Entity has the opportunity to respond and provide evidence
3. Board conducts its investigation (may include audits and data requests)
4. Board issues a penalty determination
5. Entity can appeal the penalty
How to Avoid DPDP Penalties
Compliance is the only way to avoid penalties. Here's your action plan:
1. Implement Security Safeguards NOW
- Encrypt all personal data (in transit and at rest)
- Set up access controls (who can view/edit data)
- Conduct regular security audits
- Create an incident response plan
2. Publish a DPDP-Compliant Privacy Policy
- Explain what data you collect and why
- Specify retention periods
- Describe user rights (access, deletion, correction)
- Write in clear, plain language (no legal jargon)
3. Get Valid Consent
- Use clear, specific consent language
- No pre-ticked checkboxes
- Make consent easy to withdraw
- Keep records of when/how consent was obtained
4. Set Up Data Principal Rights Mechanism
- Create a dedicated email address for data rights requests
- or add a data rights request form to your site
- Respond to requests within 30 days
5. If You Process Children's Data
- Obtain verifiable parental consent
- Do NOT track children's behavior
- Do NOT serve targeted ads to minors
6. Prepare for Breach Notification
- Create a breach response team
- Document breach notification procedures
- Know how to contact the Data Protection Board within 72 hours
Frequently Asked Questions
What is the maximum DPDP penalty?
The maximum penalty is ₹250 crore for failure to implement reasonable security safeguards.
Who can impose DPDP penalties?
The Data Protection Board of India has the sole authority to investigate violations and impose penalties.
Can small businesses be fined under DPDP?
Yes. The DPDP Act does not exempt small businesses. Any entity processing personal data can be penalized, though fines will be proportionate to the violation's severity.
When can penalties start being issued?
Penalties can be issued from May 14, 2027 — one day after the mandatory compliance deadline.
Can I be personally fined as a founder?
Yes. The DPDP Act allows penalties on individuals who are directly responsible for violations, including founders, CEOs, and Data Protection Officers.
What if I fix the violation immediately?
Immediate corrective action and cooperation with the Board can result in reduced penalties, but does not guarantee immunity from fines.
Avoid DPDP Penalties: Get Compliant Today
Our complete DPDP compliance guide shows you exactly what to implement to avoid ₹50 crore to ₹250 crore fines.