DPDP Penalties Explained: How Much Can a Data Breach Cost Your Business?
Understand DPDP Act penalties up to INR 250 crore. Covers all penalty tiers, real-world breach scenarios, and comparison with GDPR and CCPA fines.
The Digital Personal Data Protection Act 2023 carries financial penalties that can threaten the survival of any Indian business. The maximum penalty of INR 250 crore for a single breach is not a theoretical upper limit designed to grab headlines. It is a legally enforceable consequence specified in the Schedule to the Act, and the Data Protection Board of India has the authority to impose it.
Understanding the penalty structure is not an academic exercise. It is a prerequisite for rational compliance budgeting. Every rupee you spend on compliance should be evaluated against the penalties you are avoiding.
What are the specific penalty amounts under the DPDP Act?
The DPDP Act 2023 specifies four tiers of penalties in its Schedule, ranging from INR 50 crore for general non-compliance to INR 250 crore for failure to implement security safeguards resulting in a breach. Each tier corresponds to specific obligations in the Act.
Here is the complete penalty structure:
| Violation | DPDP Act Section | Maximum Penalty |
|---|---|---|
| Failure to take reasonable security safeguards resulting in a personal data breach | Section 8(5) | ₹250 crore |
| Processing children's data in violation of the Act | Section 9 | ₹200 crore |
| Failure to notify the DPBI and affected data principals of a breach | Section 8(6) | ₹150 crore |
| Failure to fulfill obligations as a Data Fiduciary or Significant Data Fiduciary | Sections 8, 10 | ₹150 crore |
| Non-compliance by Data Processors with their obligations | Section 8(2) | ₹150 crore |
| Breach of additional obligations by Significant Data Fiduciaries | Section 10 | ₹150 crore |
| Any other non-compliance with the provisions of the Act | Various | ₹50 crore |
Critical points about these penalties:
1. They are per contravention. If a breach exposes data from two processing activities that each violated a different section, the penalties can be additive.
2. There is no turnover-based cap. Unlike GDPR, which caps fines at 4% of turnover, DPDP penalties are fixed maximums. This means an early-stage startup could theoretically face the same INR 250 crore fine as an Ambani-group company.
3. The DPBI determines the actual amount. The Schedule specifies maximums. The Board exercises discretion based on the nature, gravity, and duration of the breach, the number of data principals affected, and the efforts made by the entity to mitigate damage.
How do DPDP penalties compare to GDPR and CCPA fines?
DPDP penalties are structured as fixed-cap amounts, while GDPR uses a percentage-of-turnover model and CCPA imposes per-record fines. For Indian SMEs, DPDP penalties are proportionally harsher than GDPR. For multinational corporations, GDPR fines can exceed DPDP maximums.
Here is a detailed comparison:
| Parameter | DPDP (India) | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|---|
| Maximum penalty | ₹250 crore (~USD 30M) | 4% global turnover or EUR 20M (higher of two) | USD 7,500 per intentional violation |
| Minimum penalty | Not specified | Not specified | USD 2,500 per unintentional violation |
| Breach notification failure | ₹150 crore | Part of general penalties | Part of general penalties |
| Children's data violation | ₹200 crore | Part of general penalties | USD 7,500 per child record |
| Enforcement body | DPBI | DPAs (per country) | California AG / CPPA |
| Private right of action | No | Limited (varies by member state) | Yes (data breaches) |
| Turnover-based scaling | No | Yes (4% cap) | No (per-record model) |
| Appeal mechanism | TDSAT, then Supreme Court | National courts | State/federal courts |
The key insight: DPDP's fixed-cap model is disproportionately severe for small businesses. A company with INR 5 crore annual revenue facing an INR 50 crore fine for a basic compliance failure is looking at 10x its revenue in penalties. Under GDPR, the same company would face a fine capped at 4% of turnover, approximately INR 20 lakh.
Conversely, for a company with INR 10,000 crore in revenue, the DPDP maximum of INR 250 crore is 2.5% of revenue, while GDPR could impose up to INR 400 crore (4% of turnover).
This structural difference means Indian SMEs and startups have more to lose, proportionally, from non-compliance than large enterprises do.
What triggers the highest DPDP penalty of INR 250 crore?
The INR 250 crore penalty is triggered by failure to implement reasonable security safeguards under Section 8(5) of the DPDP Act, resulting in a personal data breach. This means the breach itself is not the trigger. The failure to have adequate security measures in place is what elevates the penalty to the maximum tier.
The distinction matters. Two identical breaches — same attack vector, same data exposed, same number of affected data principals — can result in vastly different penalties depending on what security measures the Data Fiduciary had in place before the breach.
To trigger the INR 250 crore tier, the DPBI would need to establish:
1. A personal data breach occurred. Data was accessed, disclosed, altered, or destroyed without authorization.
2. The Data Fiduciary had a duty to implement security safeguards. Under Section 8(5), every Data Fiduciary must implement reasonable security safeguards to prevent breaches.
3. The safeguards were inadequate. The measures in place did not meet the standard of "reasonable" given the nature and volume of data processed.
4. The inadequacy contributed to the breach. There must be a causal connection between the security failure and the breach.
What constitutes "reasonable security safeguards" is not defined in the Act with technical specificity. The DPDP Rules 2025 provide some guidance, referencing industry-standard practices like encryption, access controls, and regular security audits. Organizations following recognized frameworks like ISO 27001, SOC 2, or the CERT-In Cyber Security Framework will be in a stronger position to argue their safeguards were reasonable.
What happens if a D2C brand leaks customer WhatsApp data?
A D2C brand that leaks customer WhatsApp data faces potential penalties across multiple DPDP sections simultaneously: up to INR 250 crore for the breach itself, INR 150 crore for delayed notification, and additional penalties if consent management was non-compliant. The total exposure can exceed INR 400 crore for a single incident.
Let us walk through a realistic scenario.
The scenario: A direct-to-consumer skincare brand with 2 lakh customers uses WhatsApp Business for order updates and marketing. A misconfigured API endpoint exposes a database containing customer names, phone numbers, WhatsApp conversation histories, purchase histories, and delivery addresses.

Penalty analysis:

| Violation | Details | Potential Penalty |
|---|---|---|
| Inadequate security safeguards (Section 8(5)) | Misconfigured API without access controls, no encryption at rest | Up to ₹250 crore |
| Failure to notify DPBI within 72 hours (Section 8(6)) | Brand detects breach on Monday, begins investigation, does not notify DPBI until Thursday | Up to ₹150 crore |
| Non-compliant consent for marketing messages (Section 6) | Marketing messages sent without granular consent separate from transactional consent | Up to ₹50 crore |
| No DSAR response mechanism (Section 11) | Customers requesting their data have no way to submit or track requests | Up to ₹50 crore |
Beyond penalties, the business consequences include:

This scenario is not far-fetched. According to CERT-In's India Cyber Threat Report 2025, e-commerce and D2C companies experienced a 340% increase in API-related data exposures between 2023 and 2025.
How does the DPBI determine the actual penalty amount?
The Data Protection Board of India determines penalty amounts based on the nature, gravity, and duration of the breach; the type and volume of personal data affected; the actions taken by the Data Fiduciary to mitigate the breach; whether the breach was a first offence or repeat violation; and any financial gain obtained from the non-compliance.
The DPDP Act does not prescribe a penalty formula. Section 33 grants the DPBI broad discretion to consider:
1. Nature and gravity of the breach. Exposure of sensitive financial or health data is treated more seriously than exposure of basic contact information.
2. Duration. A breach that persisted for six months due to lack of monitoring will attract a higher penalty than one detected and contained within hours.
3. Number of affected data principals. A breach affecting 10 lakh individuals is fundamentally different from one affecting 100.
4. Deliberate vs. negligent conduct. Deliberate circumvention of compliance requirements will attract higher penalties than negligent failures, though negligence is not a defence.
5. Mitigation efforts. Did the Data Fiduciary promptly contain the breach, notify affected individuals, offer remediation, and take steps to prevent recurrence? Active mitigation reduces penalty exposure.
6. Repeat violations. A first-time offender will likely receive a lower penalty than an entity with a history of non-compliance.
7. Financial gain. If the entity profited from the non-compliant processing (e.g., selling personal data without consent), the penalty will account for that gain.
This discretionary model means that compliance effort directly reduces penalty exposure, even if a breach occurs. The DPBI is more likely to impose a moderate penalty on a business that had implemented security measures, maintained documentation, and responded promptly than on one that had done nothing.
What are the hidden costs of a data breach beyond DPDP fines?
The regulatory penalty is often the smallest component of total breach cost. Hidden costs include forensic investigation, legal defence, business interruption, customer notification and monitoring, reputation damage, increased insurance premiums, and long-term customer attrition. According to the IBM Cost of a Data Breach Report 2025, the average total cost of a data breach in India is INR 19.5 crore.
Here is a realistic cost breakdown for a mid-sized Indian business:
| Cost Category | Estimated Range | Timeline |
|---|---|---|
| Forensic investigation | ₹10-50 lakh | Immediate |
| Legal counsel and defence | ₹15-75 lakh | 6-24 months |
| DPBI penalty | ₹50 lakh - ₹250 crore | 3-18 months |
| Customer notification | ₹5-25 lakh | Immediate |
| Credit/identity monitoring for affected individuals | ₹10-50 lakh | 12-24 months |
| Business interruption (system downtime) | ₹5-100 lakh | Days to weeks |
| PR crisis management | ₹5-30 lakh | 1-6 months |
| Customer churn (10-30% of affected base) | Variable, often crores | 6-24 months |
| Increased cyber insurance premiums | 50-200% increase | Annual |
| Technology remediation | ₹20-200 lakh | 1-6 months |
| Regulatory compliance upgrades (post-breach) | ₹10-100 lakh | 3-12 months |
The total cost multiplier is typically 3-5x the direct penalty. An INR 50 crore penalty incident often results in INR 150-250 crore in total costs when all downstream effects are included.
How can businesses reduce their DPDP penalty exposure?
Businesses reduce DPDP penalty exposure through three mechanisms: preventing breaches with technical safeguards, limiting breach impact through data minimization and access controls, and demonstrating good faith compliance effort through documentation and rapid response. The DPBI's discretionary penalty model rewards businesses that take proactive measures.
A structured approach to penalty reduction:
1. Implement encryption at rest and in transit. This is the most fundamental security safeguard. Encrypted data that is accessed without authorization may not constitute a reportable breach if the encryption keys were not compromised.
2. Enforce principle of least privilege. Limit access to personal data to only those employees and systems that need it for specific, documented purposes. Fewer access points means fewer breach vectors.
3. Conduct regular security audits. Quarterly vulnerability assessments and annual penetration testing demonstrate that you are proactively identifying and remediating weaknesses.
4. Minimize data collection and retention. You cannot breach data you do not hold. Review every data field you collect and every retention period. If you do not need it, do not store it.
5. Deploy breach detection tools. The 72-hour notification clock starts at awareness. The faster you detect a breach, the more time you have to assess and report. Invest in intrusion detection, anomaly monitoring, and data loss prevention.
6. Automate compliance documentation. Platforms like KAVACH maintain continuous compliance evidence — consent artifacts, processing logs, DSAR responses — that demonstrate good faith effort to the DPBI.
7. Prepare breach response in advance. Have a tested incident response plan, pre-approved DPBI notification templates, and a designated response team. Improvised responses during a crisis lead to missed deadlines and higher penalties.
8. Train employees quarterly. Most breaches involve human error. Phishing awareness, secure data handling, and incident reporting training directly reduce breach probability.
What should you do if your business has already experienced a data breach?
If your business has experienced a data breach, your immediate priorities are containment, assessment, and notification — in that order. Contain the breach to prevent further data exposure, assess the scope and severity, and notify the DPBI within 72 hours of becoming aware of the breach as required by Section 8(6).
Step-by-step breach response:
1. Contain immediately. Isolate affected systems, revoke compromised credentials, close exploited vulnerabilities. Every minute of continued exposure increases your liability.
2. Preserve evidence. Do not wipe systems or destroy logs in the rush to contain. Forensic evidence is critical for both the investigation and your legal defence.
3. Assess scope. Determine what data was affected, how many data principals are impacted, what the attack vector was, and whether the breach is ongoing.
4. Notify the DPBI within 72 hours. File the notification with the Data Protection Board of India. Include the nature of the breach, data affected, approximate number of data principals, likely consequences, and measures taken.
5. Notify affected data principals. Inform individuals whose data was compromised. Provide clear information about what happened, what data was affected, and what steps they should take.
6. Engage legal counsel. DPDP enforcement proceedings are quasi-judicial. Having legal representation from the outset protects your interests.
7. Remediate and document. Fix the root cause, implement additional safeguards, and document everything. Your remediation effort will influence the DPBI's penalty determination.
8. Review and improve. Conduct a post-incident review. Update your security measures, incident response plan, and compliance documentation based on lessons learned.
The cost of prevention is always lower than the cost of remediation. Explore the DPDP Penalty Calculator to estimate your business's exposure, and consider implementing KAVACH to automate the compliance measures that reduce penalty risk.