India's Digital Personal Data Protection (DPDP) Act, 2023 marks a watershed moment in the country's data governance landscape. For businesses operating in India — or handling the personal data of Indian residents — understanding the maximum penalties under this law is no longer optional. It is a business imperative.
This guide breaks down everything you need to know: the penalty structure, what triggers maximum fines, DPDP Act compliance requirements, and how organisations can proactively protect themselves.
What is the DPDP Act?
The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted by the Indian Parliament to govern the collection, processing, storage, and transfer of digital personal data. It applies to any entity — called a Data Fiduciary — that processes personal data of individuals in India, whether the processing happens within India or outside it.
The Act establishes rights for Data Principals (individuals whose data is collected) and obligations for Data Fiduciaries. It also creates the Data Protection Board of India as the adjudicating authority empowered to investigate complaints and impose penalties.
Overview of the Penalty Framework
The DPDP Act does not follow a one-size-fits-all penalty model. It lays out a tiered penalty structure under Schedule 1, with different maximum fines corresponding to specific categories of violations.
Note: 1 Crore = 10 Million Indian Rupees. At current exchange rates, ₹200 Crore is approximately USD 24 million.
What is the Maximum Penalty Under the DPDP Act?
The maximum penalty under the DPDP Act is ₹200 Crore (₹2 billion), applicable in two critical scenarios:
1. Failure to Safeguard Children's Data
Any Data Fiduciary that processes the personal data of a child (under 18 years of age) without verifiable parental consent, or that engages in tracking, behavioural monitoring, or targeted advertising directed at children, can face a penalty of up to ₹200 Crore. This reflects the legislature's strong intent to protect minors in digital ecosystems.
2. Failure to Report a Personal Data Breach
Data Fiduciaries are required to notify both the Data Protection Board and affected Data Principals in the event of a personal data breach. Failure to do so — whether through delay, suppression, or negligence — can attract a penalty of up to ₹200 Crore.
This provision places an enormous premium on having robust breach detection, incident response, and notification mechanisms in place.
Other Key Penalties You Must Know
₹150 Crore — Significant Data Fiduciaries
Entities designated as Significant Data Fiduciaries (SDFs) carry additional obligations, including:
Appointing a Data Protection Officer (DPO) based in India
Conducting periodic Data Protection Impact Assessments (DPIAs)
Undertaking periodic audits by independent data auditors
Ensuring algorithmic accountability and verifiability
Non-compliance with these enhanced obligations can result in penalties of up to ₹150 Crore.
₹50 Crore — General Violations
Any contravention of the DPDP Act's provisions or its associated Rules that does not fall under a specific higher-penalty category carries a maximum fine of ₹50 Crore. This catch-all provision is broad and could apply to failures around consent management, data localisation, or honouring Data Principals' rights.
₹10,000 — Data Principal Violations
The Act is not exclusively aimed at businesses. Data Principals themselves have duties — including not filing false grievances or furnishing fraudulent information. Violations by individuals attract fines of up to ₹10,000.
What Factors Influence Penalty Determination?
The Data Protection Board does not automatically impose the maximum penalty. Section 33 of the Act lists factors the Board must consider when determining the quantum of penalty:
Nature, gravity, and duration of the non-compliance
Type of personal data affected (sensitive vs. general)
Repetitive nature of the default
Gain by the Data Fiduciary or loss caused to Data Principals as a consequence of the default
Mitigating actions taken by the Data Fiduciary (such as quick breach notification or voluntary remediation)
Degree of cooperation shown with the Board
Organisations that demonstrate proactive compliance, quick remediation, and good faith cooperation are likely to face lower penalties within the prescribed range.
DPDP Act Compliance Requirements: A Practical Checklist
Avoiding penalties begins with understanding — and implementing — the DPDP Act's compliance requirements. Here is what Data Fiduciaries must do:
1. Obtain Valid, Informed Consent
Consent must be:
Free, specific, informed, unconditional, and unambiguous
Obtained through a clear affirmative action (not pre-ticked boxes)
As easy to withdraw as it is to give
A Consent Manager — an entity registered with the Data Protection Board — may be used to manage consent on behalf of Data Principals.
2. Publish a Clear Privacy Notice
Before or at the time of collecting personal data, the Data Fiduciary must provide a notice explaining:
What data is being collected
The purpose of processing
How Data Principals can exercise their rights
Contact information for the Data Protection Officer
3. Honour Data Principal Rights
The DPDP Act grants individuals the following rights, which Data Fiduciaries must facilitate:
Right to access information about the data processed
Right to correction and erasure of inaccurate or outdated data
Right to grievance redressal with timely response mechanisms
Right to nominate another person to exercise these rights on their behalf in the event of death or incapacity
4. Implement Data Security Safeguards
Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches. While the Act does not prescribe specific technical standards, regulators will expect industry-appropriate measures such as encryption, access controls, and penetration testing.
5. Report Breaches Promptly
In the event of a breach, the Data Fiduciary must notify:
The Data Protection Board (with full details of the breach, its impact, and remediation steps)
Affected Data Principals (in clear, non-technical language)
The notification timelines will be specified in the Rules under the Act. Delays or omissions can attract the maximum penalty of ₹200 Crore.
6. Erase Data When No Longer Needed
Data must be erased once the purpose of processing is fulfilled and there is no legal requirement to retain it. Data Fiduciaries cannot retain personal data indefinitely.
7. Restrictions on Processing Children's Data
Organisations must:
Obtain verifiable parental consent before processing any data of a child
Not engage in tracking, profiling, or behavioural advertising targeting minors
Not collect data that is likely to cause harm to a child's well-being
8. Additional Requirements for Significant Data Fiduciaries
If designated as a Significant Data Fiduciary, additional obligations apply:
Appoint a Data Protection Officer (DPO) (based in India)
Engage an independent data auditor for periodic audits
Conduct Data Protection Impact Assessments (DPIAs)
Ensure algorithmic accountability for processing activities
Cross-Border Data Transfer Rules
The DPDP Act permits transfer of personal data outside India, except to countries notified by the Central Government as restricted. This is a negative-list framework: businesses can transfer data internationally unless the destination country has been placed on the restricted list.
Organisations conducting cross-border transfers should monitor the evolving list of restricted countries and ensure contractual safeguards are in place.
The Data Protection Board of India
The Data Protection Board of India is the statutory body responsible for:
Adjudicating complaints and appeals
Investigating personal data breaches
Directing remedial action and imposing penalties
Maintaining a register of Consent Managers
The Board functions as a digital office, and proceedings may be conducted electronically. Its decisions are appealable before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Key Takeaway: What Should Businesses Do Right Now?
The DPDP Act and its Rules are being finalised, but the compliance clock is already ticking. Here is what forward-thinking organisations should prioritise:
Conduct a data audit — map all personal data collected, processed, and stored
Review and revise consent mechanisms — ensure they meet the Act's standards
Update your privacy notices — they must be plain, clear, and actionable
Build a breach response plan — breach notification is one of the highest-risk areas
Assess whether you qualify as a Significant Data Fiduciary — and prepare accordingly
Train your teams — compliance is organisation-wide, not just a legal or IT function
Engage a legal or compliance expert — the Rules will clarify several ambiguous provisions
FAQs:
Q1. What is the maximum penalty under the DPDP Act?
The maximum penalty under the DPDP Act is ₹200 Crore. This applies to two specific violations: failure to protect children's personal data (processing without verifiable parental consent), and failure to notify the Data Protection Board and affected individuals of a personal data breach.
Q2. Who enforces the DPDP Act and imposes penalties?
The Data Protection Board of India is the adjudicating authority responsible for investigating complaints, determining non-compliance, and imposing financial penalties on Data Fiduciaries.
Q3. What are the DPDP Act compliance requirements for businesses?
Key compliance requirements include: obtaining valid and informed consent before processing personal data, publishing a clear privacy notice, honouring Data Principal rights (access, correction, erasure, grievance redressal), implementing data security safeguards, erasing data when it is no longer needed, reporting breaches promptly, and complying with restrictions on processing children's data.
Q4. What is a Significant Data Fiduciary under the DPDP Act?
A Significant Data Fiduciary is an entity designated by the Central Government based on factors such as the volume and sensitivity of data processed, the risk posed to Data Principals, and the potential impact on India's sovereignty and security. Significant Data Fiduciaries face enhanced obligations, including appointing a DPO, conducting DPIAs, and undergoing independent audits.
Q5. Does the DPDP Act apply to foreign companies?
Yes. The DPDP Act applies to any entity that processes the personal data of individuals in India, even if the entity itself is located outside India. This has significant implications for multinational companies and global SaaS providers serving Indian customers.
Q6. What constitutes a "personal data breach" under the DPDP Act?
While the Act uses the term broadly, a personal data breach generally refers to any unauthorised access, disclosure, alteration, or destruction of personal data that could harm the Data Principal. The exact definition and notification timelines will be clarified in the Rules.
Q7. Can penalties be reduced or waived?
The Data Protection Board has discretion in determining the penalty within the prescribed range. Factors such as the gravity of the violation, mitigating steps taken, degree of cooperation, and whether it is a first-time offence can result in penalties below the maximum. However, no provision for complete waiver exists for serious violations.
Q8. Is there a penalty for not appointing a Data Protection Officer?
Significant Data Fiduciaries that fail to appoint a DPO can face penalties of up to ₹150 Crore under the category of non-fulfilment of obligations of Significant Data Fiduciaries.
Q9. What is the penalty for violating the rights of a Data Principal?
If a Data Fiduciary fails to honour a Data Principal's rights — such as the right to correction, erasure, or grievance redressal — this would typically fall under the general violations category, attracting penalties of up to ₹50 Crore. For Data Principals who violate their own duties (e.g., filing false grievances), the maximum penalty is ₹10,000.
Q10. When will the DPDP Act come into full force?
The DPDP Act, 2023 was passed by Parliament and received Presidential assent, but its full enforcement is contingent on the Central Government notifying the commencement date and finalising the Rules. Businesses should not wait for full enforcement — beginning compliance preparations now is strongly advisable.
Conclusion
The DPDP Act represents India's most comprehensive framework for protecting digital personal data — and its penalty regime signals that the government is serious about enforcement. With fines reaching up to ₹200 Crore, non-compliance is simply not a risk any organisation can afford to take.
The good news is that compliance is achievable. By understanding the DPDP Act compliance requirements, mapping your data flows, strengthening consent mechanisms, and building robust breach response capabilities, your organisation can operate confidently in India's new data protection era.