What is the Maximum Penalty Under the DPDP Act?

By Gaurav, 29-06-2026

India's Digital Personal Data Protection (DPDP) Act, 2023 marks a watershed moment in the country's data governance landscape. For businesses operating in India — or handling the personal data of Indian residents — understanding the maximum penalties under this law is no longer optional. It is a business imperative.

This guide breaks down everything you need to know: the penalty structure, what triggers maximum fines, DPDP Act compliance requirements, and how organisations can proactively protect themselves.

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted by the Indian Parliament to govern the collection, processing, storage, and transfer of digital personal data. The entity that decides the purpose and means of processing is called a Data Fiduciary. The Act applies to the processing of digital personal data within India, and also to processing outside India when it is connected with offering goods or services to individuals in India, so a foreign business serving Indian users is covered even if none of its systems are located in the country.

The Act establishes rights for Data Principals (individuals whose data is collected) and obligations for Data Fiduciaries. It also creates the Data Protection Board of India as the adjudicating authority empowered to investigate complaints and impose penalties.

Overview of the Penalty Framework

The DPDP Act does not follow a one-size-fits-all penalty model. It lays out a tiered penalty structure in the Schedule to the Act (read with Section 33), with a different maximum fine for each category of violation. Every figure in the Schedule is a ceiling ("may extend to"), not a fixed amount.

Maximum Penalty     Violation Category

₹250 Crore          Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5))

₹200 Crore          Failure to notify the Data Protection Board and affected Data Principals of a personal data breach (Section 8(6))

₹200 Crore          Failure to observe the additional obligations for children's data, including verifiable parental consent (Section 9)

₹150 Crore          Non-fulfilment of the additional obligations of Significant Data Fiduciaries (Section 10)

Up to the amount    Breach of a term of a voluntary undertaking accepted by the Board (Section 32); the ceiling is the penalty
for the original    that applied to the breach the undertaking was given for
breach

₹10,000             Violation of the duties of a Data Principal (Section 15)

₹50 Crore           Breach of any other provision of the Act or its Rules

Note: 1 Crore = 10 Million Indian Rupees, so ₹250 Crore is ₹2.5 billion and ₹200 Crore is ₹2 billion. At current exchange rates these are roughly USD 30 million and USD 24 million respectively.

What is the Maximum Penalty Under the DPDP Act?

The highest penalty in the Schedule is ₹250 Crore (₹2.5 billion), and it attaches to a single failure: not having reasonable security safeguards in place. Two further categories carry a maximum of ₹200 Crore.

1. Failure to Take Reasonable Security Safeguards

Section 8(5) requires every Data Fiduciary to protect the personal data in its possession or under its control, including data it has handed to a Data Processor, through reasonable security safeguards to prevent a personal data breach. A breach of this obligation attracts a penalty of up to ₹250 Crore, the top of the Schedule. For security teams this is the provision that matters most: the Act penalises the absence of adequate controls, not merely the breach that results from it, so an incident investigation will look at what safeguards existed before the breach, not only at how the breach was handled.

2. Failure to Safeguard Children's Data

Any Data Fiduciary that processes the personal data of a child (under 18 years of age) without verifiable parental consent, or that engages in tracking, behavioural monitoring, or targeted advertising directed at children, can face a penalty of up to ₹200 Crore. This reflects the legislature's strong intent to protect minors in digital ecosystems.

3. Failure to Report a Personal Data Breach

Under Section 8(6), a Data Fiduciary must notify both the Data Protection Board and each affected Data Principal in the event of a personal data breach. Failure to do so, whether through delay, suppression, or negligence, can attract a penalty of up to ₹200 Crore.

Taken together, the two highest tiers cover the full incident lifecycle: the ₹250 Crore tier covers the preventive controls, and the ₹200 Crore breach-notification tier covers detection, incident response, and notification. A breach that was neither prevented nor reported can therefore be penalised under both.

Other Key Penalties You Must Know

₹150 Crore — Significant Data Fiduciaries

Entities designated as Significant Data Fiduciaries (SDFs) carry additional obligations, including:

Appointing a Data Protection Officer (DPO) based in India

Conducting periodic Data Protection Impact Assessments (DPIAs)

Undertaking periodic audits by independent data auditors

Ensuring algorithmic accountability and verifiability

Non-compliance with these enhanced obligations can result in penalties of up to ₹150 Crore.

₹50 Crore — General Violations

Any contravention of the DPDP Act's provisions or its associated Rules that does not fall under a specific higher-penalty category carries a maximum fine of ₹50 Crore. This catch-all provision is broad and could apply to failures around consent management, privacy notices, cross-border transfer restrictions, data retention and erasure, or honouring Data Principals' rights.

₹10,000 — Data Principal Violations

The Act is not exclusively aimed at businesses. Data Principals themselves have duties — including not filing false grievances or furnishing fraudulent information. Violations by individuals attract fines of up to ₹10,000.

What Factors Influence Penalty Determination?

The Data Protection Board does not automatically impose the maximum penalty. Under Section 33(1) it may impose a monetary penalty only where, after an inquiry and after giving the person an opportunity of being heard, it finds the breach to be significant. Section 33(2) then lists the factors the Board must consider when determining the quantum of penalty:

Nature, gravity, and duration of the breach

Type and nature of the personal data affected (the Act does not define a separate "sensitive" category, but the nature of the data is still weighed)

Repetitive nature of the breach

Whether the Data Fiduciary realised a gain or avoided a loss as a consequence of the breach

Mitigating actions taken by the Data Fiduciary, and how timely and effective they were (such as quick breach notification or voluntary remediation)

Whether the penalty is proportionate and effective, having regard to the need to secure observance of the Act and to deter breaches

The likely impact of the penalty on the person

Organisations that demonstrate proactive compliance, quick remediation, and good-faith cooperation with the Board are likely to face lower penalties within the prescribed range.

DPDP Act Compliance Requirements: A Practical Checklist

Avoiding penalties begins with understanding — and implementing — the DPDP Act's compliance requirements. Here is what Data Fiduciaries must do:

1. Obtain Valid, Informed Consent

Consent must be:

Free, specific, informed, unconditional, and unambiguous

Obtained through a clear affirmative action (not pre-ticked boxes)

As easy to withdraw as it is to give

A Consent Manager, an entity registered with the Data Protection Board, may be used by Data Principals to give, manage, review, and withdraw consent through a single interface; the Consent Manager is accountable to the Data Principal and acts on their behalf.

2. Publish a Clear Privacy Notice

Before or at the time of collecting personal data, the Data Fiduciary must provide a notice explaining:

What data is being collected

The purpose of processing

How Data Principals can exercise their rights

Contact information for the Data Protection Officer

3. Honour Data Principal Rights

The DPDP Act grants individuals the following rights, which Data Fiduciaries must facilitate:

Right to access information about the data processed

Right to correction and erasure of inaccurate or outdated data

Right to grievance redressal with timely response mechanisms

Right to nominate a nominee who can exercise rights on their behalf in case of death or incapacity

4. Implement Data Security Safeguards

Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches (Section 8(5)). This obligation extends to data processed by a Data Processor on the Fiduciary's behalf, so vendor and cloud contracts need to flow the requirement down. While the Act itself does not prescribe specific technical standards, the Board will expect industry-appropriate measures such as encryption or masking of stored personal data, access controls, logging and monitoring capable of detecting unauthorised access, and regular testing such as penetration tests. This is the ₹250 Crore tier, the highest in the Act, so the safeguards should be documented and evidenced, not merely in place.

5. Report Breaches Promptly

In the event of a breach, the Data Fiduciary must notify:

The Data Protection Board (with full details of the breach, its impact, and remediation steps)

Affected Data Principals (in a clear, non-technical language)

The notification timelines will be specified in the Rules under the Act. Delays or omissions can attract the maximum penalty of ₹200 Crore.

6. Erase Data When No Longer Needed

Data must be erased once the purpose of processing is fulfilled or the Data Principal withdraws consent, unless retention is required by law (Section 8(7)). Data Fiduciaries cannot retain personal data indefinitely, and the same erasure obligation must be passed on to any Data Processor holding the data.

7. Restrictions on Processing Children's Data

Organisations must:

Obtain verifiable parental consent before processing any data of a child

Not engage in tracking, profiling, or behavioural advertising targeting minors

Not undertake any processing that is likely to cause a detrimental effect on the well-being of a child

8. Additional Requirements for Significant Data Fiduciaries

If designated as a Significant Data Fiduciary, additional obligations apply:

Appoint a Data Protection Officer (DPO) (based in India)

Engage an independent data auditor for periodic audits

Conduct Data Protection Impact Assessments (DPIAs)

Ensure algorithmic accountability for processing activities

Cross-Border Data Transfer Rules

The DPDP Act permits transfer of personal data outside India, except to countries or territories notified by the Central Government as restricted (Section 16). This is a negative-list framework: businesses can transfer data internationally unless the destination is on the restricted list. Any stricter transfer restriction under another Indian law (for example, sectoral rules) continues to apply alongside the DPDP Act.

Organisations conducting cross-border transfers should monitor the evolving list of restricted countries and ensure contractual safeguards are in place.

The Data Protection Board of India

The Data Protection Board of India is the statutory body responsible for:

Adjudicating complaints from Data Principals and references from the Central Government

Investigating personal data breaches

Directing remedial action and imposing penalties

Maintaining a register of Consent Managers

The Board functions as a digital office, and proceedings may be conducted electronically. Its decisions are appealable before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Key Takeaway: What Should Businesses Do Right Now?

The DPDP Act and its Rules are being finalised, but the compliance clock is already ticking. Here is what forward-thinking organisations should prioritise:

Conduct a data audit — map all personal data collected, processed, and stored

Review and revise consent mechanisms — ensure they meet the Act's standards

Update your privacy notices — they must be plain, clear, and actionable

Build a breach response plan — breach notification is one of the highest-risk areas

Assess whether you qualify as a Significant Data Fiduciary — and prepare accordingly

Train your teams — compliance is organisation-wide, not just a legal or IT function

Engage a legal or compliance expert — the Rules will clarify several ambiguous provisions

FAQs:

Q1. What is the maximum penalty under the DPDP Act? 

The maximum penalty under the DPDP Act is ₹250 Crore, for failure to take reasonable security safeguards to prevent a personal data breach. The next tier, ₹200 Crore, applies to two violations: failure to observe the additional obligations for children's personal data (including verifiable parental consent), and failure to notify the Data Protection Board and affected individuals of a personal data breach.

Q2. Who enforces the DPDP Act and imposes penalties? 

The Data Protection Board of India is the adjudicating authority responsible for investigating complaints, determining non-compliance, and imposing financial penalties on Data Fiduciaries.

Q3. What are the DPDP Act compliance requirements for businesses? 

Key compliance requirements include: obtaining valid and informed consent before processing personal data, publishing a clear privacy notice, honouring Data Principal rights (access, correction, erasure, grievance redressal), implementing data security safeguards, erasing data when it is no longer needed, reporting breaches promptly, and complying with restrictions on processing children's data.

Q4. What is a Significant Data Fiduciary under the DPDP Act? 

A Significant Data Fiduciary is an entity designated by the Central Government based on factors such as the volume and sensitivity of data processed, the risk posed to Data Principals, and the potential impact on India's sovereignty and security. Significant Data Fiduciaries face enhanced obligations, including appointing a DPO, conducting DPIAs, and undergoing independent audits.

Q5. Does the DPDP Act apply to foreign companies? 

Yes. The DPDP Act applies to any entity that processes the personal data of individuals in India, even if the entity itself is located outside India. This has significant implications for multinational companies and global SaaS providers serving Indian customers.

Q6. What constitutes a "personal data breach" under the DPDP Act? 

While the Act uses the term broadly, a personal data breach generally refers to any unauthorised access, disclosure, alteration, or destruction of personal data that could harm the Data Principal. The exact definition and notification timelines will be clarified in the Rules.

Q7. Can penalties be reduced or waived? 

The Data Protection Board imposes a monetary penalty only where it finds the breach to be significant, and within the prescribed ceiling it has discretion. Factors such as the gravity of the violation, mitigating steps taken, and whether it is a first-time offence can result in penalties well below the maximum. Separately, under Section 32 the Board may accept a voluntary undertaking from the person under inquiry (for example, a binding commitment to remediate), after which proceedings on that matter are barred; breaching the undertaking is itself treated as a breach of the Act, penalised up to the amount applicable to the original violation. There is no general provision for waiving a penalty once it has been imposed, other than appeal to the TDSAT.

Q8. Is there a penalty for not appointing a Data Protection Officer? 

Significant Data Fiduciaries that fail to appoint a DPO can face penalties of up to ₹150 Crore under the category of non-fulfilment of obligations of Significant Data Fiduciaries.

Q9. What is the penalty for violating the rights of a Data Principal? 

If a Data Fiduciary fails to honour a Data Principal's rights — such as the right to correction, erasure, or grievance redressal — this would typically fall under the general violations category, attracting penalties of up to ₹50 Crore. For Data Principals who violate their own duties (e.g., filing false grievances), the maximum penalty is ₹10,000.

Q10. When will the DPDP Act come into full force? 

The DPDP Act, 2023 was passed by Parliament and received Presidential assent, but its full enforcement is contingent on the Central Government notifying the commencement date and finalising the Rules. Businesses should not wait for full enforcement — beginning compliance preparations now is strongly advisable.

Conclusion

The DPDP Act represents India's most comprehensive framework for protecting digital personal data, and its penalty regime signals that the government is serious about enforcement. With fines reaching up to ₹250 Crore for inadequate security safeguards and ₹200 Crore for unreported breaches or mishandled children's data, non-compliance is simply not a risk any organisation can afford to take.

The good news is that compliance is achievable. By understanding the DPDP Act compliance requirements, mapping your data flows, strengthening consent mechanisms, and building robust breach response capabilities, your organisation can operate confidently in India's new data protection era.
