DPDP Penalties Decoded: How the ₹250 Crore Maximum Actually Gets Calculated

Manish Garg · Associate of (ISC)² · RingSafe
May 7, 2026
9 min read
Last updated: May 18, 2026

The DPDP Act 2023’s headline ₹250 crore penalty maximum is widely quoted but rarely explained. The Data Protection Board doesn’t actually fine ₹250 crore on most violations — the schedule defines a tiered ceiling per violation type, and actual penalties get calculated against six statutory factors. RingSafe walks through the real calculation methodology, with worked examples for a startup, a mid-sized SaaS, and an enterprise breach scenario, plus what mitigation measures regulators credit at penalty determination time.

Last updated: 7 May 2026 · Reading time: ~15 minutes · Audience: CFOs, GRC leads, board members, founders trying to size their DPDP risk exposure.

The headline number versus the reality

“DPDP penalties go up to ₹250 crore” — you’ve seen this in every cybersecurity vendor pitch since 2024. It’s accurate, but incomplete. Here’s what’s actually in the Act:

| Section / Schedule entry | Maximum penalty | Trigger |
| --- | --- | --- |
| Failure of reasonable security safeguards | ₹250 crore | §8(2) violation leading to breach |
| Failure to notify breach to DPB / Data Principals | ₹200 crore | §8(6) violation |
| Failure to fulfil obligations re children’s data | ₹200 crore | §9 violation |
| Failure of additional Significant Data Fiduciary duties | ₹150 crore | §10 violation (no DPO, no DPIA, no audit) |
| Failure of any other obligation | ₹50 crore | Catch-all |
| Penalty on Data Principal for false / frivolous complaint | ₹10,000 | §15 — yes, citizens can be fined too |

Critical detail: these are maximums, not fixed amounts. Section 33(2) of the Act lists six factors the Data Protection Board must consider when determining the actual penalty. The factors push the figure up or down from the ceiling.

The six factors that decide the actual penalty

Section 33(2) requires the DPB to weigh:

  1. Nature, gravity, and duration of the violation — was it a one-time slip or a months-long failure?
  2. Type and nature of personal data affected — financial, health, biometric, children’s data carry higher weight than general PII.
  3. Whether the violation was repetitive — first offence vs. recurring pattern.
  4. Whether the Data Fiduciary realised gain or avoided loss as a consequence — did they save money by skimping on security?
  5. Whether they took action to mitigate the violation, and the timeliness of that action — fast detection + transparent disclosure reduces the multiplier.
  6. Whether the penalty is proportionate and effective — practical and deterrent.

The factors aren’t separately weighted in the Act, but in practice mature regulators (parallels: GDPR’s Article 83(2), SEBI’s adjudicating officer methodology) tend to treat factors 1, 2 and 5 as the primary drivers. Factor 5 — your response — is the one you control after the breach.

Worked example 1 — Series-A SaaS startup, leaked database

Scenario

A Bengaluru-based B2B SaaS company (~50 employees, ~50,000 customer records). Engineering left a MongoDB instance exposed to the internet without authentication. Researcher discovered it via Shodan, responsibly disclosed. Records exposed: 50,000 user emails, names, hashed passwords, phone numbers, company names. No payment data, no health, no biometric.

Factor analysis

  • Nature/gravity/duration: Misconfiguration. Exposure window: 4 days from researcher’s discovery to remediation. Moderate gravity.
  • Type of data: General PII — not sensitive categories. Lower weight.
  • Repetition: First reported violation. No prior pattern.
  • Gain/loss: The company “saved” roughly ₹0 by skipping network segmentation; this was carelessness rather than a deliberate cost-cutting decision.
  • Mitigation: Acknowledged researcher within 24 hours, fixed misconfiguration in 4 days, notified affected customers within 72 hours, hired external security firm for full audit, published transparent post-incident report. Strong mitigation.
  • Proportionality: ₹250 crore would bankrupt a Series-A startup. Effective deterrent ≠ extinction-level fine.

Likely DPB outcome

Probable penalty range: ₹50 lakh to ₹2 crore. The §8(2) maximum of ₹250 crore is theoretical — the proportionality factor and the strong mitigation behaviour pull it dramatically down. In addition, cases that don’t quite meet the §8(2) threshold of “failure of reasonable security safeguards” fall under the ₹50 crore “any other obligation” cap, and it is debatable whether a misconfigured DB qualifies as a §8(2) failure at all.

Comparison: GDPR has imposed similar penalties for similar misconfigurations on small EU companies — typically €100,000 to €500,000.

Worked example 2 — Mid-sized fintech, insider data theft

Scenario

A Mumbai-based fintech (~500 employees, ~5 million customers). A senior data analyst with database access exfiltrates 2 million customer records to an external buyer over 8 months before being caught. Data: PAN, Aadhaar (masked), bank account numbers (masked), credit scores, transaction patterns, KYC documents.

Factor analysis

  • Nature/gravity/duration: Insider exfiltration over 8 months — failure of access controls, audit logging, anomaly detection. Severe gravity.
  • Type of data: Financial + government ID. Sensitive category. Highest weight.
  • Repetition: First DPDP-era enforcement action, but the Act treats prolonged failure as repetitive in nature.
  • Gain/loss: The Data Fiduciary skipped database activity monitoring (typical cost: ₹50 lakh-2 crore/year for an entity this size) — deliberate cost-saving.
  • Mitigation: Detection only after external tip-off. Notification to DPB within statutory timeline. Customer notification staged over 2 weeks. Forensics conducted. Insider prosecuted. Mitigation rated moderate — fast post-detection but slow detection itself indicates control failures.
  • Proportionality: Mid-sized fintech with material revenue. Penalty must be material enough to be a deterrent — for a company of this size, ₹50 crore-100 crore range becomes proportionate.

Likely DPB outcome

Probable penalty range: ₹40 crore to ₹120 crore. This is in the ₹250 crore §8(2) zone because the failure spans 8 months, involves sensitive data, and reflects deliberate under-investment in monitoring. The mid-range estimate accounts for moderate mitigation. RBI may impose parallel sanctions under its cyber framework. IT Act §43A creates additional civil liability to affected customers.

Worked example 3 — Enterprise health insurer, ransomware

Scenario

A national health insurer (~10,000 employees, ~30 million policyholders). Ransomware attack via a phishing-compromised employee account; attackers exfiltrate before encryption. Affected data: policy numbers, medical claim history, hospital records, prescriptions, treating-doctor names, partial Aadhaar. 30 million records exposed.

Factor analysis

  • Nature/gravity/duration: Catastrophic breach scope. Most severe gravity tier.
  • Type of data: Health data — most sensitive category under DPDP §9(1) read with §10. Highest possible weight.
  • Repetition: Insurer had been issued advisories by IRDAI in prior years on similar control gaps. Treated as repetitive.
  • Gain/loss: Insurer had postponed MFA roll-out for cost reasons (estimated ₹15 crore investment). Deliberate cost avoidance leading to the entry vector.
  • Mitigation: Detection within 48 hours of encryption. Notification to DPB within 72 hours. Customer notification within 30 days. Free credit monitoring offered. Independent forensics published. Proactive engagement with regulators. Strong mitigation — but the magnitude of the breach overshadows.
  • Proportionality: National insurer with multi-thousand-crore revenue. Penalty in single-digit-crore range would not be a deterrent. Penalty must be felt at the executive level.

Likely DPB outcome

Probable penalty range: ₹150 crore to ₹250 crore (full ceiling). Plus ₹150 crore for SDF non-compliance under §10. Plus IRDAI sanctions. Plus potential class-action under IT Act §43A. Plus shareholder litigation (if listed). Plus the soft cost of customer churn — typically 2-5% of book value for an incident of this magnitude.

The Star Health 2024 breach is the closest pre-DPDP precedent — under the old IT Act regime that breach faced limited regulatory penalty. Under DPDP, the same incident in 2026 would credibly attract the maximum.

What mitigation actions actually reduce the penalty multiplier

Factor 5 — “action taken to mitigate” — is the one you control. Based on parallels in GDPR enforcement and SEBI adjudication patterns, the highest-credit mitigation actions are:

  1. Self-detection. Discovering the breach yourself before a third party tells you. Investment in SOC, EDR, anomaly detection, threat hunting pays back here.
  2. Fast, full disclosure to regulator. Within statutory timelines, with all known facts, no spin. Late or partial disclosure is the single biggest penalty multiplier.
  3. Affected-individual notification with substance. Beyond the legal minimum: clear language, specific actions the individual can take, free monitoring/credit-protection where relevant.
  4. Independent forensics with public summary. Hire a credible firm; publish enough of the report that independent observers can verify your account.
  5. Material remediation investment. Not just the immediate fix — sustained investment in the control gap that caused the incident. Document the spend.
  6. Cooperation with the DPB investigation. Open access to logs, executives, systems. Adversarial postures get punished.
  7. No retaliation against the security researcher / whistle-blower / journalist. Suing the person who told you about the breach is the worst possible signal.

What aggravates the penalty

  • Concealment or delay in notification. Treated as additional violation under §8(6).
  • Misleading statements to regulator or customers. Can convert what would have been §8 into criminal exposure under BNS §316 (theft) and §318 (cheating).
  • Threatening the discoverer. Especially with anti-hacking statutes (IT Act §66) when the researcher acted in good faith.
  • Repeated similar incidents. Each subsequent incident’s penalty multiplier increases.
  • Cost-saving as evident motive. Internal documents showing security investment was deferred for budget reasons are damaging at adjudication.
  • Material misrepresentation in Significant Data Fiduciary self-classification. SDF status triggers higher obligations; under-classifying yourself to avoid them is an aggravating factor.

Cyber insurance and DPDP — what’s actually covered

A common misconception: “we have cyber insurance, so the DPDP penalty is covered”. Mostly false.

  • Regulatory penalties are not covered by most Indian cyber policies — Indian insurance regulation prohibits insuring against penalties imposed for one’s own legal violations.
  • Defence costs (legal fees, regulatory response, forensics) are typically covered.
  • Third-party liability (compensation to affected individuals under §43A) is typically covered up to policy limit.
  • Business interruption from the incident is typically covered.
  • Ransom payment coverage varies — and is increasingly excluded if the threat actor is sanctions-listed (US OFAC issue).

Read the policy. Most CFOs over-estimate their cyber-insurance coverage of regulatory penalties by 5-10x.

How to reduce your DPDP penalty exposure

The cheapest path to lower exposure is investing in factors that the DPB credits at adjudication. In rough order of cost-effectiveness:

  1. Detection & logging infrastructure. SIEM, audit logs, anomaly detection. Self-detection is the highest-credit mitigation.
  2. MFA on all privileged access. Eliminates the most common breach vector. Cost: low.
  3. Encryption at rest with HSM-backed keys. A breach of encrypted data with secure key management is sometimes treated as not a “personal data breach” for §8(6) purposes.
  4. Tested incident-response runbook. Quarterly tabletop. The difference between “we had a plan” and “we executed a plan” is felt in the adjudication.
  5. External annual security audit. CERT-In empanelled auditor — produces evidence of “reasonable security practices” being maintained.
  6. DPO function (even if not yet SDF). Demonstrates good-faith effort.
  7. Privacy-by-design in product. Data minimisation at collection prevents the worst breach scenarios.
  8. Vendor risk programme. Most breaches involve a sub-processor — managing that risk reduces your exposure.

What this means for your board / CFO

  • The ₹250 crore figure is the maximum, not the expected loss. For most companies, expected DPDP penalty exposure is in the ₹1-50 crore range depending on size, sensitivity of data, and current control maturity.
  • Penalty risk is materially reducible through factor-5 mitigation investments — typically 3-5x return on each rupee spent on detection / response infrastructure.
  • Cyber insurance does not cover regulatory penalties — budget separately.
  • Repeated minor incidents compound faster than one major one — investing in foundational controls is more cost-effective than large one-time programmes after the first incident.
  • Self-classification as SDF is consequential — under-classification is itself a violation.

RingSafe DPDP Penalty Calculator

We built a free calculator that estimates your worst-case DPDP exposure based on data volume, sensitivity, current control maturity, and incident history. Takes 2 minutes, generates a one-page report you can share with your CFO or board.

What to do this week

  1. Run the penalty calculator. Get a baseline exposure estimate.
  2. Self-classify SDF status. Document the decision and the basis. If borderline, classify up.
  3. Review your incident-response runbook. Specifically the DPB notification path. Have you drafted the template? Who signs off on it?
  4. Audit your detection capability. If a determined insider exfiltrated data tonight, when would you find out? If “we wouldn’t until told” — that’s your highest-priority control gap.
  5. Review your cyber insurance. Specifically the regulatory-penalty exclusion language. Most policies are silent on DPDP — get an opinion from your broker.
  6. Book a DPDP exposure assessment. External, structured. Get one quote here.
