DPDP Penalty Structure: What ₹250 Crore Actually Means

Manish Garg, Associate CISSP · RingSafe
April 19, 2026
8 min read

The ₹250 crore headline is the marketing version of DPDP’s penalty structure. It is the number that reliably appears in compliance-officer presentations and board-level summaries. It is also misleading if read as a single monolithic threat. Understanding how DPDP penalties actually work — when they apply, how they are calibrated, what makes them larger or smaller, and what structurally limits them — is essential for any compliance programme that aims to be more than theatre.

The full penalty schedule

DPDP’s penalty caps are in the Schedule to the Act. Each cap applies to a specific category of contravention:

  • ₹250 crore — failure to take reasonable security safeguards (§8(5))
  • ₹200 crore — failure to notify the Board or affected Data Principals of a personal data breach (§8(6))
  • ₹200 crore — non-fulfilment of additional obligations in relation to children (§9)
  • ₹150 crore — non-fulfilment of additional obligations of Significant Data Fiduciaries (§10)
  • ₹50 crore — non-fulfilment of duties of Data Principals (₹10,000 per individual for Principal-side contraventions, far lower than Fiduciary-side)
  • ₹50 crore — breach of voluntary undertaking
  • ₹50 crore — any other contravention of provisions

These are maximum caps, not default penalties. The actual penalty is determined by the Data Protection Board based on statutory factors laid out in §33(2).

What drives the size of a penalty

The Board must consider six statutory factors in determining the quantum:

  1. The nature, gravity, and duration of the contravention
  2. The type and nature of personal data affected
  3. The repetitive nature of the default
  4. Whether the entity has made any gain from the default
  5. The nature and extent of harm caused to Data Principals
  6. The entity’s action to mitigate the effects of the contravention, and whether the action was taken in a timely manner

What this means practically: a breach of sensitive data (health records, financial credentials) affecting millions of Principals, where the Fiduciary delayed notification and took no remediation action, is at the high end. A breach of limited-sensitivity data affecting a small population, where the Fiduciary notified promptly and remediated, is at the low end. The range between the two on identical facts is genuinely large — orders of magnitude.

Aggregation — and why it matters

The penalty schedule is per contravention, not per Principal. A single breach affecting ten million Principals is one contravention of §8(5), not ten million. The cap is ₹250 crore for that contravention.

But simultaneous or sequential contraventions of different provisions are separate. A Fiduciary that:

  • Failed to take reasonable safeguards (₹250 Cr cap), and
  • Failed to notify the breach within the required timeline (₹200 Cr cap), and
  • (If applicable) is an SDF that failed to perform required DPIA (₹150 Cr cap)

…is theoretically exposed to ₹600 crore in aggregate. In practice, the Board will consider whether these arose from the same underlying facts and calibrate accordingly — but the ceiling is the sum, not the largest component.

How “reasonable security safeguards” will be defined

The ₹250 crore cap attaches to failure to take “reasonable” safeguards. “Reasonable” is the load-bearing word, and its interpretation will be the subject of the first generation of DPDP case law. Based on the 2025 Rules and early Board guidance, the practical baseline is shaping up as:

  • Access controls aligned with role-based access principles
  • Encryption of personal data at rest and in transit
  • Security incident response capability with documented procedures
  • Vulnerability management programme with regular testing
  • Employee training on personal data handling
  • Vendor governance over processors handling personal data
  • Logging and audit trail sufficient to investigate incidents
  • Business-continuity and data-backup practices

This is functionally a subset of ISO 27001 controls, mapped to personal-data protection. Organizations with a mature ISO 27001 or SOC 2 programme will be able to demonstrate “reasonable” compliance with most of this. Organizations with ad-hoc security will not.

The mitigating factor for penalty calibration is explicit: the Board will consider whether the Fiduciary acted in a timely manner to mitigate the effects. Post-breach, the difference between a 30-day remediation plan executed and a 180-day remediation plan stalled at policy writing will be visible in the penalty number.

Breach notification — the 72-hour penalty

The ₹200 crore cap on §8(6) contraventions is the one most organizations will trip on first, because breach notification is where operational discipline and regulatory alignment most often diverge.

The Rules specify 72 hours from awareness. Common failure modes:

  • Delayed internal awareness — the SOC detects an anomaly on day 1, but escalation to the DPO happens on day 8 because the chain of notification inside the company is broken
  • Waiting for certainty — the legal team wants to know exactly what was exfiltrated before notifying; forensics takes 14 days; notification is 11 days late
  • Narrow interpretation of “personal data breach” — treating availability incidents (ransomware that locks but does not exfiltrate) as not requiring notification
  • Incomplete notification scope — notifying the Board but not the affected Principals, or vice versa

The penalty structure rewards the opposite of each of these: internal escalation that gets the DPO informed within hours of detection, breach-notification playbooks that permit provisional disclosure with later update, broad interpretation of what counts as a breach, and complete notification to both Board and Principals in parallel.
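The 72-hour clock and the four failure modes above lend themselves to a simple incident-tracker check. The following is an added example, not code from the post or from RingSafe; it assumes the clock starts at SOC detection (the most conservative reading of "awareness") and an internal target of 24 hours for SOC-to-DPO escalation, both of which are the author's assumptions here rather than anything the Rules state. The two scenarios are constructed from the numbers in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

NOTIFY_WINDOW = timedelta(hours=72)      # Rules: 72 hours from awareness
ESCALATION_TARGET = timedelta(hours=24)  # assumed internal target for SOC -> DPO escalation

@dataclass
class BreachRecord:
    # Clock start; assumed here to be SOC detection time (the conservative reading of "awareness")
    aware_at: datetime
    dpo_informed_at: Optional[datetime] = None
    board_notified_at: Optional[datetime] = None
    principals_notified_at: Optional[datetime] = None
    availability_only: bool = False   # e.g. ransomware that locked data with no sign of exfiltration
    treated_as_breach: bool = True    # False = the narrow interpretation the post warns against

def days_late(rec, notified_at):
    """Days past the 72-hour deadline (0.0 if on time, None if never notified)."""
    if notified_at is None:
        return None
    overrun = notified_at - (rec.aware_at + NOTIFY_WINDOW)
    return max(overrun.total_seconds() / 86400, 0.0)

def assess(rec):
    """Flag which of the post's failure modes this record exhibits."""
    findings = []
    if rec.dpo_informed_at is None or rec.dpo_informed_at - rec.aware_at > ESCALATION_TARGET:
        findings.append("delayed-internal-awareness")
    if rec.availability_only and not rec.treated_as_breach:
        findings.append("narrow-breach-interpretation")
    for who, ts in (("board", rec.board_notified_at), ("principals", rec.principals_notified_at)):
        late = days_late(rec, ts)
        if late is None:
            findings.append(f"incomplete-scope:{who}-not-notified")
        elif late > 0:
            findings.append(f"late-notification:{who}:{late:g}d")
    return findings

def worst_case():
    """Constructed: SOC detects day 1, DPO told day 8, forensics take 14 days, Principals never told."""
    t0 = datetime(2026, 6, 1, 9, 0)
    return BreachRecord(aware_at=t0, dpo_informed_at=t0 + timedelta(days=7),
                        board_notified_at=t0 + timedelta(days=14))

def playbook_case():
    """Constructed: DPO told within hours, provisional notice to Board and Principals on day 2."""
    t0 = datetime(2026, 6, 1, 9, 0)
    return BreachRecord(aware_at=t0, dpo_informed_at=t0 + timedelta(hours=3),
                        board_notified_at=t0 + timedelta(days=2), principals_notified_at=t0 + timedelta(days=2))
```

Running `assess(worst_case())` reproduces the post's arithmetic (Board notified 11 days late, Principals not at all), while `assess(playbook_case())` returns no findings.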

Children’s data — the under-appreciated ₹200 Cr exposure

Every edtech platform, every gaming app, every social product that has any under-18 users is in scope for §9 obligations. The requirements (verifiable parental consent, prohibition on targeted tracking and advertising of children) are non-negotiable.

Organizations that rely on “our product is not for children” self-declarations without enforcing age gates will be exposed. The expected enforcement pattern is: a regulator identifies that a product markets to, or has significant uptake by, under-18 users; the Board inquires into age-verification and parental-consent practices; if those are absent, §9 contravention is found.

The cap is ₹200 crore. The risk profile for any consumer product with young users that has not specifically built compliant parental-consent flows is substantial.

SDF obligations — ₹150 Cr for governance failures

Once designated as a Significant Data Fiduciary, additional obligations attach: DPO appointment, independent data auditor, DPIAs, and other prescribed measures. Non-fulfilment is capped at ₹150 crore.

The operational risk is that SDF designation is retrospective — once the Fiduciary is notified, the obligations attach immediately. Organizations that treat SDF readiness as something to build after designation notice will be behind from day one and exposed to compliance penalties while building the programme. The expected pattern: plan for SDF readiness if your scale or sensitivity profile puts you in the likely-designation band.

The voluntary undertaking — penalty avoidance mechanism

One of DPDP’s more interesting provisions is §32, which allows the Board to accept a voluntary undertaking from a person in relation to any matter being inquired into. If accepted, the Board may — instead of issuing a penalty — accept the undertaking as resolution of the matter. Breach of the undertaking itself is a penalizable contravention (cap: ₹50 crore).

Practical implication: an organization that acknowledges deficiencies, commits to a specified remediation programme, and accepts monitoring can potentially avoid the headline penalty in exchange for an enforceable undertaking. This is the DPDP equivalent of the consent-decree mechanism familiar from competition law, and it is the likely outcome for first-offender cases where the organization is credible about remediation.

What the first enforcement actions will look like

Based on regulator-behaviour patterns across other Indian regulatory regimes and the early signals from the Data Protection Board, the first generation of DPDP enforcement is likely to follow a predictable shape:

  • First six months of active enforcement (Q4 2026 – Q1 2027) — notice actions, advisory letters, and compliance-improvement orders against mid-profile offenders. Few penalty orders. Significant public commentary designed to clarify interpretation.
  • Months 7–12 (Q2–Q3 2027) — first penalty orders. Initially in the ₹5–50 crore range against clear-cut cases: unnotified breaches, blatant consent failures, egregious children’s-data violations. The headlines will be smaller than ₹250 crore but will establish precedent.
  • Months 13–24 (Q4 2027 – 2028) — penalty scale rises as the Board develops confidence in its interpretation and as high-profile breach cases mature through the notice-and-inquiry process. First ₹100-crore-plus orders.

Organizations tend to treat DPDP as an abstract threat. The regulatory signal is that by late 2026 it will be operational and by 2027 it will be imposing real costs.

The numbers behind the numbers

For compliance programmes competing for budget, the useful conversion is: what is the expected penalty exposure in rupees, and how does that compare to the cost of compliance?

A rough model for a mid-market Indian SaaS processing data of ~1 million Principals, without children’s data or SDF exposure:

  • Probability of a reportable breach in a 5-year horizon: ~15–25% for typical-maturity SaaS
  • Probability of post-breach penalty: high, given enforcement priority
  • Expected penalty range given “reasonable” safeguards deficiency: ₹10–75 crore
  • Expected penalty range with safeguards documented and breach notified on time: ₹2–15 crore (voluntary undertaking plausible at lower end)

The delta between these outcomes — roughly an order of magnitude — is the value of a working DPDP programme. It is also the business case for the programme itself: the annualized cost of meaningful compliance (data mapping, consent overhaul, security baseline, breach readiness) for a mid-market SaaS is ₹40 lakh–₹1.5 crore. The delta on expected penalty is substantially larger.
