DPDPA Penalties Explained: Who Gets Fined Rs 250 Crore?

Rs 250 crore is the number that shows up in every DPDPA headline. It appears in boardroom discussions, in compliance briefings, and in news articles that treat it as the definitive stake of getting data protection wrong.
But the number, without context, creates the wrong impression. It makes some businesses feel the law is only meant for large corporations. It makes others feel that any single misstep will cost them the equivalent of a quarter billion rupees. Neither is accurate.
The DPDPA penalty framework is graded, proportionate, and factor-driven. Understanding how it actually works is far more useful than fixating on the maximum number. This blog unpacks the full structure of penalties under the Act, explains what triggers each tier, and makes clear why small and medium businesses are just as exposed as their larger counterparts.
How the Penalty Structure Actually Works
Graded Fines Based on the Nature of the Violation
The Digital Personal Data Protection Act does not impose a single flat fine for all violations. The Data Protection Board of India, which is the enforcement authority under the Act, has the power to impose penalties up to specific caps depending on the type and severity of the breach.
The penalty tiers under the Act work as follows. Failure to implement reasonable security safeguards leading to a personal data breach can attract penalties up to Rs 250 crore. Failure to notify the Data Protection Board and affected individuals about a data breach can attract penalties up to Rs 200 crore. Violations involving the personal data of children, or failure to obtain verifiable parental consent, can attract penalties up to Rs 200 crore. Non-fulfilment of obligations under the Act by a Data Fiduciary or Consent Manager can attract penalties up to Rs 150 crore. Breaching the additional obligations imposed on Significant Data Fiduciaries can attract penalties up to Rs 150 crore. Other violations of provisions of the Act carry penalties up to Rs 50 crore. And individuals who breach the duty to provide accurate information, or who misuse rights under the Act, can face penalties up to Rs 10,000.
These are caps, not automatic fines. The Board will assess the actual penalty based on a range of factors before arriving at a specific number.
What the Board Considers Before Imposing a Fine
The Factors That Determine Your Actual Exposure
The Act is explicit that the Data Protection Board must weigh several considerations before determining a penalty. The nature, gravity, and duration of the violation matter. A brief, contained breach handled quickly is treated differently from a prolonged failure to implement basic safeguards.
The type of personal data involved is relevant. Data belonging to children, or data that is particularly sensitive in nature, will attract more serious scrutiny. The number of Data Principals affected also matters. A breach that affects five users is different from one that affects five million.
Repetition is a significant aggravating factor. A company that has been warned or penalised previously and failed to correct its behaviour will face harsher penalties than one experiencing a first violation. On the other side of the ledger, mitigating steps matter too. Did the organisation have reasonable safeguards in place before the incident? Did it act quickly once the problem was identified? Did it communicate transparently with affected users and with the regulator?
This means that the penalty an organisation actually faces depends heavily on how it responds to a problem, not just on the fact that a problem occurred. Organisations with documented, good-faith compliance programmes are in a meaningfully better position than those that have done nothing.
Why Small Businesses Are Not Protected by Their Size
DPDPA Does Not Have a Small Business Exemption
One of the most persistent misconceptions about DPDPA is that it primarily targets large corporations and that small businesses or startups can defer compliance until they scale up.
This is incorrect. The Act applies to any entity that determines the purpose and means of processing personal data. Size is not a qualifying criterion. A ten-person startup that collects user emails and payment information is a Data Fiduciary under the Act just as much as a multinational corporation with hundreds of millions of users.
The Act does include a provision that allows the government to exempt certain categories of Data Fiduciaries or types of data processing from specific obligations. There have been discussions about simplified compliance pathways for startups and MSMEs. However, as of now, these exemptions have not been notified. They are expected to take effect alongside the core compliance obligations in May 2027, but they remain subject to government notification and are not yet operative.
What this means practically is that every business handling personal data should treat itself as fully subject to the Act until told otherwise. Planning your compliance programme around an exemption that has not yet been confirmed is a risky approach.
The Breach Notification Requirement and Why It Matters
72 Hours Is Not a Lot of Time
One of the most operationally demanding requirements under the DPDP Rules 2025 is breach notification. When a personal data breach occurs, the Data Fiduciary must inform the Data Protection Board and notify all affected individuals without delay. The notification must be in plain language and must explain what happened, what data was compromised, what the potential impact is, and what steps are being taken to address the situation.
The 72-hour window referenced in the regulatory framework is tight. It requires that organisations have a breach detection and response plan in place before an incident occurs. A company that discovers a breach and only then begins drafting its notification process from scratch is unlikely to meet this requirement.
Failure to notify within the required timeframe is itself a violation under the Act, separate from the underlying breach. This means an organisation can face two separate penalty actions, one for the breach itself and one for the failure to report it promptly.
Children's Data Attracts the Strictest Scrutiny
An Area Where Mistakes Are Especially Costly
The Act and the DPDP Rules 2025 include specific and stringent requirements around the processing of personal data belonging to children, defined as individuals under 18 years of age. Data Fiduciaries who process children's data must obtain verifiable parental consent before doing so. They must not process data in ways that are detrimental to the wellbeing of a child.
For edtech platforms, gaming companies, social media services, and apps that are likely to be used by minors, these requirements are not abstract. They require age verification mechanisms and parental consent workflows that are both technically robust and practically workable.
Violations involving children's data carry penalties up to Rs 200 crore, the second highest tier in the Act. The government has signalled clearly that this is an area of heightened regulatory concern.
The Real Cost Is Not the Penalty
Why Reputational Damage Matters More Than Fines
Organisations that focus their attention primarily on the financial penalty risk missing the larger picture. The fine is the quantifiable outcome. The consequences that are harder to quantify are often more damaging.
A publicly investigated data breach erodes user trust in ways that take years to recover from. It invites scrutiny from customers, investors, and business partners. It can trigger contractual penalties from enterprise clients who have their own data protection obligations. It can affect fundraising for startups and valuations for public companies. And it creates a reputational context in which every future privacy-related issue gets amplified.
The Data Protection Board operates as a digital-first body, which means complaint filings, investigations, and outcomes will be visible and trackable in ways that legacy regulatory proceedings were not. The public nature of enforcement is itself a significant incentive for businesses to get compliance right.
Way Forward
The most effective way to manage penalty risk is not to wait for an incident and hope for leniency. It is to build a compliance programme that demonstrates ongoing good-faith effort, even before every obligation has been formally enforced.
Start by conducting a data mapping exercise. Know what personal data your organisation collects, where it is stored, which teams and vendors have access, and what security controls are in place. This visibility is the prerequisite for everything else.
Next, build or review your breach notification protocol. Document who is responsible for identifying a breach, who makes the decision to notify, what the notification must contain, and how it gets delivered to users and to the Board within the required timeframe.
For businesses that process children's data, prioritise the technical and operational work required to implement verifiable parental consent. This is the area of highest regulatory sensitivity and the area where implementation challenges are most complex.
Finally, document your compliance efforts. When the Board investigates a violation, the documented evidence of your organisation's ongoing compliance programme is one of the most important mitigating factors available to you. Organisations that cannot demonstrate prior effort will face penalties towards the upper end of the applicable range.
Conclusion
Rs 250 crore is not the starting point. It is the outermost limit of a graded framework that is designed to be proportionate to the severity of the violation and the conduct of the organisation.
For most businesses, the practical exposure from a first violation handled responsibly will be far below the maximum. But that calculation changes quickly if the violation is severe, if children's data is involved, if notification is delayed, or if the organisation has a prior history of non-compliance.
The better framing is this. Organisations that build responsible data practices, maintain proper documentation, and respond to incidents promptly and transparently rarely face the most serious penalties. The penalty structure is designed to punish negligence and deliberate misconduct. It is not designed to punish organisations that are making a genuine effort.
Make the effort now, while the phased timeline still gives you the runway to do it properly.