Home/Resources/DPDPA Penalties Explained: How the ₹250 Crore Ceiling Actually Gets Applied
Digital & E-Commerce Legal Support6 MIN READLast updated: July 2026

DPDPA Penalties Explained: How the ₹250 Crore Ceiling Actually Gets Applied

Every article about India’s data protection law leads with the same number: 250 crore rupees. It appears in headlines, vendor pitch decks, and worried board presentations. What almost nobody explains is how that number would actually be applied to a real company that has a real bad day. Is it automatic? Is it per user? Could a ten person startup genuinely face it?

DPDPA Penalties Explained: How the ₹250 Crore Ceiling Actually Gets Applied article image

Quick Answer

Every article about India’s data protection law leads with the same number: 250 crore rupees. It appears in headlines, vendor pitch decks, and worried board presentations. What almost nobody explains is how that number would actually be applied to a real company that has a real bad day. Is it automatic? Is it per user? Could a ten person startup genuinely face it? Let us fix that. This article walks through the full penalty schedule under the Digital Personal Data Protection Act, 2023, the process the Data Protection Board of India must follow before a single rupee is imposed, the six statutory factors that scale a penalty up or down, and what all of this means for how you should prioritise your compliance spend before the enforcement date of 13 May 2027.

  • The DPDP Act’s penalties are a graded schedule of ceilings, 250 crore for security failures, 200 crore for breach notification and children’s data violations, 150 crore for SDF lapses, 50 crore for the rest, applied by a Board that must hear you and weigh six statutory factors before fixing any amount. The design rewards demonstrable diligence: reasonable safeguards, fast honest notification, documented mitigation. Spend your compliance budget in the order the schedule implies, and the headline number stays what it should be, a headline about somebody else.
DPDPA Penalties Explained: How the ₹250 Crore Ceiling Actually Gets Applied supporting image
Related documentation

The penalty schedule: five ceilings, not one

The Act’s Schedule sets maximum penalties for different categories of breach. Think of them as ceilings, not price tags. The headline ceiling of up to 250 crore rupees applies to one specific failure: not taking reasonable security safeguards to prevent a personal data breach. Read that carefully, because it tells you where the legislature thinks the gravest risk lies. The biggest number in the statute is attached to security hygiene, not to paperwork. Up to 200 crore rupees applies to failing to notify the Data Protection Board and affected individuals when a personal data breach occurs. Notice the design: the breach itself falls under the 250 crore ceiling if your safeguards were unreasonable, and hiding the breach is a separate 200 crore exposure. A company that gets breached and stays silent can be hit under both heads. Up to 200 crore rupees also applies to violating the obligations around children’s data, such as processing a child’s data without verifiable parental consent or running targeted advertising at children. Up to 150 crore rupees applies to Significant Data Fiduciaries that breach their additional obligations, the DPO appointment, audits, and impact assessments we cover in our article on SDF classification. Up to 50 crore rupees is the residual ceiling for breaching any other provision of the Act or Rules. And in a detail that surprises people, Data Principals themselves, meaning individuals, can be fined up to 10,000 rupees for breaching their duties, for instance by filing a false or frivolous complaint.

Who imposes the penalty, and how

Penalties are imposed by the Data Protection Board of India, a digital first adjudicating body that became operational when the DPDP Rules, 2025 were notified in November 2025. The Board is not a court, and DPDPA penalties are not criminal fines; they are civil monetary penalties, and the Act notably contains no imprisonment provisions. The process has guardrails. The Board must conduct an inquiry, and it can only impose a penalty after giving the person concerned an opportunity of being heard. Its determination must find that the breach is significant. Appeals from the Board go to the Telecom Disputes Settlement and Appellate Tribunal, and from there the usual judicial ladder applies. In other words, a penalty is the end of a process, not a lightning strike. The Board also has a gentler tool worth knowing about: it can accept voluntary undertakings from companies, essentially binding commitments to fix problems, and acceptance can bar penalty proceedings on those facts. For a company that discovers its own lapse, walking to the regulator with a credible remediation plan may be the cheapest legal strategy available.

The six factors that set the actual number

Section 33(2) requires the Board to weigh six factors when fixing the amount, and this is where the ceilings become real numbers. The nature, gravity, and duration of the breach. A misconfigured server exposed for six hours reads very differently from one exposed for six months. The type and nature of the personal data affected. Leaked newsletter emails and leaked health records are different universes. Whether the breach is repetitive. A second offence changes everything about how the Board will view you. Whether the person gained or avoided loss through the breach. Cutting security costs and pocketing the savings is an aggravating factor with a paper trail. Whether you mitigated, and how fast. The company that detected, contained, notified, and fixed within days has a powerful story; the company that learned about its breach from a journalist does not. And proportionality, whether the penalty is effective and proportionate to securing future compliance. Under Section 33(3), the Board may also reduce or increase the penalty up to twice the quantum otherwise determined in appropriate cases, which means aggravation can push a figure sharply upward within the ceiling. Now run two companies through this machine. Company A suffers a sophisticated attack despite encryption, access controls, audits, and a tested response plan. It notifies users and the Board promptly. Even under the 250 crore ceiling, every Section 33 factor argues for a modest outcome, and its safeguards may well be found reasonable, meaning no penalty under that head at all. Company B stored passwords in plain text, ignored a security researcher’s warning for a year, and notified nobody. Same ceiling, opposite trajectory, and the notification failure adds a second head of penalty. The lesson: the ceilings measure the worst case, but the factors measure you.

What this means for your compliance budget

Read the schedule as a priority list written by Parliament. Security safeguards carry the biggest number, so encryption, access control, logging, and vendor security clauses are your first spend. Breach detection and notification readiness carry the second biggest number, so build and rehearse an incident response plan; the DPDP Rules expect intimation to affected users without delay and a detailed report to the Board within seventy two hours. Children’s data sits at the same level, so if minors can use your product, verifiable parental consent is not a nice to have. Everything else matters, but the statute has told you the order.

Can AI help you avoid penalties?

In the two highest penalty zones, meaningfully yes. AI driven security tools detect anomalies, flag unusual data access, and catch misconfigurations far faster than periodic human review, which speaks directly to the reasonable safeguards standard behind the 250 crore ceiling. AI can also accelerate breach response, identifying affected records in hours instead of weeks, which supports timely notification under the 200 crore head. The caution is equally direct: whether a safeguard was reasonable and whether an incident legally qualifies as a notifiable personal data breach are judgment calls with statutory consequences, and an AI tool’s confident classification is not a legal opinion. Automate detection and drafting; route the decisions through a qualified human, because the Board will judge your choices, not your software’s.

When to Review This

  • The DPDP Act’s penalties are a graded schedule of ceilings, 250 crore for security failures, 200 crore for breach notification and children’s data violations, 150 crore for SDF lapses, 50 crore for the rest, applied by a Board that must hear you and weigh six statutory factors before fixing any amount. The design rewards demonstrable diligence: reasonable safeguards, fast honest notification, documented mitigation. Spend your compliance budget in the order the schedule implies, and the headline number stays what it should be, a headline about somebody else.

Disclaimer

This article is for general information only and is not legal advice. Penalty exposure depends on your specific facts, so take professional advice before acting.

CLARITY

Common Questions

Is the 250 crore rupee penalty automatic for every data breach?

No. It is the ceiling for one category, failure to take reasonable security safeguards, and applies only after an inquiry, a hearing, and a weighing of the six Section 33 factors. A company with genuinely reasonable safeguards that still suffers a breach may face no penalty under that head.

Can individuals be jailed under the DPDPA?

No. The Act provides civil monetary penalties only. It contains no imprisonment provisions, unlike some earlier drafts of Indian privacy legislation.

Who receives the penalty amount?

Penalties are credited to the Consolidated Fund of India. Notably, the Act does not create a compensation route for affected individuals through the Board, a deliberate change from the older Section 43A regime under the IT Act.

Can a small startup really face crore level penalties?

The ceilings apply to all Data Fiduciaries regardless of size, but proportionality is a mandatory factor, and the Board must consider whether the amount is effective and proportionate. Size will influence quantum, not liability.

When do these penalties become live?

The Data Protection Board exists now, and the substantive obligations become enforceable on 13 May 2027 under the phased timeline of the DPDP Rules, 2025. Building your defences during the runway is the entire point of the phase in.

What is a voluntary undertaking and why does it matter?

It is a commitment you offer the Board, for example to fix a practice and compensate affected users, which the Board may accept. Acceptance can bar penalty proceedings on those facts, making it a valuable option for self detected lapses.

Need Help with DPDPA Penalties Explained: How the ₹250 Crore Ceiling Actually Gets Applied?

Contact Tirth Inamdar at Inamdar Legal for customized assistance on your specific requirements.

EXPLORE MORE

Related Resources

View All Resources

Related Services

Digital & E-Commerce Legal Support

Website Agreements

Website terms and legal documentation support for online businesses.

Digital & E-Commerce Legal Support

Terms and Conditions

Terms and conditions drafted for clear online use.

Digital & E-Commerce Legal Support

Privacy Policy

Privacy policy drafting support for websites and apps.

Digital & E-Commerce Legal Support

E-Commerce Legal Documentation

Legal documentation support for e-commerce operations.