When the Digital Personal Data Protection Act, 2023 was enacted, the headline that travelled fastest in startup circles was the ₹250 crore figure. It is, deservedly, a wake-up call. But the penalty structure under the DPDP Act is more nuanced than a single big number — and understanding the gradient of penalties is essential to building a smart, prioritised compliance program.
This article breaks down what triggers penalties, how they are calculated, who decides them, and how a startup can mitigate exposure through proactive compliance.
Who Imposes Penalties?
The Data Protection Board of India (DPBI), established under Chapter V of the Act, is the adjudicatory body. The Board may inquire into complaints, intimations from the Government, or matters referred to it. After hearing the parties, it may impose monetary penalties prescribed in the Schedule.
Importantly, an aggrieved person may appeal a Board order to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Penalties imposed by the Board are credited to the Consolidated Fund of India.
The Schedule: Penalty Tiers Explained
The Act’s Schedule lists specific monetary upper limits depending on the nature of the breach. The actual amount is decided by the Board, factoring in the gravity, duration, repetitive nature, gain or loss caused, and any mitigating action by the fiduciary.
- Up to ₹250 crore: failure of a data fiduciary to take reasonable security safeguards to prevent a personal data breach. This is the single largest monetary risk under the Act and the one most relevant to any startup that runs production systems.
- Up to ₹200 crore: failure to notify the Board and affected data principals of a personal data breach.
- Up to ₹200 crore: breach of additional obligations relating to children’s personal data, including the prohibition on tracking, behavioural monitoring, and targeted advertising directed at children.
- Up to ₹150 crore: breach of the additional obligations applicable to a Significant Data Fiduciary, such as appointing a Data Protection Officer and conducting periodic Data Protection Impact Assessments.
- Up to ₹10,000: breach of duties of the data principal, including filing false or frivolous complaints.
- Up to ₹50 crore: breach of any other provision of the Act or its Rules — a residual catch-all that should not be underestimated.
Security Breaches: The ₹250 Crore Risk
Section 8(5) requires a data fiduciary to “protect personal data in its possession or under its control… by taking reasonable security safeguards.” What counts as reasonable is judged against industry standards and the sensitivity of the data processed. Common scenarios that have triggered enforcement under similar laws globally include:
- Storing user credentials in plaintext or with weak hashing.
- Misconfigured cloud storage that exposes user data publicly.
- Stale credentials of former employees retained in production.
- Unsegmented databases where a single SQL injection exposes all users.
- Lack of encryption for sensitive fields at rest or in transit.
A startup that suffers a breach will be asked, “what reasonable safeguards were in place?” The answer must be evidenced — not asserted.
Breach Notification Failures
Section 8(6) obliges the fiduciary to inform both the Board and each affected data principal of any breach. Failure to notify is itself a discrete violation, attracting up to ₹200 crore. This is significant because some companies, fearing reputational damage, delay or downplay notifications. Under the DPDP Act, that is a costly second mistake on top of the first.
Build a breach-response playbook so that the moment an incident is detected:
- A documented incident-response team is activated.
- Forensic preservation begins.
- Counsel is engaged.
- Notifications are drafted and sent to the Board and to affected users in the prescribed manner.
Children’s Data Violations
Section 9 imposes specific protections for individuals under 18. A fiduciary must obtain verifiable parental consent and is prohibited from tracking, behavioural monitoring, and serving targeted advertisements to children. Breach of these obligations attracts up to ₹200 crore.
Edtech platforms, gaming apps, and social products are most exposed. Verifiable parental consent is non-trivial to design: it usually requires identity verification, a record of the consenting parent, and additional support workflows.
Significant Data Fiduciaries
Section 10 empowers the Government to designate a Significant Data Fiduciary (SDF) based on volume and sensitivity of data, risk to electoral democracy, security, and public order. SDFs face additional obligations: appointing a Data Protection Officer based in India, undertaking periodic Data Protection Impact Assessments, and engaging an independent auditor. Breach of these obligations triggers penalties of up to ₹150 crore.
A growing fintech, healthtech, or consumer-tech startup may, over time, become an SDF. Plan early — retro-fitting governance is far harder than baking it in.
How Penalties Are Determined
Section 33 lists the factors the Board will consider when fixing the quantum within the Schedule’s upper limits:
- The nature, gravity, and duration of the breach.
- The type and nature of the personal data affected.
- Repetitive nature of the breach.
- Whether the person realised gain or avoided loss as a result of the breach.
- Any action taken by the person to mitigate the effects and consequences of the breach.
- Whether the penalty is proportionate and effective, considering the need to deter further breaches.
Notice the explicit mitigation factor: a startup that responds quickly, transparently, and constructively after a breach is materially better off than one that hides or stalls.
Mitigating Risk Through Proactive Compliance
A practical, low-drama approach to risk mitigation:
- Treat security and privacy as engineering disciplines, not legal afterthoughts.
- Maintain a current data map and a rolling risk register.
- Adopt recognised standards (ISO 27001, SOC 2, NIST CSF) appropriate to your stage.
- Document everything: policies, training, audits, incidents.
- Run incident-response tabletop exercises annually.
- Take cyber-insurance with adequate limits and DPDP-compatible coverage.
- Use vendor diligence templates that align with the Act’s obligations.
- Get a privacy-savvy lawyer involved early for high-risk launches.
Conclusion: The Cost of Doing Nothing
The DPDP Act gives Indian regulators teeth that they have not historically had. The first wave of inquiries will set the precedents that shape enforcement, and you do not want your startup to be in that first wave for the wrong reasons. The good news is that proactive compliance is far cheaper than the penalties, and it pays back in customer trust and enterprise readiness.
Worried about your DPDP exposure? Book a privacy-risk assessment and get a clear, prioritised remediation plan tailored to your stage of growth.
