The Digital Personal Data Protection Act 2023 (DPDPA) introduces a graduated penalty framework with maximum fines reaching ₹250 crores for the most severe violations. Unlike GDPR's percentage-based penalties, the DPDPA prescribes absolute monetary caps. This article examines the penalty structure, aggravating factors, and mitigation strategies.
The Penalty Architecture
The Schedule to the DPDPA prescribes specific penalty ranges for different violations. Non-compliance with the children's data provisions attracts up to ₹200 crores. Failure to implement security safeguards or notify breaches carries penalties up to ₹250 crores. General non-compliance attracts up to ₹50 crores. These are maximum caps; the Data Protection Board determines actual amounts based on circumstances.
Key Points
- Children's data violations: Up to ₹200 Cr
- Security and breach failures: Up to ₹250 Cr
- General non-compliance: Up to ₹50 Cr
- Board discretion in determination
Aggravating Factors
The Board considers several factors when determining penalty quantum: nature, gravity, and duration of breach; number of affected data principals; intentional or negligent character; actions taken to mitigate damage; degree of cooperation with authorities; previous breaches by the same entity; and financial benefits derived from the breach. Repeat offenders face significantly higher penalties.
Mitigation Strategies
Organisations can mitigate penalties through: prompt breach notification and remediation; comprehensive documentation of compliance efforts; investment in security infrastructure; cooperation with regulatory investigations; implementation of corrective measures before enforcement; and demonstrated good-faith efforts at compliance even where failures occurred.
Key Points
- Prompt breach notification
- Documented compliance efforts
- Regulatory cooperation
- Proactive remediation
Comparison with Global Standards
GDPR penalties reach 4% of global annual turnover or €20 million. For large multinationals, GDPR exposure can exceed DPDPA caps significantly. However, for mid-sized Indian companies, DPDPA penalties represent substantial financial risk. The absolute cap approach provides predictability but may not scale with organisational size.
Key Takeaways
- Map current compliance gaps to penalty exposure
- Prioritise children's data and security compliance
- Document all compliance efforts meticulously
- Establish regulatory cooperation protocols
- Budget for potential penalty exposure
