The ₹250 Crore Question: What the DPDPA Penalty Regime Actually Means
A forensic legal breakdown of the DPDPA penalty structure under Section 33 and The Schedule: when the ₹250Cr maximum applies, how the Data Protection Board determines penalties, and the specific compliance gaps that trigger the highest tiers of liability.
Part 1 of 5
The DPDPA Penalty Architecture
Section 33 of the DPDPA 2023 empowers the Data Protection Board of India (DPBI) to impose monetary penalties for breaches. The penalties are specified in The Schedule appended to the Act. Unlike the GDPR's percentage-of-turnover model, the DPDPA uses absolute monetary caps for each category of violation.
The Schedule establishes a tiered penalty structure based on the nature and severity of the violation:
(1) Failure to implement reasonable security safeguards under Section 8(5) — up to ₹250 Crore
(2) Failure to notify the Board and affected Data Principals of a personal data breach under Section 8(6) — up to ₹200 Crore
(3) Non-compliance with children's data obligations under Section 9 — up to ₹200 Crore
(4) Non-compliance with Significant Data Fiduciary obligations under Section 10 — up to ₹150 Crore
(5) Breach of other provisions (Sections 4-12, Section 14) — up to ₹200 Crore
(6) Other violations — up to ₹50 Crore
(7) Data Principal duty violations under Section 15 — up to ₹10,000
Critically, the Board may enhance the penalty up to twice the amount specified in The Schedule based on aggravating factors. This means the theoretical maximum penalty for a security safeguard failure can reach ₹500 Crore.
Part 2 of 5
When the ₹250Cr Maximum Applies
The ₹250 Crore maximum penalty is reserved for the most consequential violation category: failure to implement reasonable security safeguards under Section 8(5). This penalty can be imposed even if no actual data breach occurs — the mere absence of adequate security measures is sufficient.
Scenarios where the ₹250Cr ceiling becomes operative include:
Scenario 1 — An organisation processes personal data of millions of Data Principals without implementing encryption, access controls, or audit logging, and the DPBI audit reveals systemic security deficiencies.
Scenario 2 — A data breach exposes personal data of a large population, and the subsequent investigation reveals that the organisation had no security safeguards in place or that existing safeguards were materially inadequate.
Scenario 3 — The Board issues a direction under Section 34 requiring the organisation to implement specific security measures, and the organisation fails to comply — attracting an additional ₹250Cr penalty for non-compliance with Board directions.
The Board considers several factors under Section 33(2) when determining the quantum within the ₹250Cr ceiling: the nature, gravity, and duration of the breach; the type of personal data affected; whether the violation was repetitive; whether the entity gained from or avoided a loss due to the breach; the timeliness and effectiveness of mitigating actions; the proportionality of the penalty; and the likely impact on the entity.
Part 3 of 5
The ₹200 Crore Breach Notification Penalty
The second-highest penalty tier — up to ₹200 Crore — applies to two critical categories: failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6)), and violations of children's data protection obligations (Section 9).
Breach notification under Section 8(6) requires the Data Fiduciary to inform the Board and each affected Data Principal in the prescribed manner and timeframe. The DPDP Rules specify the notification procedure including format, content, and timeline. Failure to notify — or material delay in notification — triggers the ₹200Cr penalty.
Children's data violations under Section 9 carry the same ₹200Cr ceiling. This includes: processing children's data without verifiable parental consent; tracking, behavioural monitoring, or targeted advertising directed at children; and any processing that causes demonstrable harm to a child. The DPDPA defines "child" as any individual below 18 years of age, significantly higher than the GDPR's 13-16 threshold.
Part 4 of 5
Compliance Gaps That Trigger Maximum Exposure
Our analysis of the penalty architecture identifies six critical compliance gaps that position organisations in the highest penalty zones:
Gap 1 — No Security Safeguards Framework: Section 8(5) requires "reasonable security safeguards" to prevent personal data breaches. Without a documented, implemented security framework — including encryption, access controls, vulnerability assessments, and incident detection — the organisation faces the full ₹250Cr exposure.
Gap 2 — Absent or Delayed Breach Notification: Section 8(6) mandates notification to the Board and affected Data Principals. Delayed or absent notification attracts ₹200Cr exposure, independent of the breach itself.
Gap 3 — Children's Data Non-Compliance: Processing children's data without verifiable parental consent, or engaging in tracking or targeted advertising toward children, triggers ₹200Cr exposure under Section 9.
Gap 4 — SDF Obligations Not Met: Significant Data Fiduciaries who fail to appoint a DPO, conduct DPIAs, or submit to annual audits under Section 10 face ₹150Cr exposure.
Gap 5 — Consent Architecture Failures: Invalid or unverifiable consent under Sections 6-7 constitutes a fundamental processing violation, attracting penalties under the ₹200Cr general provisions category.
Gap 6 — Non-Compliance with Board Directions: Ignoring or failing to implement DPBI directions under Section 34 triggers an independent ₹250Cr penalty, regardless of the underlying violation.
Part 5 of 5
The Compliance Ladder: Reducing Penalty Exposure
Organisations that build a structured compliance programme significantly reduce their penalty exposure. The DPBI is mandated under Section 33(2) to consider mitigating actions, proportionality, and the entity's compliance posture when determining penalty quantum.
Rung 1 — Classify Your Status: Formally determine whether your organisation qualifies as a Significant Data Fiduciary under Section 10 criteria. Document the assessment with legal counsel and review annually.
Rung 2 — Implement Security Safeguards: Build and document a reasonable security framework under Section 8(5) — encryption, access controls, vulnerability management, penetration testing, and audit logging. This directly addresses the ₹250Cr penalty zone.
Rung 3 — Establish Governance: Appoint a DPO (mandatory for SDFs under Section 10), maintain Records of Processing Activity, conduct Data Protection Impact Assessments, and establish board-level privacy oversight.
Rung 4 — Build Breach Readiness: Implement a documented breach response plan with notification templates, communication protocols, and regular drills. This addresses the ₹200Cr notification penalty zone.
Rung 5 — Maintain Regulatory Relationship: Respond promptly to Board inquiries, comply with directions, and maintain contemporaneous documentation of all compliance activities. This protects against the ₹250Cr penalty for non-compliance with Board directions.
Organisations demonstrating all five rungs significantly reduce penalty quantum — even when violations occur — because the Board must consider mitigation, cooperation, and proportionality.
Key Takeaways
₹250 Crore is the maximum penalty for failure to implement reasonable security safeguards under Section 8(5) — it applies even without an actual data breach
The Board may enhance penalties up to 2x the Schedule amount, meaning the theoretical maximum can reach ₹500 Crore for security failures
Breach notification failures under Section 8(6) and children's data violations under Section 9 each carry ₹200 Crore exposure
SDF non-compliance (no DPO, no DPIA, no audit) under Section 10 triggers ₹150 Crore exposure — a separate penalty from breach-related penalties
Non-compliance with Board directions under Section 34 triggers an independent ₹250 Crore penalty on top of the underlying violation penalty
Statutory References
Section 33: Power to Impose Monetary Penalty (read with The Schedule)
Section 33(2): Factors for Determining Penalty Quantum
The Schedule: Penalty Caps for Each Category of Violation
Section 8(5): Reasonable Security Safeguards — up to ₹250 Crore
Section 8(6): Breach Notification to Board and Data Principals — up to ₹200 Crore
Section 9: Additional Obligations for Children's Data — up to ₹200 Crore
Section 10: Obligations of Significant Data Fiduciaries — up to ₹150 Crore
Section 34: Directions by the Board — non-compliance up to ₹250 Crore