Case Studies & Penalties

Three Organisations That Chose to Be Ready

These are not hypothetical scenarios. These are anonymised accounts of real DPDPA compliance implementations — the gaps we found, the systems we built, and the measurable outcomes. Below them sits the complete penalty architecture, because every number here has a statutory consequence attached to it.

The Challenge

A payment aggregator processing over ₹200 crore monthly, operating across multiple banking partnerships with RBI and CERT-In reporting obligations layered on top of DPDPA. Their existing "compliance" was a 47-page privacy policy that no one had read and a cookie banner that defaulted to "Accept All." Consent records existed for none of their 6.2 million registered users.

Our Approach

We began with a complete data flow mapping exercise that revealed 23 previously undocumented data-sharing pathways with third-party processors. The consent architecture was rebuilt from scratch — granular, purpose-linked, withdrawal-capable, with evidence trails that satisfy both DPDPA Section 6 and RBI’s existing data localisation requirements.

Measurable Outcomes

  • Consent architecture rebuilt for 6.2M users with granular purpose-linking
  • 23 undocumented data-sharing pathways identified and governed
  • 72-hour breach notification workflow integrated with existing CERT-In reporting
  • Cross-border transfer exposure under Section 16 mapped and mitigated
  • Vibe Pulse Score: 34 → 81 in 10 weeks

We thought we were compliant because we had a privacy policy. What we actually had was a liability document that the DPBI would have used against us.

Chief Compliance Officer · Pan-India Payment Infrastructure Provider

DPDPA Penalty Architecture

The Data Protection Board of India does not cap aggregate penalties. It does not offer a first-offence discount. Each instance of non-compliance is assessed independently. The numbers below are not theoretical maximums — they are statutory exposures that apply the moment your organisation processes personal data without adequate safeguards.

Section 33(a) (highest penalty under the Act)
Failure to take reasonable security safeguards to prevent personal data breach
₹250 crore

Section 33(b)
Failure to notify the Board and affected Data Principals of personal data breach
₹200 crore

Section 33(c)
Non-fulfilment of additional obligations regarding children’s personal data
₹200 crore

Section 33(d)
Non-fulfilment of additional obligations of Significant Data Fiduciary
₹150 crore

Section 33(e)
Non-compliance with any other provision of the Act
₹50 crore

Section 34
Breach of duty by Data Principal (false complaints, suppression of information)
₹10,000

Note: Penalties under Section 33 are per instance. The Board may impose penalties for each separate breach, each failure to notify, each non-compliant processing activity. Aggregate exposure for a single organisation can exceed the maximum single-instance amount many times over.

Your Defence Begins Today

The Data Protection Board does not ask whether you intended to comply. It asks whether you did. Start with a confidential assessment.
