We’re a Chartered Accountant firm. This initiative is to give updates about laws, regulations, accounting and finance, to create awareness among the public at large, and to play a part in strong nation building, as we Chartered Accountants are Partners in Nation Building.

The DPDP Act establishes a clear and significant penalty framework. Penalties are imposed by the Data Protection Board of India after due inquiry, giving the accused an opportunity to be heard. The penalties are civil in nature — monetary fines, not criminal prosecution.
| Breach | Maximum Penalty |
|---|---|
| Failure to implement security safeguards | ₹250 crore |
| Failure to notify breach to Board or individuals | ₹200 crore |
| Breach of children’s data obligations | ₹200 crore |
| Breach of Significant Data Fiduciary obligations | ₹150 crore |
| Any other provision of the Act or Rules | ₹50 crore |
| Breach of duties by a Data Principal | ₹10,000 |
The Board does not automatically impose the maximum. It considers:
Example 1 — Failure to Secure Data (₹250 crore)
A large e-commerce platform stores millions of customer records — names, addresses, and payment details — without encryption or access controls. Hackers exploit this and steal the data. The platform had no reasonable safeguards in place. The Board finds them liable for up to ₹250 crore.

Example 2 — Failure to Report a Breach (₹200 crore)
A telecom company discovers that its customer database has been compromised. Instead of notifying the Board and affected customers promptly, it delays disclosure for weeks hoping to manage the situation internally. This failure to notify attracts a penalty of up to ₹200 crore.

Example 3 — Children’s Data Violation (₹200 crore)
An ed-tech platform collects data of students under 18 without obtaining verifiable parental consent. It also runs targeted advertisements directed at children on its platform. Both violations together attract a penalty of up to ₹200 crore.

Example 4 — Significant Data Fiduciary Default (₹150 crore)
A major social media platform notified as a Significant Data Fiduciary fails to appoint a Data Protection Officer based in India and does not conduct its mandatory annual Data Protection Impact Assessment. The Board imposes a penalty of up to ₹150 crore.

Example 5 — Data Principal Misuse (₹10,000)
An individual files repeated false complaints against a company with the Data Protection Board, with no genuine grievance. The Board finds the complaints frivolous and imposes a penalty of up to ₹10,000 on the individual.
Yes. If the Board reports that penalties have been imposed on a Data Fiduciary on two or more occasions, the Central Government may direct platforms and intermediaries to block public access to that organisation’s services in India — making repeat non-compliance an existential risk for businesses.
Penalties under the DPDP Act are not symbolic. They are substantial, scalable, and designed to deter. Compliance is not a one-time exercise — it is an ongoing obligation, and the cost of ignoring it far exceeds the cost of getting it right.
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.