Direct answer: Under India's Digital Personal Data Protection Act 2023, financial penalties range up to ₹250 crore for failure to implement reasonable security safeguards, up to ₹200 crore for breach-notification failures, consent/notice violations, and children's data breaches, and up to ₹150 crore for Significant Data Fiduciary obligation breaches. The Data Protection Board of India (DPBI) imposes penalties proportionate to breach severity; full enforcement is expected from May 2027.

DPDP Act 2023 Penalties — Complete Guide for Indian Businesses

Non-compliance with the DPDP Act is not a theoretical risk. The Act establishes a schedule of financial penalties designed to be material for organisations of every size — from early-stage startups to large enterprises.

Penalty Schedule (Key Violations)

| Violation | Max Penalty | DPDP Reference |
| --- | --- | --- |
| Failure to implement reasonable security safeguards | ₹250 Crore | Schedule Item 1 |
| Failure to notify Board and Data Principal of breach | ₹200 Crore | Schedule Item 2 |
| Children's data violations (Section 9) | ₹200 Crore | Schedule Item 3 |
| Consent / notice violations (Sections 5–7) | ₹200 Crore | Schedule Item 4 |
| Significant Data Fiduciary obligation breaches | ₹150 Crore | Schedule Item 5 |
| Failure to fulfil data principal rights (Sections 11–14) | ₹100 Crore | Schedule Item 6 |
| Grievance redressal failures (Section 13) | ₹50 Crore | Schedule Item 7 |

Enforcement Timeline

How Penalties Are Calculated

The DPBI considers the nature, gravity and duration of the non-compliance, whether it was intentional or negligent, prior history, and steps taken to mitigate harm. Documented compliance programmes, timely breach response, and evidence of good-faith remediation can influence outcomes even when a violation occurred.
