Under India's DPDP Act 2023, the Data Protection Board can impose graduated civil penalties: up to ₹250 Crore for inadequate security safeguards, ₹200 Crore for failing to protect children's data or notify a breach, and ₹150 Crore for not fulfilling Data Principal rights. Penalties are per-incident and can be cumulative.
The penalty tiers
The highest tier — up to ₹250 Crore — applies to inadequate security safeguards and certain Significant Data Fiduciary failures. Breach-notification failures and children's-data violations sit at up to ₹200 Crore, and failing to meet Data Principal rights at up to ₹150 Crore.
Per-incident and cumulative
Penalties apply per violation, so multiple lapses — or a breach affecting many Data Principals — can stack into very large cumulative liability. This makes prevention dramatically cheaper than cure.
How to reduce exposure
Strong security safeguards, valid consent, an accurate Record of Processing Activities (RoPA), a tested breach response and documented Data Protection Impact Assessments (DPIAs) all reduce both the likelihood of violations and the severity of the penalty the Board is likely to assess. Evidence of good-faith compliance matters.
FAQ
Up to ₹250 Crore per violation for inadequate security safeguards, with other tiers at ₹200 Crore and ₹150 Crore. Penalties are per-incident and can accumulate.