DPDP Penalties &
Enforcement

The highest penalty under the Digital Personal Data Protection Act, 2023 is up to ₹250 crore per instance. This top slab applies to a failure to take reasonable security safeguards to prevent a personal data breach, and to the breach itself. Failure to notify the Data Protection Board and affected data principals of a breach, and non-compliance with children’s-data obligations, carry penalties of up to ₹200 crore each. There is no percentage-of-turnover formula — penalties are fixed-rupee ceilings set out in the Schedule to the Act.

The Data Protection Board of India — a body established under the Act and notified by the Ministry of Electronics and Information Technology (MeitY) — adjudicates complaints and imposes monetary penalties. The Board can act on a complaint from a data principal or initiate an inquiry on its own (suo motu), issue directions, and refer matters onward. It is designed to function as a digital-first, largely online adjudicatory body.

Penalties are determined per instance of non-compliance. A single security incident can simultaneously breach the duty to maintain safeguards, the duty to notify the Board, and the duty to notify affected data principals — each a separate default the Board can penalise. This is why the headline figures compound: the ₹250 crore ceiling is per qualifying instance, not a one-time cap on an organisation.

Yes. Before fixing an amount, the Board considers factors such as the nature and gravity of the breach, the type and volume of personal data affected, whether the default was repeated, any gains made or losses avoided, and whether the fiduciary self-disclosed and took prompt remedial action. Once an order is passed, it can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days, and a further appeal on a question of law lies to the Supreme Court.

The most reliable mitigation is a demonstrable, documented compliance program: a current data inventory, lawful consent flows, reasonable security safeguards (encryption, access control, logging), a tested breach-response playbook, and evidence of training. Because the Board explicitly weighs prior compliance and corrective action, organisations that can show they acted in good faith and remediated quickly are treated more favourably. Tranquility Cybersecurity (TCSA) helps organisations build that evidentiary trail before an incident occurs.