Skip to main contentChat with us

DPDP Penalty Calculator

Calculate your potential penalty exposure under the Digital Personal Data Protection Act 2023. Penalties range from ₹50 crores to ₹250 crores per violation.

Assessment

Fill out the assessment to see your penalty risk

Understanding DPDP Penalties

Penalty Tiers

  • ₹50 Cr:Data breach non-notification, inadequate security
  • ₹150 Cr:Data retention violations, purpose limitation failures
  • ₹200 Cr:Children's data without verifiable parental consent
  • ₹250 Cr:Unauthorized cross-border data transfer

Key Facts

  • Penalties are per violation, not per affected user
  • Multiple violations can result in stacked penalties
  • Penalties apply to companies of all sizes equally
  • Enforcement begins May 13, 2027
  • First penalties likely in late 2027 as "examples"

DPDP Penalty FAQs

Common questions about how penalties under India's Digital Personal Data Protection Act are set and calculated.

What are the penalties under the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 imposes financial penalties per violation rather than per affected user. Amounts range from ₹50 crore (for failing to notify a data breach or for inadequate security safeguards) up to ₹250 crore (for an unauthorised cross-border data transfer), with intermediate tiers of ₹150 crore for retention/purpose-limitation failures and ₹200 crore for processing children’s data without verifiable parental consent.

What is the ₹250 crore cap under the DPDP Act?

₹250 crore is the maximum penalty the Data Protection Board can levy for a single category of violation under the DPDP Act — the highest tier, reserved for unauthorised cross-border transfer of personal data. Because penalties are assessed per violation, an organisation with multiple distinct violations can face stacked penalties, though each individual category is capped at its own ceiling.

How is a DPDP penalty calculated?

The Data Protection Board determines the actual penalty at its discretion, considering the nature, gravity, and duration of the violation, the type and volume of personal data affected, whether the breach was repetitive, and any mitigating action taken. This calculator gives an indicative range by mapping your selected violation type to its statutory tier and adjusting for factors such as Significant Data Fiduciary status, children’s data, and cross-border transfers. It is an estimate for awareness only and is not legal advice.

Disclaimer: This calculator provides estimated penalty ranges based on the Digital Personal Data Protection Act 2023 and Rules 2025. Actual penalties may vary based on specific circumstances, intent, and Data Protection Board discretion. This is for informational purposes only and does not constitute legal advice. Consult a DPDP compliance expert for your specific situation.