DPDPA Penalties Up to ₹250 Crore: The Real Cost of Waiting
July 2, 2026
Every conversation about the Digital Personal Data Protection Act eventually arrives at the same number: ₹250 crore. It is worth understanding exactly where that number comes from, what else sits in the penalty schedule, and why the cheapest compliance strategy is the one that starts early.
The Schedule to the DPDP Act, 2023 sets monetary penalties by category of breach, applied per instance:
Two features make this schedule sharper than it first appears. First, penalties stack: a single incident can combine a safeguards failure (₹250 crore exposure) with a notification failure (₹200 crore exposure). Second, "per instance" means a pattern of violations multiplies rather than merges.
The Data Protection Board — operational since November 13, 2025 — weighs the nature, gravity, and duration of the violation; the type and sensitivity of data affected; whether the violation was repetitive; whether the organization gained from it; the mitigation efforts made; and the proportionality of its response. Translated: an organization that can demonstrate a running compliance program, prompt notification, and genuine remediation faces a very different order of penalty than one that has nothing to show. The evidence you keep before an incident is the biggest variable in what you pay after one.
The penalty is only the visible line item. The rest of the invoice includes enterprise deals stalling on vendor security reviews, procurement teams adding DPDPA warranties to contracts, insurers repricing cyber cover, and the engineering cost of rebuilding data systems under a regulatory deadline instead of on your own schedule. For consumer businesses, add the churn that follows a public breach notice — which the law now obligates you to send to every affected user, in plain language.
There is also a personal dimension: Significant Data Fiduciaries must designate accountable individuals, including a Data Protection Officer based in India. Accountability under this law has names attached.
The full substantive regime lands May 13, 2027, with the Consent Manager framework arriving November 13, 2026. Current guidance suggests no grace period beyond Phase 3. The organizations that will spend the least on DPDPA compliance are the ones treating 2026 as the build year: data mapping while there is slack to do it properly, consent architecture shipped once instead of patched twice, breach playbooks rehearsed before they are graded, and evidence accumulating from day one.
The ones that will spend the most are those buying emergency consulting in Q1 2027 — or explaining to the Board why they didn't.
A credible DPDPA program does not require a compliance department the size of a bank's. It requires the machinery to run continuously and prove itself: consent that is captured and checkable, rights requests closed within SLA, breaches notified inside the statutory window, safeguards that leave an audit trail.
Data Adhikaar, the agentic DPDPA compliance fabric from Qodequay Technologies, packages that machinery as a service: ten specialist AI agents covering consent, data principal rights, breach response, DPIAs, vendor risk, and audit evidence — connected to your existing systems through SDKs, APIs, and 25+ connectors, with Mumbai-region data residency and notices in all 22 scheduled languages. Every action lands in a tamper-evident Evidence Vault, so your mitigation story is provable by export.
₹250 crore is the cost of the worst day. Readiness is a rounding error against it. Start with the free readiness assessment — know your gaps before the Board does.
General guidance on the DPDP Act, 2023 — not legal advice. Penalty outcomes depend on facts and the Board's determination.