DPDPA Penalties Up to ₹250 Crore: The Real Cost of Waiting
July 2, 2026
Most organizations discover the true state of their security program in the worst possible way: mid-incident, with a clock running. The Digital Personal Data Protection Act, 2023 makes that clock explicit — and short.
The Act defines a personal data breach broadly: any unauthorized processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access that compromises its confidentiality, integrity, or availability. Note what is missing: a materiality threshold. A misdirected export, a misconfigured bucket, a lost laptop with unencrypted records — each can qualify, whether or not an attacker was involved.
Under the DPDP Rules, 2025, when a breach occurs a Data Fiduciary owes two distinct notifications:
Failure to notify carries its own penalty under the Act's Schedule — up to ₹200 crore — separate from the up-to-₹250-crore exposure for failing to maintain reasonable security safeguards in the first place. A breach can therefore generate two independent penalty events: one for the safeguard failure, one for the notification failure.
Seventy-two hours sounds like three days. In practice it decomposes into a brutal sequence: detect the incident, confirm personal data is involved, scope which records and which people, classify severity, draft principal-facing notices your lawyers will sign, dispatch them across channels, file the initial intimation, then assemble a detailed, accurate report for the Board — while simultaneously containing the incident itself.
Organizations that meet the window share three traits: they maintain a live map of where personal data lives (so scoping takes hours, not days); they keep pre-approved notification templates in every language they serve; and they rehearse. Organizations that miss it usually lost the first 48 hours deciding who owns the problem.
A DPDPA-ready breach response program looks like this:
Run a tabletop exercise against the 72-hour window twice a year. Time each stage. Most teams discover their true bottleneck is not detection but drafting and approval — exactly the stages that can be prepared in advance.
Data Adhikaar by Qodequay Technologies builds this playbook into software. The Suraksha agent drives the 72-hour window end to end: classifies the incident, scopes affected Data Principals from the live data map, drafts principal and Board notifications for human approval, dispatches them, and time-stamps every step into a tamper-evident Evidence Vault — so when the Board asks what you did and when, the answer is an export, not a reconstruction.
Hope is not a breach response plan. Take the free readiness assessment and see whether your current program would survive a 72-hour test.
General guidance on the DPDP Act, 2023 and DPDP Rules, 2025 — not legal advice.