DPDPA Penalties Up to ₹250 Crore: The Real Cost of Waiting

Shashikant Kalsha

July 2, 2026

Every conversation about the Digital Personal Data Protection Act eventually arrives at the same number: ₹250 crore. It is worth understanding exactly where that number comes from, what else sits in the penalty schedule, and why the cheapest compliance strategy is the one that starts early.

The penalty schedule, decoded

The Schedule to the DPDP Act, 2023 sets monetary penalties by category of breach, applied per instance:

  • Up to ₹250 crore — failure to take reasonable security safeguards to prevent a personal data breach. This is the headline number, and it attaches to the most common failure mode in Indian industry.
  • Up to ₹200 crore — failure to notify the Board or affected Data Principals of a personal data breach.
  • Up to ₹200 crore — breach of obligations relating to children's personal data.
  • Up to ₹150 crore — breach of the additional obligations of Significant Data Fiduciaries.
  • Up to ₹50 crore — the residual category for breach of any other provision of the Act or Rules.

Two features make this schedule sharper than it first appears. First, penalties stack: a single incident can combine a safeguards failure (₹250 crore exposure) with a notification failure (₹200 crore exposure). Second, "per instance" means a pattern of violations multiplies rather than merges.

How the Board will decide amounts

The Data Protection Board — operational since November 13, 2025 — weighs the nature, gravity, and duration of the violation; the type and sensitivity of data affected; whether the violation was repetitive; whether the organization gained from it; the mitigation efforts made; and the proportionality of its response. Translated: an organization that can demonstrate a running compliance program, prompt notification, and genuine remediation faces a very different order of penalty than one that has nothing to show. The evidence you keep before an incident is the biggest variable in what you pay after one.

The costs beyond the fine

The penalty is only the visible line item. The rest of the invoice includes enterprise deals stalling on vendor security reviews, procurement teams adding DPDPA warranties to contracts, insurers repricing cyber cover, and the engineering cost of rebuilding data systems under regulatory deadline instead of on your own schedule. For consumer businesses, add the churn that follows a public breach notice — which the law now obligates you to send to every affected user, in plain language.

There is also a personal dimension: Significant Data Fiduciaries must designate accountable individuals, including a Data Protection Officer based in India. Accountability under this law has names attached.

Waiting is the expensive option

The full substantive regime lands May 13, 2027, with the Consent Manager framework arriving November 13, 2026. Current guidance suggests no grace period beyond Phase 3. The organizations that will spend the least on DPDPA compliance are the ones treating 2026 as the build year: data mapping while there is slack to do it properly, consent architecture shipped once instead of patched twice, breach playbooks rehearsed before they are graded, and evidence accumulating from day one.

The ones that will spend the most are those buying emergency consulting in Q1 2027 — or explaining to the Board why they didn't.

Readiness is cheaper than remediation

A credible DPDPA program does not require a compliance department the size of a bank's. It requires the machinery to run continuously and prove itself: consent that is captured and checkable, rights requests closed within SLA, breaches notified inside the statutory window, safeguards that leave an audit trail.

Data Adhikaar, the agentic DPDPA compliance fabric from Qodequay Technologies, packages that machinery as a service: ten specialist AI agents covering consent, data principal rights, breach response, DPIAs, vendor risk, and audit evidence — connected to your existing systems through SDKs, APIs, and 25+ connectors, with Mumbai-region data residency and notices in all 22 scheduled languages. Every action lands in a tamper-evident Evidence Vault, so your mitigation story is provable by export.

₹250 crore is the cost of the worst day. Readiness is a rounding error against it. Start with the free readiness assessment — know your gaps before the Board does.

General guidance on the DPDP Act, 2023 — not legal advice. Penalty outcomes depend on facts and the Board's determination.

Shashikant Kalsha

As the CEO and Founder of Qodequay Technologies, I bring over 20 years of expertise in design thinking, consulting, and digital transformation. Our mission is to merge cutting-edge technologies like AI, Metaverse, AR/VR/MR, and Blockchain with human-centered design, serving global enterprises across the USA, Europe, India, and Australia. I specialize in creating impactful digital solutions, mentoring emerging designers, and leveraging data science to empower underserved communities in rural India. With a credential in Human-Centered Design and extensive experience in guiding product innovation, I’m dedicated to revolutionizing the digital landscape with visionary solutions.
