checkDPDP

Guide

DPDP penalties decoded — what ₹250 crore really means and who pays

Headlines say 'up to ₹250 crore per default'. The Schedule to the DPDP Act is more nuanced: each item is a ceiling for one class of breach, Section 33(2) lists the factors the Board must weigh before fixing a number, and separate obligations attract separate penalties. Here's the actual math.

03 Jun 2026 · 6 min read

The DPDP Act's penalty regime is laid out in the Schedule, not in the body of the Act, and every figure in it is worded as "may extend to", i.e. a ceiling. The graded bands for Data Fiduciaries are: ₹250 crore for failing to take reasonable security safeguards against a personal data breach (Section 8(5)); ₹200 crore for failing to notify the Board and the affected Data Principals of a personal data breach (Section 8(6)); ₹200 crore for breaching the additional obligations in relation to children (Section 9); ₹150 crore for breaching the additional obligations of a Significant Data Fiduciary (Section 10); and ₹50 crore for breaching any other provision of the Act or the rules made under it. Two further items sit outside those bands: a penalty of up to ₹10,000 on a Data Principal who breaches the duties in Section 15 (which include not registering a false or frivolous grievance or complaint), and, for breach of a voluntary undertaking accepted by the Board under Section 32, a penalty up to the amount applicable to the underlying breach.

The headline ₹250 crore is the cap per default, not the floor and not the certain penalty. Under Section 33(1) the Board imposes a penalty only after an inquiry, only if it finds the breach significant, and only after hearing the person. Section 33(2) then tells the Board what to weigh when actually setting the number: the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the person gained or avoided a loss as a result of it; whether the person took action to mitigate its effects, and how timely and effective that action was; whether the penalty is proportionate and effective as a deterrent; and the likely impact of the penalty on the person. In other words, a first-time accidental misconfiguration with prompt remediation will not draw the headline number; a willful, repeated pattern of disregard will.

Two practical implications. First, documentation matters as much as posture. A team that can show a Data Protection Impact Assessment, a documented vendor inventory, a working consent log and a timely breach notification has evidence on the mitigation, timeliness and gravity factors. A team that files a breach report 96 hours late with no DPIA on file has the opposite.

Second, the Schedule prices each breach of an obligation, not each Data Principal affected. A breach affecting 2 million users is one breach for penalty purposes, although the gravity and data-type factors will push the number up the band. Conversely, distinct breaches of distinct obligations (e.g. a Section 8(5) security failure and a separate failure to honour a consent withdrawal under Section 6(4)) can attract separate penalties from separate bands. Aggregate exposure is therefore not the single headline number but the sum of the ceilings for every obligation you have demonstrably breached.

What this means for budgeting: don't plan compliance against the ₹250 crore worst case. Plan against a Board that will pick a proportionate mid-band number for each obligation bucket you fail. Two demonstrable failures in the ₹50 crore residual bucket is ₹100 crore of theoretical exposure, and even after a 20 % reduction for mitigation that's still serious money. The cheapest compliance bet is to close the obvious gaps (consent notice, withdrawal flow, breach playbook, Grievance Officer) and document each closure with evidence.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
