
DPDP Act Penalty Explained: ₹50–₹250 Crore by Breach Type

DPDP Act 2023 penalty breakdown by breach type for Indian SaaS, BFSI, and HealthTech teams — what triggers ₹50 Crore vs ₹250 Crore, and how to mitigate risk from Bangalore.

API4SOC2 Editorial · 24 May 2026 · 13 min read

A single DPDP Act penalty can reach ₹250 Crore under the Digital Personal Data Protection Act 2023. For a Bangalore SaaS startup with annual recurring revenue in the low double-digit crores, that is an extinction-level event. This guide breaks down exactly which breach types attract which penalty bands, how the Board calculates the amount, and what controls reduce exposure.

The article moves top-down: the penalty structure, each breach type with real-world examples, the Board’s calculation methodology, and a control-maturity map that links technical measures to penalty reduction.

What the DPDP Act penalty structure actually is

The Act creates a tiered penalty framework administered by the Data Protection Board. Unlike GDPR, where supervisory authorities have broad discretion, the DPDP Act specifies maximum penalties by breach category. The Board has latitude within the band but cannot exceed the statutory ceiling.

| Breach category | Maximum penalty | Section reference |
| --- | --- | --- |
| Failure to take reasonable security safeguards | ₹250 Crore | Section 8(5) read with Section 33 |
| Failure to notify the Board of a personal data breach | ₹200 Crore | Section 8(6) read with Section 33 |
| Failure to comply with Significant Data Fiduciary obligations | ₹150 Crore | Section 10 read with Section 33 |
| General failure to comply with Data Fiduciary duties | ₹50 Crore | Section 33(1) |
| Failure to comply with Data Principal duties | ₹10,000 | Section 15 read with Section 33 |

Breach type 1: Failure to take reasonable security safeguards (₹250 Crore max)

This is the highest penalty tier. It applies when a Data Fiduciary fails to implement “reasonable security safeguards” to protect personal data from unauthorised access, use, disclosure, alteration, or destruction.

What triggers this penalty

  • Unencrypted databases exposed to the internet
  • Missing access controls on production systems
  • Failure to patch known critical vulnerabilities
  • Absence of incident-response capability
  • Lack of audit logging for sensitive data access

Real-world India context

In 2023–2024, multiple Indian fintech and HealthTech platforms exposed production databases containing Aadhaar-linked records, PAN numbers, and mobile numbers. Under the DPDP Act, such exposures now fall directly into the ₹250 Crore penalty band if the Board determines that reasonable safeguards were absent.

Breach type 2: Failure to notify the Board (₹200 Crore max)

Even if a breach occurs, timely notification can reduce penalty exposure. The Act requires notification “as soon as reasonably practicable” after becoming aware of a personal data breach.

What the notification must include

  • Nature of the breach
  • Categories and approximate number of Data Principals affected
  • Likely consequences
  • Measures taken or proposed to address the breach
  • Contact details for further information

Common failure mode

Organisations discover breaches through external researchers or regulator tip-offs rather than internal detection. Late notification — or no notification — moves the penalty into the ₹200 Crore band even if the underlying control failure is modest.

Breach type 3: Significant Data Fiduciary non-compliance (₹150 Crore max)

Significant Data Fiduciaries (SDFs) face additional obligations: Data Protection Officer, data protection impact assessments, periodic audits, and record-keeping. Failure to meet any of these obligations attracts penalties up to ₹150 Crore.

Who is likely to be designated an SDF

  • Large social-media platforms
  • Major e-commerce marketplaces
  • National-scale fintech wallets
  • HealthTech platforms with millions of patient records
  • EdTech platforms with pan-India student data

Breach type 4: General Data Fiduciary failure (₹50 Crore max)

This is the catch-all tier for failures that do not fall into the higher bands: invalid consent, excessive data collection, failure to honour Data Principal rights, or cross-border transfer violations.

How the Board calculates the actual penalty

The Act does not prescribe a formula, but the Board is likely to consider:

  1. Nature, gravity, and duration of the breach
  2. Number of Data Principals affected
  3. Whether the breach was intentional or negligent
  4. Steps taken to mitigate harm
  5. Prior compliance history
  6. Financial resources of the Data Fiduciary

Control-maturity map for penalty mitigation

| Control area | Basic (₹50 Crore exposure) | Intermediate (₹150 Crore exposure) | Advanced (₹250 Crore exposure) |
| --- | --- | --- | --- |
| Encryption | At rest only | At rest + in transit | At rest + in transit + field-level |
| Access control | Role-based | Role-based + MFA | Zero-trust + just-in-time |
| Logging | Basic event logs | SIEM with alerting | SOAR with automated response |
| Incident response | Playbook exists | Table-top tested quarterly | 24×7 retainer with sub-15-min MTTR |
| DPO / governance | Part-time assignee | Full-time DPO | Board-reporting DPO with independent audit |

Cross-framework mapping

  • ISO 27001:2022 Annex A 5.9 (inventory) and 5.34 (privacy) map to the “reasonable security safeguards” obligation. See our ISO 27001 service page.
  • SOC 2 CC6.1 (logical access) and CC7.2 (monitoring) support the control baseline that the Board will evaluate. See our SOC 2 service page.
  • CERT-In Direction 20(3)/2022 incident reporting overlaps with DPDP breach notification timing. See our CERT-In runbook.

Common penalty-risk mistakes

  1. Assuming small size means low penalty. The Board can consider financial resources, but the statutory maximum applies regardless of revenue.
  2. Waiting for detailed rules before acting. The Act is in force. The obligation to implement safeguards exists today.
  3. Treating breach notification as a legal-only task. Technical detection capability determines whether you can notify “as soon as reasonably practicable.”
  4. Ignoring children’s data. The Act creates additional obligations for children’s data; a breach involving minors attracts heightened scrutiny.
  5. Failing to document decisions. The Board will ask for evidence of governance. Meeting minutes, risk registers, and audit reports matter.

Sector-specific penalty exposure in Bangalore

The penalty bands apply uniformly, but the probability of triggering each band varies materially by sector. Below is the application of the framework to the verticals we deliver into most often from Bengaluru.

BFSI — banks, NBFCs, payment aggregators

BFSI Data Fiduciaries face the highest correlated regulatory risk because three regulators — RBI, the Data Protection Board, and CERT-In — can act in parallel on the same incident. A payment-aggregator breach exposing card-number-equivalent data triggers RBI penalties under the Master Direction on Digital Payment Security, DPB penalties under the DPDP Act, and CERT-In reporting obligations under Direction 20(3)/2022. The penalties stack rather than substitute. Bangalore-headquartered BFSI Data Fiduciaries we have advised typically maintain a unified breach-response playbook that treats the worst-case regulator obligation as the operational floor — meaning the response is calibrated to RBI’s stricter incident timeline rather than only the DPDP Act’s “reasonable practicality” standard.

Fintech — lending, wealth, insurtech

Fintech penalty exposure concentrates on consent failures and data minimisation. The RBI Digital Lending Guidelines layer additional consent and disclosure obligations on top of DPDP, and the Account Aggregator framework introduces additional consent-revocation semantics. The compounding effect is that a single non-compliant consent flow can trigger DPB penalties, RBI supervisory action, and contractual breach exposure with downstream lenders simultaneously. Bangalore lending fintechs we have engaged with typically build a consent-state-machine layer that abstracts across all three obligation regimes.

HealthTech — telemedicine, diagnostics, EHR

The Act’s emerging guidance treats health data as sensitive personal data, which moves all related breaches toward the higher penalty bands. In addition, the Telemedicine Practice Guidelines and the National Digital Health Mission ABDM expectations add sector-specific obligations that, if breached alongside DPDP obligations, compound penalty exposure. Bangalore HealthTech platforms with telemedicine consultations and EHR integrations should plan for a unified clinical-data-protection programme rather than separate DPDP and DISHA tracks.

EdTech — children’s data, K-12, professional learning

EdTech faces the most concentrated children’s-data risk under the Act. The verifiable-parental-consent obligation, the prohibition on tracking and behavioural monitoring of children, and the prohibition on targeted advertising directed at children all carry independent penalty exposure if breached. A consumer EdTech platform that fails on any one of these can reach the ₹50 Crore band; a platform failing on multiple simultaneously can move into the higher bands depending on how the Board interprets the cumulative effect.

SaaS — B2B exporters and consumer products

B2B SaaS faces lower direct penalty exposure than consumer-facing platforms because the Data Principal volume is smaller, but the sub-processor flow-through obligations are operationally significant. A B2B SaaS company whose customer experiences a breach due to the SaaS company’s processor-level failure can be liable through the customer’s Data Fiduciary responsibilities. Bangalore SaaS platforms increasingly maintain robust Data Processing Agreements that flow DPDP obligations through to sub-processors and provide audit rights to customer Data Fiduciaries.

How penalty severity is calculated in practice

The Act provides a non-exhaustive list of factors the Board considers, but operational understanding of how those factors interact is what compliance teams need. From the early enforcement actions and consultation guidance, six factors emerge as primary drivers.

Number of Data Principals affected. The single largest multiplier. A breach affecting 100 Data Principals and one affecting 10 million face dramatically different penalty exposure even within the same penalty band.

Sensitivity of the personal data exposed. Exposure of name and email is materially different from exposure of Aadhaar, PAN, biometric, or financial-account data. Children’s data, health records, and sexual-orientation data all carry heightened sensitivity treatment.

Duration of the breach before detection. A breach detected within hours of occurrence and remediated within the day attracts lower penalty than a breach undetected for weeks.

Adequacy of pre-breach controls. The Board considers whether reasonable security safeguards were in place. Organisations that can demonstrate ISO 27001 certification, SOC 2 Type II attestation, and current VAPT reports have a defensible position; organisations without any independent audit have a weaker one.

Speed and quality of breach response. Notification to the Board “as soon as reasonably practicable,” transparent communication with affected Data Principals, and effective remediation all reduce penalty exposure.

Prior compliance history. First-time offenders attract less severe penalties than repeat offenders. The Board has indicated that systemic non-compliance — multiple incidents over a 12-month window — can trigger penalty-band escalation.

Insurance and penalty mitigation

Cyber insurance markets in India have responded to the DPDP Act with policy products specifically covering DPB penalty exposure. Coverage availability varies by carrier and is increasingly conditioned on demonstrated compliance posture. Bangalore organisations should expect underwriters to ask for: current ISO 27001 or SOC 2 attestation, recent independent VAPT report, documented breach-response playbook, and evidence of regular tabletop exercises. Premiums for ₹50 Crore coverage typically range from ₹15–35 lakh per year for mid-sized SaaS platforms, scaling with Data Principal volume and sensitivity. The economic logic favours insurance for organisations with material penalty exposure but does not substitute for compliance investment — most policies exclude penalty coverage when the underlying breach was attributable to documented non-compliance.

Practical next steps

If you are quantifying board-level risk, use the control-maturity map to baseline your current state. If you need a full implementation roadmap, see our DPDP Act Complete Guide. If you want a downloadable checklist for your compliance team, see our DPDP Compliance Checklist.

For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed price in INR, and direct partner-level accountability through the engagement.

DPDP penalty FAQ

Are penalties retroactive to incidents before the Act came into force? No. The Act applies prospectively to incidents occurring after the effective date. However, ongoing processing activities that begin before the Act and continue after are subject to the Act for the post-effective-date conduct.

Can the Board impose penalties without a hearing? No. The Board must follow due process, including show-cause notices and opportunity to be heard. Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Are penalties tax-deductible? Generally no. Penalties imposed for statutory non-compliance are not allowable expenses for income-tax purposes. This effectively raises the economic cost above the headline penalty figure.

Does insurance cover DPDP penalties? Some Indian cyber-insurance policies cover DPB penalty exposure subject to specific exclusions. Coverage is typically conditioned on demonstrated pre-incident compliance posture. Verify policy terms before relying on coverage.

Can multiple penalty bands stack for a single incident? Yes. A breach involving security-safeguard failure (₹250 Crore) plus failure to notify (₹200 Crore) could face penalties in both bands. The Board determines the actual amount within statutory ceilings.

Does paying a penalty extinguish further liability? No. Penalties are administrative; civil liability to affected Data Principals (through class action or individual claims) and any criminal liability under other statutes can continue independently.

How does the Board prove a security-safeguard failure? Through investigation including documentation review, control inspection, and forensic analysis. Organisations with strong evidence of reasonable safeguards (independent audits, current VAPT, documented incident response) have a defensible position even when breaches occur.

Are first-time offenders treated more leniently? The Act allows the Board to consider prior compliance history. First-time offenders typically face penalties at the lower end of the applicable band; repeat offenders face escalating penalties.

What is the typical timeline from breach to penalty? From breach detection to Board adjudication typically takes 12–24 months including investigation, show-cause, hearing, and final order. The TDSAT appeal process adds 12+ months.

Can the Board penalise foreign Data Fiduciaries? Yes, where foreign entities are subject to the Act through processing of Indian Data Principal data. Enforcement against foreign entities involves international cooperation that may extend timelines.

Should I disclose past breaches proactively? Generally yes. The Act requires breach notification to the Board for incidents occurring after the effective date. For pre-effective-date breaches with ongoing implications, voluntary disclosure with remediation evidence typically produces better outcomes than discovery during enforcement.

Does cyber-insurance fully indemnify against penalties? Rarely. Most policies exclude penalties attributable to documented non-compliance. The economic logic favours insurance as supplementary protection, not as substitute for compliance investment.

Operational checklist for penalty-mitigation posture

Specific operational practices reduce the probability of penalty exposure and the severity of penalties when exposure occurs.

Maintain current independent attestation. ISO 27001 or SOC 2 Type II attestation provides documented evidence of “reasonable security safeguards.” Organisations with current attestation have a defensible position even when breaches occur; organisations without it face a presumption of inadequate safeguards.

Conduct regular VAPT. Annual at minimum; quarterly for BFSI per regulator expectations. The VAPT report is part of the security-safeguards evidence base.

Operate documented incident response. Tabletop-tested incident-response playbook, retainer with empanelled firm, demonstrated ability to meet the six-hour CERT-In window.

Track risks formally. Risk register reviewed monthly, with treatment plans and ownership. The Board examines this register during enforcement; absence is a finding.

Document board-level review. Quarterly board review of cybersecurity posture, with minutes reflecting substantive discussion. Pro-forma board approvals without substance are findings.

Maintain vendor DPAs. All processors with personal-data access have current DPAs. Vendor compromises that lead to personal-data exposure are penalty-band-affecting events; the organisation’s DPA discipline matters in severity assessment.

Train staff annually. Documented security-awareness training with completion tracking. Phishing-led incidents are common; demonstrating training reduces severity assessment.

Preserve audit trails. Comprehensive logging with tamper-evident storage. Audit trails are essential evidence during Board investigation.

Test backup integrity. Quarterly restore testing with documented evidence. Ransomware penalty severity is materially affected by demonstrated recovery capability.

Engage proactively with regulators. Voluntary disclosure of compliance gaps with remediation plans typically produces better outcomes than discovery during enforcement.

Sample penalty calculation scenarios

For Bangalore B2B SaaS founders modelling penalty exposure, three illustrative scenarios follow.

Scenario 1. Mid-stage SaaS with 5 lakh active users; security-safeguard failure exposing user-account data; first-time offender; documented but inadequate ISO 27001 implementation; remediation completed within 30 days. Likely Board outcome: penalty in the ₹3–8 Crore range from the ₹50 Crore band, reflecting first-time status and demonstrated remediation.

Scenario 2. Consumer-facing fintech with 50 lakh active users; security-safeguard failure exposing UPI VPA + transaction history; first material incident; no current independent attestation; partial remediation at time of Board review. Likely Board outcome: penalty in the ₹15–40 Crore range from the ₹250 Crore band, reflecting volume of affected users, sensitivity of data, and absence of documented safeguards.

Scenario 3. Significant Data Fiduciary with 5 Crore active users; failure to notify of breach within reasonable timeline; second material incident in 24 months; SDF obligations partially implemented; mitigation actions delayed. Likely Board outcome: penalty in the ₹40–120 Crore range across multiple bands (notification failure + SDF non-compliance + general Data Fiduciary), reflecting repeat offender status and SDF designation.

These scenarios are illustrative; actual Board determinations consider case-specific factors not captured in the scenarios.

Quantifying penalty exposure for board reporting

For board-level risk reporting, penalty-exposure quantification requires structured analysis.

Probability assessment. Likelihood of penalty exposure given current control posture. Mature controls with current attestation reduce probability; control gaps increase it.

Magnitude assessment. Maximum penalty in each band given organisation size and data-handling profile.

Expected loss calculation. Probability × magnitude across penalty bands produces expected-loss estimate. The estimate informs insurance coverage and compliance investment decisions.

Sensitivity analysis. Variation in probability or magnitude assumptions produces different expected-loss estimates. Board reporting should include sensitivity analysis to communicate uncertainty.

Trend reporting. Changes in probability or magnitude over time. Improving control posture should reduce expected loss; emerging threats may increase it. Trend reporting highlights direction.

Comparative benchmarking. Where peer-organisation penalty exposure data is available, benchmarking provides context.
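The probability, magnitude, expected-loss, sensitivity and trend steps above can be run as one small model. The following Python is an added example written for this guide; it is not API4SOC2’s tooling and nothing in the article prescribes it. Only the four band ceilings come from the penalty table earlier in the article; every probability and magnitude figure in it is a constructed assumption for illustration, and the sensitivity multipliers are arbitrary choices that a risk team would replace with its own. The model caps a scaled magnitude at the statutory ceiling and a scaled probability at 1.0, so the sensitivity analysis cannot report a penalty the Board could not impose.

```python
"""Expected-loss model for DPDP penalty exposure (added example, not from the article).

Band ceilings are the statutory maxima listed in the article's penalty table.
All probabilities and magnitudes below are constructed assumptions.
"""
from dataclasses import dataclass

# Statutory ceilings per penalty band, in ₹ Crore (from the article's table).
BAND_CEILINGS_CRORE = {
    "security_safeguards": 250,   # Section 8(5) read with Section 33
    "breach_notification": 200,   # Section 8(6) read with Section 33
    "sdf_obligations": 150,       # Section 10 read with Section 33
    "general_fiduciary": 50,      # Section 33(1)
}


@dataclass(frozen=True)
class BandAssumption:
    probability: float      # annual probability of a penalty landing in this band (assumed)
    magnitude_crore: float  # expected penalty if levied, in ₹ Crore (assumed)


def validate(assumptions: dict[str, BandAssumption]) -> None:
    """Reject inputs that are outside [0, 1] or above the band's statutory ceiling."""
    for band, a in assumptions.items():
        if band not in BAND_CEILINGS_CRORE:
            raise ValueError(f"unknown penalty band: {band}")
        if not 0.0 <= a.probability <= 1.0:
            raise ValueError(f"{band}: probability must be in [0, 1]")
        if not 0.0 <= a.magnitude_crore <= BAND_CEILINGS_CRORE[band]:
            raise ValueError(f"{band}: magnitude exceeds ceiling of ₹{BAND_CEILINGS_CRORE[band]} Crore")


def expected_loss(assumptions: dict[str, BandAssumption]) -> float:
    """Sum of probability × magnitude across bands, in ₹ Crore."""
    validate(assumptions)
    return sum(a.probability * a.magnitude_crore for a in assumptions.values())


def scale(assumptions: dict[str, BandAssumption], prob_factor: float, mag_factor: float) -> dict[str, BandAssumption]:
    """Scale every band's probability and magnitude, clamped to legal bounds.

    Probability is capped at 1.0; magnitude is capped at the band's statutory ceiling,
    so a stressed scenario never assumes a penalty the Board cannot impose.
    """
    scaled = {}
    for band, a in assumptions.items():
        p = min(1.0, a.probability * prob_factor)
        m = min(BAND_CEILINGS_CRORE[band], a.magnitude_crore * mag_factor)
        scaled[band] = BandAssumption(p, m)
    return scaled


def sensitivity(assumptions: dict[str, BandAssumption],
                prob_factors=(0.5, 1.0, 2.0),
                mag_factors=(0.5, 1.0, 1.5)) -> dict[tuple[float, float], float]:
    """Expected loss for each (probability factor, magnitude factor) pair."""
    return {(pf, mf): expected_loss(scale(assumptions, pf, mf))
            for pf in prob_factors for mf in mag_factors}


def trend(previous_crore: float, current_crore: float) -> float:
    """Change in expected loss between two assessments; negative means exposure fell."""
    return current_crore - previous_crore


# Constructed baseline for a hypothetical mid-sized consumer platform (assumed figures).
BASELINE = {
    "security_safeguards": BandAssumption(probability=0.05, magnitude_crore=20.0),
    "breach_notification": BandAssumption(probability=0.10, magnitude_crore=10.0),
    "sdf_obligations":     BandAssumption(probability=0.00, magnitude_crore=0.0),
    "general_fiduciary":   BandAssumption(probability=0.20, magnitude_crore=5.0),
}

if __name__ == "__main__":
    base = expected_loss(BASELINE)
    print(f"baseline expected loss: ₹{base:.2f} Crore")
    for (pf, mf), loss in sorted(sensitivity(BASELINE).items()):
        print(f"  prob×{pf:<4} mag×{mf:<4} -> ₹{loss:.2f} Crore")
    # A constructed "next quarter" where MFA and SIEM rollout halves security-band probability.
    improved = dict(BASELINE, security_safeguards=BandAssumption(0.025, 20.0))
    print(f"quarter-on-quarter trend: ₹{trend(base, expected_loss(improved)):+.2f} Crore")
```

The output is a board-ready number per scenario rather than a prediction; the sensitivity grid is what communicates the uncertainty the article asks for, and the ceiling clamp is the check that keeps a stressed assumption inside the statute.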

The quantification doesn’t predict actual penalties but informs investment decisions and board oversight. Mature programmes maintain quarterly penalty-exposure assessment as part of broader cybersecurity governance.

Penalty avoidance through proactive engagement

Beyond reactive compliance, proactive engagement with the Data Protection Board can reduce penalty exposure.

Public consultation participation. The Board issues consultation papers on emerging guidance. Participation in consultations produces visibility into Board priorities and influences guidance development.

Industry forum engagement. Industry forums (NASSCOM, DSCI, sector-specific associations) coordinate with the Board on common issues. Active participation produces earlier visibility into enforcement priorities.

Voluntary self-disclosure. When compliance gaps are identified internally, voluntary disclosure with remediation plans produces better outcomes than discovery during enforcement.

Best-practice documentation. Maintaining documentation that demonstrates best-practice approach reduces penalty severity in any enforcement action.

API4SOC2 Editorial
Compliance Practice Lead, Bengaluru
Bengaluru-based partner at API4SOC2. CERT-In empanelled lead auditor with 12+ years of compliance practice across Indian BFSI, fintech, and SaaS engagements. Has signed off on 80+ SOC 2 and ISO 27001 attestations.