
DPDPA Penalties Explained: What the ₹250 Crore Cap Means for Your Business

By SIRI Law LLP · May 2026 · 10 min read

The Digital Personal Data Protection Act 2023 (DPDPA) carries one of the largest civil penalty schedules in Indian regulatory history. A single personal data breach traced to a failure of security safeguards can attract a penalty of up to ₹250 crore, and that cap applies to each breach the Data Protection Board finds, not to a year's conduct. Understanding how the schedule works, who enforces it, and how an organisation can reduce its exposure is no longer a compliance-department concern. It is a board-level financial risk question.

1. The Penalty Schedule: What the Schedule to the DPDPA Actually Says

Section 33(1) of the DPDPA 2023 empowers the Data Protection Board, on concluding an inquiry under Section 28 and after giving the person an opportunity to be heard, to impose the monetary penalty specified in the Schedule to the Act where it finds the breach to be significant. The Schedule sets a separate cap for each category of breach. These are statutory maximums, not fixed amounts: the penalty actually imposed within each cap depends on the factors listed in Section 33(2) and on the facts of the case.

Obligation breached | Maximum penalty
Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) | ₹250 crore per breach
Failure to give notice of a personal data breach to the Board and to each affected Data Principal (Section 8(6)) | ₹200 crore
Breach of the additional obligations in relation to children's personal data (Section 9) | ₹200 crore
Breach of the additional obligations of a Significant Data Fiduciary (Section 10) | ₹150 crore
Breach of a term of a voluntary undertaking accepted by the Board (Section 32) | Up to the cap that applied to the breach for which the inquiry was instituted
Breach of any other provision of the Act or the rules made under it | ₹50 crore
Breach of Data Principal duties under Section 15 (impersonation, suppressing material information, false or frivolous complaints) | ₹10,000

⚠ Penalties Are Per Breach, Not Per Year

Nothing in the Act aggregates penalties across a reporting period. Each breach the Board finds at the conclusion of an inquiry carries its own assessment against the Schedule cap, so an organisation that suffers two significant breach events in the same period faces two separate assessments, each potentially reaching the maximum. Section 33(2) also makes the repetitive nature of a breach an express factor in fixing the amount, so a second finding is likely to be assessed more harshly than the first.

2. Who Is Liable: Data Fiduciaries, Processors, and Their Officers

Penalties under Section 33 are imposed on the "person" found in breach, and "person" under Section 2 of the Act expressly includes companies, firms, associations and other bodies. In practice the respondent is the Data Fiduciary. Section 8(1) makes the Data Fiduciary responsible for compliance in respect of any processing undertaken by it or on its behalf by a Data Processor, irrespective of any agreement to the contrary, and Section 8(2) requires processors to be engaged only under a valid contract. Outsourcing the processing therefore does not outsource the penalty exposure; a fiduciary's recourse against a negligent processor is contractual.

The Act contains no provision, of the kind found in Section 85 of the IT Act 2000 or the "officer in default" provisions of the Companies Act 2013, that deems directors or key managerial personnel liable for the company's breach. Personal exposure for executives arises indirectly: through the duties of care, skill and diligence that Section 166 of the Companies Act imposes on directors and the board and shareholder scrutiny that follows a large penalty, and through the Board's civil-court powers under Section 28 to summon individuals and require production of records during an inquiry. An executive who cannot show that a functioning compliance programme was in place and overseen is exposed on both fronts.

ⓘ The Governance Defence

An officer who can produce documented evidence of governance, including board approvals, policy reviews, training records, audit reports and management oversight, is substantially better positioned than one who cannot, both before the Board (where the timeliness and effectiveness of mitigation is a Section 33(2) factor) and in any later proceeding about personal responsibility. This is not a technicality. It is the primary way officers limit their personal exposure.

3. The ₹250 Crore Trigger: What Actually Constitutes a Reasonable Safeguard

The highest cap, ₹250 crore, attaches to a breach of Section 8(5), which requires a Data Fiduciary to protect personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. The penalty therefore turns on a question the Act poses in deliberately general terms: what safeguards were reasonable for this organisation?

The Act itself sets no minimum technical standard. It leaves the detail to rules made by the Central Government under Section 40, and whatever those rules prescribe is a floor rather than a ceiling. Beyond that floor the assessment is contextual: the Board will weigh the organisation's measures against the volume, sensitivity and nature of the data it processed, and against what a reasonable organisation in that position would have implemented.

  • Volume: A platform processing 10 million user records is expected to maintain more sophisticated controls than one processing 10,000.
  • Sensitivity: Health data, financial data, and biometric data attract a higher standard of care than general contact data.
  • Industry context: Sector-specific regulatory frameworks (RBI, SEBI, IRDAI, NHA) will inform the adequacy standard for regulated entities.
  • Demonstrated governance: Organisations with documented, tested, and audited security programmes are materially better positioned than those with nominal IT controls and no governance structure.

The question the Data Protection Board will ask is not “did you have a firewall?” It is “did you have a governance programme proportionate to the risk you were carrying?” Those are not the same question.


4. The Data Protection Board: How Enforcement Works

The Data Protection Board of India, established under Section 18, is the adjudicatory body for the Act. Section 27 sets out what starts its work: a breach intimation from a Data Fiduciary under Section 8(6), a complaint by a Data Principal, or a reference from the Central or State Government or a direction of a court. Section 28 governs the inquiry, which may end in directions, mitigation orders, or a monetary penalty.

01 Breach Intimation, Complaint, or Reference

The Board receives the organisation's own breach notice under Section 8(6), a complaint from a Data Principal (who under Section 13 must first exhaust the fiduciary's own grievance redressal mechanism), or a government or court reference. On a breach intimation the Board may direct urgent remedial or mitigation measures before any inquiry begins.

02 Threshold Determination

Under Section 28 the Board first determines whether there are sufficient grounds to proceed, and may close a complaint it finds frivolous or without substance at this stage, requesting information and documents from the organisation as needed. Proactive cooperation and organised documentation here materially shape how the matter proceeds.

03 Inquiry

Where sufficient grounds exist, the Board inquires in accordance with the principles of natural justice, with the powers of a civil court to summon persons, require production of documents and receive evidence. The organisation must respond within the period the Board sets. Legal representation before the Board is permitted and advisable.

04 Order and Penalty

The Board issues a reasoned order. If it finds the breach significant it may, after giving the person an opportunity to be heard, impose a penalty up to the Schedule cap, fixing the amount by reference to the Section 33(2) factors: the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; any gain realised or loss avoided as a result of it; the action taken to mitigate its effects and the timeliness and effectiveness of that action; whether the penalty is proportionate and effective; and the likely impact of the penalty on the person. Orders of the Board are appealable to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29 within sixty days, and from the Tribunal to the Supreme Court.

5. The Voluntary Undertaking: Can You Negotiate with the Board?

Section 32 allows the Board to accept a voluntary undertaking from any person, in respect of any matter related to observance of the Act, at any stage of a proceeding under Section 28. The undertaking may commit the organisation to take specified action within a set time, to refrain from specified action, and, where the Board requires it, to publicise the undertaking. Once accepted, the undertaking bars the Board from proceeding on the matters it covers, and its terms can later be varied with the Board's consent.

The mechanism matters for two reasons. First, it lets an organisation convert an open-ended inquiry into a defined remediation programme, which both limits penalty exposure and demonstrates the mitigation effort that Section 33(2) rewards. Second, the commitment has teeth: if the organisation fails to adhere to any term of the accepted undertaking, Section 32 deems that failure a breach of the Act and the Board may proceed under Section 33. The Schedule caps the penalty for breaching an undertaking at the cap that applied to the underlying breach, so a safeguards matter settled by undertaking can still end in a penalty of up to ₹250 crore if the undertaking is not kept.

✓ Strategic Use of the Voluntary Undertaking

An organisation that approaches the Board early, before the inquiry is complete, with a credible, specific and time-bound remediation commitment demonstrates good faith and reduces the Board's incentive to impose the maximum penalty. The commitment must be one the organisation can actually deliver on schedule, since a missed undertaking reopens the full exposure. SIRI Law LLP advises on voluntary undertaking strategy and prepares the legal documentation required.

6. Factors That Reduce Penalty Exposure

The Board is not required to impose the maximum in every case. Section 33(1) allows a penalty only where the breach is significant, and Section 33(2) tells the Board what to weigh in fixing the amount. The following factors map onto that list and can materially reduce the penalty imposed:

  • Prompt breach notification: Organisations that notified the Board, affected Data Principals and CERT-In within the prescribed timelines demonstrate regulatory responsiveness and avoid a separate Section 8(6) finding.
  • Prior compliance investments: A documented, tested compliance programme in place at the time of the breach goes to the nature and gravity of the breach; a safeguards failure despite a tested programme reads differently from one where no programme existed.
  • Proactive cooperation: Organisations that respond promptly and completely to the Board's requests during the inquiry are treated more favourably than those that delay or obstruct.
  • Remediation before enforcement: Section 33(2) expressly counts the action taken to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of that action, so security improvements, policy overhauls and data governance changes made between the breach and the penalty assessment can reduce the amount.
  • No prior violations: The repetitive nature of a breach is an express aggravating factor, so a clean track record under the DPDPA and related regulatory frameworks is a mitigating one.
  • Harm containment: Where the organisation took immediate steps to contain the breach and limit harm to Data Principals, this weighs in its favour.
  • No gain from the breach: The Board must consider whether the person realised a gain or avoided a loss as a result of the breach; an organisation that derived no benefit from the non-compliance is better placed than one that cut security spend to save money.

7. How SIRI Law LLP Limits Your Exposure

SIRI Law LLP provides legal representation in Data Protection Board proceedings and proactive penalty-reduction advisory for organisations that have suffered or are at risk of suffering a breach. Our integrated model combines legal expertise with technical cybersecurity capabilities to address both the regulatory and the remediation dimensions simultaneously.

Service | How it limits exposure
DPDPA Compliance Programme | Builds the documented governance programme that is the strongest mitigating factor in any enforcement proceeding.
Breach Response (24/7) | Files the CERT-In report within the six-hour window set by the CERT-In directions, issues a legal hold immediately, and prepares the Section 8(6) notices to the Board and affected Data Principals in parallel, demonstrating regulatory responsiveness from day one.
Board Representation | Legal representation throughout the inquiry, including response drafting, voluntary undertaking preparation, and penalty submissions on the Section 33(2) factors.
SIRI Shield Retainer | Maintains a continuously documented, tested compliance programme and incident response architecture, the foundation of any credible penalty-reduction argument.
Disclaimer: This article is published by SIRI Law LLP for informational purposes only and does not constitute legal, regulatory, or compliance advice. The information reflects applicable law and regulatory guidance as of May 2026. Requirements evolve — verify current obligations before taking action. For advice specific to your organisation, consult a qualified professional. © 2026 SIRI Law LLP. All rights reserved.

SIRI Law LLP

Cybersecurity & Data Privacy Practice

SIRI Law LLP combines practising attorneys enrolled with the Bar Council of Telangana with OSCP, CEH, CISM, and CCSP-certified security engineers. The firm advises technology companies, regulated enterprises, and founders on DPDPA compliance, CERT-In obligations, AI governance, GRC programme design, and incident response — under attorney-client privilege from day one.

Facing DPDPA Penalty Exposure? SIRI Law LLP Can Help.

Our data privacy team advises on DPDPA compliance programmes, breach response, voluntary undertaking strategy, and Board representation — all under attorney-client privilege.
