DPDP penalties go up to ₹250 crore — and there's no cure period
The DPDP Act sets maximum penalties as high as ₹250 crore for security failures. They're ceilings the Board assesses case-by-case, not automatic fines — but there's no grace period to fix things after a breach.
What the law says
The Schedule to the DPDP Act, 2023 (read with section 33) sets maximum penalties the Data Protection Board can impose after a hearing:
| Failure | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards (s.8(5)) | up to ₹250 crore |
| Failure to notify a personal-data breach (s.8(6)) | up to ₹200 crore |
| Breach of children's-data obligations (s.9) | up to ₹200 crore |
| Failure of Significant Data Fiduciary duties (s.10) | up to ₹150 crore |
Why it matters
These are caps, not fixed fines. The Board decides the actual amount based on the nature and gravity of the breach. But two things make them serious: the ceilings are very high, and there is no statutory "cure period" — you don't get a window to fix the problem before a penalty can apply.
What this means for you
Don't read "₹250 crore" as "this will bankrupt me on day one" — but don't dismiss it either. The right response is to have reasonable security in place before anything goes wrong, because there's no fix-it-later safety net.
What to do now
Put reasonable security safeguards in place now — encryption, access control, logging, a breach-response plan — because penalties have no cure period once a breach occurs.
- you want to size the financial risk of non-compliance
- you handle sensitive or large volumes of personal data
DPDP Act, 2023 (India Code) · DPDP Act 2023, Schedule (with s.33)
General information, not legal advice. Verify against the cited primary source and confirm specifics with a qualified advisor before acting.