The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

DPDPA Penalty Framework: Understanding the Rs 250 Crore Maximum

The Schedule of Penalties

The Schedule to DPDPA 2023 establishes a tiered penalty framework, with monetary penalties ranging from Rs 10,000 to Rs 250 crore depending on the nature and severity of the contravention. Section 33 confers upon the Data Protection Board of India the authority to impose these penalties following adjudication.

Penalty Schedule Overview

Failure to fulfil general obligations (Section 8)Up to Rs 50 crore

Failure to notify breach (Section 8(6))Up to Rs 200 crore

Failure to implement security safeguardsUp to Rs 250 crore

Children data processing violations (Section 9)Up to Rs 200 crore

Contravention by Data Principal (false complaints)Up to Rs 10,000

The Rs 250 Crore Maximum: Security Safeguard Failures

The highest penalty tier of Rs 250 crore applies to failures in implementing reasonable security safeguards to prevent personal data breaches. This reflects the legislative intent to prioritise data security, recognising that inadequate security measures can result in widespread harm to Data Principals.

Critical Compliance Point

The Rs 250 crore penalty applies where a breach occurs AND the organisation failed to implement reasonable security safeguards. Organisations with robust security that suffer breaches despite reasonable measures face lower penalty exposure.

Factors in Penalty Determination

Section 33(2) requires the Board to consider the following factors when determining penalty quantum:

Nature, gravity and duration of the breach
Type of personal data affected
Repetitive nature of the breach
Whether breach resulted from action or failure to act
Mitigation actions taken by the Data Fiduciary
Whether penalty is proportionate and effective

Comparison with Global Penalty Regimes

Jurisdiction	Maximum Penalty	Calculation Basis
India (DPDPA)	Rs 250 crore (~USD 30M)	Fixed caps per violation type
EU (GDPR)	EUR 20M or 4% global turnover	Higher of fixed or percentage
UK (UK GDPR)	GBP 17.5M or 4% global turnover	Higher of fixed or percentage
USA (CCPA)	USD 7,500 per intentional violation	Per violation basis

Unlike GDPR which links maximum penalties to global turnover, DPDPA establishes fixed caps. For large multinational corporations, the Rs 250 crore maximum may represent a smaller proportion of annual revenue than GDPR penalties. However, for Indian SMEs, the penalty caps remain substantial.

Breach Notification Penalty: Rs 200 Crore

The Rs 200 crore penalty for breach notification failures underscores the regulatory emphasis on transparency. Combined with Rule 7 requirements for 72 hour detailed reporting, organisations must establish robust incident response capabilities.

Notably, the penalty applies to "failure to take reasonable security safeguards to prevent personal data breach" AND "failure to notify the Board and affected Data Principal". Organisations failing both obligations face potential cumulative exposure.

Risk Mitigation Strategies

To minimise penalty exposure, organisations should:

Implement documented security measures aligned with industry standards
Establish and test incident response procedures
Maintain evidence of compliance activities and decision making rationale
Conduct regular security assessments and address identified gaps
Train personnel on breach identification and escalation
Secure cyber insurance appropriate to data processing risk profile

Conclusion

The DPDPA penalty framework establishes significant financial consequences for non compliance, with the Rs 250 crore maximum for security safeguard failures sending a clear message regarding data protection priorities. Organisations should view compliance investment not merely as regulatory obligation but as risk mitigation against potentially substantial financial exposure. The Data Protection Board determinations, once published, will provide further guidance on penalty application in practice.