DPDPA Penalties 2026: Complete Official Guide

The Digital Personal Data Protection Act, 2023 empowers the Data Protection Board of India (DPBI) to impose significant monetary penalties for non-compliance. Unlike earlier drafts, DPDPA 2023 does NOT prescribe criminal penalties—all penalties are financial. This guide details the official penalty structure as defined in The Schedule of the Act.

Official Penalty Schedule (The Schedule)

Understanding Each Penalty Category

₹250 Crore: Security Safeguard Failures

The highest penalty under DPDPA applies to organizations that fail to implement 'reasonable security safeguards' as required under Section 8(5). This penalty can be triggered even if no actual data breach occurs—the mere failure to have adequate security measures is sufficient. Organizations must maintain one-year security logs and implement technical and organizational measures appropriate to the risk.

₹200 Crore: Breach Notification Failures

₹200 Crore: Children's Data Violations

Section 9 and Rule 10 impose strict requirements for processing children's personal data (anyone under 18 years). Violations include failure to obtain verifiable parental/guardian consent, processing that causes harm to children, tracking or behavioral monitoring, and targeted advertising. Rule 11 extends similar protections to persons with disabilities through lawful guardian consent requirements.

₹150 Crore: Significant Data Fiduciary Violations

The Data Protection Board of India

Established on November 13, 2025, the DPBI operates as a 'digital office' with all proceedings conducted via digital modes. The Board has powers to investigate breaches, adjudicate liability, and impose penalties. Appeals against DPBI decisions go to the Appellate Tribunal (Rule 22). The Board's composition is defined in Rules 17-21.

How to Avoid Penalties

Don't risk penalties up to ₹250 crore. Get your organization DPDPA-compliant before the May 2027 deadline with CynorSense's comprehensive compliance assessment.