Penalties & Enforcement Under India’s DPDP Act 2023: 18‑Month DPBI Action Plan for Indian Companies
The Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules) have moved India’s data protection regime from “coming soon” to a working enforcement architecture. The Data Protection Board of India (DPBI) has been notified and constituted, and is now operational, based in the National Capital Region.
What has not yet fully started is the most visible part of its mandate: large‑scale investigations, penalties, and enforcement orders. Based on current notifications and public timelines, those powers are expected to be fully in play by May 2027.
For organisations across Bengaluru’s tech ecosystem, Mumbai’s fintechs, Delhi’s e‑commerce platforms, and Hyderabad’s data‑driven businesses, that enforcement date is identical. The DPDP Act does not stagger penalties by sector. What will differ is how prepared each organisation is when the DPBI starts asking questions.
This FAQ is designed to help Indian companies understand what DPDP Act penalties look like, when they become real, and what must be built in the next 18 months.
- What is the maximum penalty under the DPDP Act?
The highest monetary penalty under the DPDP Act is up to INR 250 crore per breach, for failure to implement reasonable security safeguards that leads to a personal data breach. This cap applies to violations of Section 8(5) of the DPDP Act, as specified in the Schedule to Section 33.
- What are the different penalty slabs in the DPDP Act?
Section 33 read with the Schedule creates distinct caps depending on the type of contravention. For data fiduciaries, the core slabs are:
- Up to INR 250 crore – Failure to implement reasonable security safeguards leading to a personal data breach [Section 8(5)].
- Up to INR 200 crore – Failure to notify a personal data breach to the DPBI and affected individuals [Section 8(6)].
- Up to INR 200 crore – Breach of additional obligations relating to children’s data (Section 9).
- Up to INR 150 crore – Breach of additional obligations of Significant Data Fiduciaries (Section 10).
- Up to INR 50 crore – Any other violation of the DPDP Act or DPDP Rules by a data fiduciary not falling in the above buckets.
- Up to INR 10,000 – On a data principal for breach of duties under Section 15 (for example, filing frivolous or false complaints).
- Are these penalties per company, per year, or per incident?
The DPDP Act frames penalties per breach/per instance of non‑compliance, not as a single annual cap for an organisation. Each significant contravention identified in an inquiry can attract its own penalty up to the applicable Schedule limit.
- Can one incident lead to multiple penalties?
Yes. A single cyber incident can involve multiple distinct contraventions—for example: weak safeguards [Section 8(5)], delayed or missing notification [Section 8(6)], and children’s data issues (Section 9). The DPBI can, in principle, levy separate penalties for each category, subject to proportionality, which means exposure can be cumulative rather than limited to just the highest slab.
- Does the DPBI always impose the maximum amount of penalty?
No. Section 33(2) of the DPDP Act requires the DPBI to consider factors such as:
- nature and gravity of the breach;
- duration;
- type of personal data involved;
- repetitiveness;
- mitigation steps and gain made or loss averted,
before fixing the penalty amount. In practice, many first‑time or well‑mitigated breaches are likely to see penalties well below the statutory caps, though this will evolve with precedent.
- When do these penalties actually become enforceable?
The DPDP Rules have operationalised the DPBI, complaint portal, and timelines, and set a phased 18‑month schedule by the end of which the full penalty framework under the DPDP Act becomes enforceable. As phased obligations kick in (security, breach notification, children’s data, SDF governance), DPBI can start inquiries and impose penalties aligned with the Schedule. There is no statutory soft launch or grace period written into the DPDP Act.
- Who can be penalised: only the company, or also individuals?
The primary addressee of penalties is the data fiduciary (organisation) and, where applicable, a Significant Data Fiduciary or a consent manager. The DPDP Act also allows a limited penalty of up to INR 10,000 on data principals for breach of their statutory duties, such as filing false or frivolous complaints.
- Can a data fiduciary (organisation) make a voluntary undertaking to the DPBI?
Yes. Section 32 of the DPDP Act permits the DPBI to accept a voluntary undertaking from a data fiduciary, which can include remedial steps, timelines and audits. The DPBI may also suspend the inquiry while the undertaking is complied with. Breach of that undertaking, however, can itself attract a penalty up to the slab applicable to the original contravention.
- Is there an appeal if the organisation disagrees with a penalty?
Orders of the DPBI, including penalty orders under Section 33 of the DPDP Act, are appealable to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within the prescribed period (typically 60 days). Further appeals can lie to higher courts, including the Supreme Court of India, on questions of law.
- You’ve received a DPBI notice. What would the investigation likely look like, and what should an organisation do in the first 7 days?
Once the remaining enforcement provisions and DPDP Rules are fully live (expected around May 2027), DPBI inquiries will run as digital, time‑bound proceedings with civil‑court‑like powers under Section 28. The DPBI can summon individuals, call for documents, inspect records and systems, and issue interim orders, while following the principles of natural justice.
1. Day 0–1: Triage the notice
- Confirm what the notice is: complaint, breach‑related intimation, or suo motu inquiry reference under Section 28.
- Map exactly which provisions are in play (Sections 8, 9, 10, 13, 15 etc.) and what information/documents are requested, including timelines.
2. Day 1–3: Freeze facts and evidence
- Trigger your incident‑response/regulatory‑response playbook so that logs, emails, system records and tickets are preserved, not “cleaned up”.
- Lock in a factual chronology: when the event happened, when it was detected, who knew what, and what actions were taken, including any external notifications already made.
3. Day 2–5: Build a coherent, candid first response
- Coordinate one consolidated response from Legal/GC, Privacy, Security and Business, rather than fragmented replies from multiple teams.
- Answer the DPBI’s questions directly, attach documentary support, and clearly flag anything still under forensic investigation instead of offering vague or defensive denials.
4. Day 3–7: Prepare for a full inquiry
- Assume the Board may decide there are “sufficient grounds to proceed” and inquire into your wider compliance posture under Section 28(5).
- In that week, organise: current data protection policy, DPIAs (if any), training records, breach playbooks, vendor contracts, consent and retention practices, so they can be produced quickly if the inquiry is expanded.
If, after inquiry, the DPBI finds a contravention, it can proceed under Section 33 with directions and penalties, and any order can be appealed to TDSAT within the statutory timelines.
- What should Indian companies build in the next 18 months?
The 18‑month window to May 2027 is not a nice‑to‑have runway. It is the only period before the DPBI’s full penalty powers switch on. Organisations that use this time to hard‑wire DPDP into their operations will enter enforcement with evidence on their side. Those that do not will have to build under investigation pressure. At a minimum, organisations should aim to have the following in place:
- A documented data protection policy and data map
- A designated Data Protection Officer (if required)
- Demonstrable consent records
- A written breach response protocol
- Vendor and processor contracts updated for DPDP
- Training and awareness evidence
- Risk assessments and audits
- Data Protection Impact Assessments and privacy risk assessments for high‑risk uses of personal data (mandatory for Significant Data Fiduciaries, good practice for others)
- Periodic internal or external audits to test that policies, consents, and breach processes work in practice.
Organisations that can show the Board this kind of operational readiness—on paper and in logs—will be in a far stronger position if and when something goes wrong.
Wrapping Up
In May 2027, enforcement begins with no written grace period in the DPDP Act. Some organisations will cross that line with tested policies, logs, contracts, and teams that understand what to do. Others will cross it with slide decks and aspirational plans.
In the DPBI’s eyes, the dividing line will not be size or sector. It will be whether leadership used the time between now and enforcement to build real, demonstrable compliance—or assumed that timelines would slip.
For Indian organisations that want to lead on digital trust, the question over the next 18 months is not ‘what is the maximum penalty?’ but ‘if the DPBI called us tomorrow, could we tell our DPDP story end‑to‑end—and prove it?’