Penalties, Fines & Compliance Under DPDP Act in India


Everything you need to know about penalty amounts, maximum fines, Data Protection Board enforcement, significant data fiduciary obligations, and compliance timelines under India’s Digital Personal Data Protection Act, 2023.

Digital Personal Data Protection Act, 2023  ·  Enacted: August 11, 2023  ·  Last updated: April 2026

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s landmark data privacy legislation, enacted on August 11, 2023 after receiving Presidential assent. It governs the processing of digital personal data within India and, in certain cases, outside India where data of Indian citizens is involved.

The Act replaces the earlier fragmented framework and introduces a comprehensive rights-based regime for Data Principals (individuals whose data is processed) and clear obligations for Data Fiduciaries (entities that determine the purpose and means of data processing).

Key fact: The DPDP Act 2023 was published in the Official Gazette on August 11, 2023. The Rules are notified separately; as of early 2026, the final Rules are awaited, meaning full enforcement has not yet commenced — but organisations must begin compliance preparation now.

  • Enacted: Aug 2023 (Presidential assent received August 11, 2023)
  • Maximum Penalty: ₹250 Cr per violation, the highest in India’s legal history for data breaches
  • Adjudicator: DPB (Data Protection Board of India)
  • Applies To: All data fiduciaries processing Indian citizens’ personal data

Full DPDP Act Penalty Schedule — Exact Amounts

The DPDP Act lays out penalties in Schedule I of the Act. Penalties are imposed by the Data Protection Board of India after following the due process of inquiry. The schedule below lists all violations and their corresponding maximum fines.

# | Nature of Non-Compliance / Violation | Maximum Penalty | Relevant Section
1 | Breach of children’s personal data obligations (failure to implement age-gating, obtain parental/guardian consent, or processing that causes harm to a child) | ₹200 Crore | Section 9 read with Schedule I
2 | Failure to take security safeguards (absence of reasonable security measures to prevent a personal data breach) | ₹250 Crore | Section 8(5) read with Schedule I
3 | Failure to notify the Data Protection Board and affected data principals of a personal data breach | ₹200 Crore | Section 8(6) read with Schedule I
4 | Non-compliance by Significant Data Fiduciaries with their additional obligations (Section 10 duties) | ₹150 Crore | Section 10 read with Schedule I
5 | Failure to comply with additional obligations relating to processing of children’s data (processing contrary to the prohibition) | ₹200 Crore | Section 9 read with Schedule I
6 | Obstruction of inquiry / failure to cooperate with the Data Protection Board during proceedings | ₹10,000 | Schedule I
7 | Breach of any other provision of the DPDP Act or Rules made thereunder (residual category) | ₹50 Crore | Schedule I

Important: These are maximum penalty amounts. The Data Protection Board will determine the actual fine based on factors such as: nature, gravity and duration of the breach; type of personal data affected; repetitive nature; measures taken to mitigate harm; proportionality; and whether the entity voluntarily reported the breach.

Maximum Penalty Under the DPDP Act: ₹250 Crore

“The maximum penalty under the Digital Personal Data Protection Act 2023 is ₹250 crore — for failure to implement adequate security safeguards leading to a personal data breach.”

Schedule I, DPDP Act, 2023

The single highest penalty of ₹250 crore (approximately USD 30 million) is prescribed for failure to implement reasonable security safeguards to prevent a personal data breach under Section 8(5). This is not an aggregate cap — each violation can attract a separate penalty.

How is the maximum penalty determined?

The Data Protection Board considers multiple factors before levying a penalty. The ₹250 crore figure is a ceiling — not an automatic fine. The Board will assess:

  • Nature, gravity, and duration of the non-compliance
  • Type and sensitivity of data involved
  • Whether the violation was repetitive
  • Harm caused to Data Principals
  • Steps taken by the entity to mitigate damage
  • Whether the entity notified the Board promptly
  • Proportionality between the fine and the entity’s scale

Voluntary undertaking: The DPDP Act allows a data fiduciary to offer a voluntary undertaking to the Board, which may reduce or eliminate penalties — a key compliance tool to be aware of.

Significant Data Fiduciaries — Banks, Fintech & Large Platforms

The DPDP Act introduces the concept of a Significant Data Fiduciary (SDF) — an entity that the Central Government may notify as such based on the volume and sensitivity of personal data processed, risk to rights, potential impact on sovereignty and security, risk to electoral democracy, security of the State, or public order.

Who qualifies as a Significant Data Fiduciary?

While the government has not yet published the final list, the following types of entities are widely expected to be designated as SDFs:

  • Financial Sector (Banks & NBFCs): large banks, payment platforms, and insurance companies processing millions of customers’ financial data
  • Technology (Big Tech Platforms): social media, e-commerce, and search platforms with large Indian user bases
  • Healthcare (Health Tech): entities processing sensitive health or biometric data at scale
  • Telecom (Telcos): mobile and internet service providers with national reach

Additional obligations for SDFs

Significant Data Fiduciaries face obligations beyond those of ordinary data fiduciaries under Section 10 of the Act:

  • Appointment of a Data Protection Officer (DPO) based in India
  • Appointment of an independent Data Auditor
  • Conducting periodic Data Protection Impact Assessments (DPIAs)
  • Any other measure specified by the Central Government

Obligation | Applies To | Penalty for Non-Compliance
DPO Appointment | Significant Data Fiduciaries only | ₹150 Crore
Data Auditor Appointment | Significant Data Fiduciaries only | ₹150 Crore
DPIA Conduct | Significant Data Fiduciaries only | ₹150 Crore
Security Safeguards | All Data Fiduciaries | ₹250 Crore
Breach Notification | All Data Fiduciaries | ₹200 Crore
Children’s Data Compliance | All Data Fiduciaries | ₹200 Crore

What does this mean for banks specifically?

Banks and financial institutions in India are among the most scrutinised entities under the DPDP Act because they process extremely sensitive financial and identity data at massive scale. For banks:

  • Consent must be free, specific, informed, unconditional, and unambiguous — pre-ticked boxes or bundled consents are not valid
  • Digital marketing and cross-selling communications require fresh, purpose-specific consent
  • Customers have the right to withdraw consent at any time, and banks must have a mechanism to honour this
  • Data breach notification must be given to both the Data Protection Board and the affected customer
  • If notified as an SDF, the bank must appoint an India-based DPO and undergo independent audits

Penalties for Breach of Children’s Data

Maximum penalty for breach of a child’s data: ₹200 crore under Section 9 read with Schedule I of the DPDP Act, 2023.

The DPDP Act treats the personal data of children (under 18 years of age) with heightened protection. Section 9 imposes the following specific obligations before any data fiduciary can process a child’s data:

  • Obtain verifiable consent from a parent or lawful guardian of the child
  • Must not process data in a manner that is detrimental to the well-being of a child
  • Must not undertake tracking or behavioural monitoring of children
  • Must not undertake targeted advertising directed at children

The government may, by rules, exempt certain classes of data fiduciaries (for example, educational institutions) from some of these requirements where the processing is verifiably safe.

The penalty for processing a child’s data in violation of these norms is up to ₹200 crore per violation, making it one of the most severe categories of non-compliance under the Act.

Data Protection Board of India (DPB)

The Data Protection Board of India is the statutory body established under the DPDP Act to adjudicate complaints and impose penalties. It is a digital-first, independent regulatory body.

  • Nature: Independent Body, established under the DPDP Act, not under existing regulators like TRAI or SEBI
  • Process: Digital-First, with complaints filed and proceedings conducted digitally
  • Appellate: TDSAT (Telecom Disputes Settlement & Appellate Tribunal) hears appeals against DPB orders
  • Powers: Civil Court, with powers of a civil court for summoning, examining on oath, etc.

How does the DPB impose penalties?

The Board follows a structured inquiry process:

  1. A complaint is filed by a Data Principal, or the Board takes suo motu cognizance
  2. The Board issues a notice to the data fiduciary
  3. The data fiduciary has an opportunity to be heard
  4. The Board can call for records, summon persons, and examine evidence
  5. The Board passes an order — which may include a penalty, directions, or both
  6. The data fiduciary can appeal to TDSAT within the prescribed period

Voluntary undertaking: Under Section 32, a data fiduciary may submit a voluntary undertaking at any stage of inquiry to the Board, committing to not repeating the breach and to take specified measures. The Board may accept this and close the proceedings, significantly reducing or eliminating the penalty.

Enactment Date, Rules & Enforcement Timeline

A common query is about the effective date and enforcement status of the DPDP Act. Here is the complete timeline:

August 3, 2023: The Digital Personal Data Protection Bill, 2023 passed by both Houses of Parliament.

August 11, 2023: Presidential assent received. The DPDP Act, 2023 published in the Official Gazette. This is the enactment date.

2024–2025: Ministry of Electronics and Information Technology (MeitY) issued draft Rules for public consultation. Industry feedback collected. Deliberations ongoing.

2025–2026 (Pending): Final Rules awaited. The Act comes into force on a date(s) to be appointed by the Central Government via notification in the Official Gazette. Different provisions may be notified separately.

Post-Rules Notification (Critical): Full enforcement begins. Data Protection Board constituted. Complaint filing possible. Penalties enforceable. A compliance transition period is likely to be given to data fiduciaries.

As of April 2026: The DPDP Rules have not been finalised. The Act is enacted but not yet in force. However, organisations — especially banks, fintech companies, and significant data fiduciaries — should treat this period as preparation time, not downtime. Penalties apply from enforcement date.

Compliance Checklist for Data Fiduciaries

To avoid penalties under the DPDP Act, data fiduciaries — especially banks and significant data fiduciaries — should take the following steps:

Step | Action Required | Priority
1 | Conduct a data audit: map all personal data collected, processed, stored, and shared | Critical
2 | Review and revamp consent mechanisms: ensure consent notices are plain-language, specific, and unbundled | Critical
3 | Implement a consent withdrawal mechanism that is as easy as giving consent | Critical
4 | Establish data breach response and notification procedures with timelines | Critical
5 | Implement security safeguards: encryption, access controls, and audit logs | Critical
6 | Review children’s data processing: put age-gating and parental consent in place | Critical
7 | If likely to be notified as SDF: identify and appoint a Data Protection Officer | High
8 | Engage an independent Data Auditor (for SDFs) | High
9 | Train staff on DPDP Act obligations and data principal rights | Medium
10 | Update contracts with data processors to include DPDP-compliant clauses | Medium

Frequently Asked Questions

What is the maximum penalty under the DPDP Act 2023?

The maximum penalty under the Digital Personal Data Protection Act 2023 is ₹250 crore, applicable for failure to implement adequate security safeguards to prevent a personal data breach, under Section 8(5) read with Schedule I of the Act.

What is the maximum penalty for breach of a child’s data under the DPDP Act?

The maximum penalty for non-compliance with obligations relating to processing of children’s personal data under Section 9 of the DPDP Act is ₹200 crore.

What is the maximum penalty for non-compliance by a Significant Data Fiduciary?

For non-compliance with their additional obligations under Section 10 of the DPDP Act — such as failure to appoint a DPO or Data Auditor — Significant Data Fiduciaries face a maximum penalty of ₹150 crore. They are also subject to all other penalties applicable to ordinary data fiduciaries.

Who imposes penalties under the DPDP Act?

Penalties are imposed by the Data Protection Board of India (DPB), which is a statutory, independent, digital-first adjudicatory body established under the DPDP Act. Appeals against DPB orders lie to the Telecom Disputes Settlement & Appellate Tribunal (TDSAT).

Is the DPDP Act in force yet?

The DPDP Act was enacted and received Presidential assent on August 11, 2023. However, it comes into force on a date(s) to be appointed by the Central Government through an Official Gazette notification. As of April 2026, the final Rules are still awaited and the Act has not been fully notified into force. Organisations should use this time to prepare.

Does the DPDP Act apply to banks?

Yes, the DPDP Act applies to all data fiduciaries processing personal data of Indian citizens digitally, including banks and financial institutions. Banks that process data at large scale and sensitivity are likely to be notified as Significant Data Fiduciaries, attracting additional obligations including DPO appointment, independent audits, and DPIAs.

What is the penalty for failure to notify a data breach?

Failure to notify the Data Protection Board and affected Data Principals of a personal data breach under Section 8(6) attracts a maximum penalty of ₹200 crore.

What is the penalty for obstruction of the DPB’s inquiry?

Failure to comply with or obstruction of the Board’s proceedings — for example, not responding to notices or not producing records — attracts a relatively modest penalty of ₹10,000, though non-compliance with Board directions can carry broader consequences.

What is the penalty for any other general violation of the DPDP Act?

For breach of any provision of the DPDP Act or the Rules not specifically covered above, the maximum penalty is ₹50 crore under the residual penalty provision in Schedule I.

Can penalties be reduced or waived?

Yes. The DPDP Act provides a voluntary undertaking mechanism under Section 32. A data fiduciary can approach the Data Protection Board at any stage of the inquiry and offer an undertaking to not repeat the breach and take remedial steps. The Board may accept this and close proceedings, which can significantly reduce or eliminate the penalty.
