What Is the DPDP Act, 2023?
The Digital Personal Data Protection Act, 2023 is India's first comprehensive personal data protection legislation. The Act regulates how organisations (referred to as 'Data Fiduciaries') collect, process, store, and handle the digital personal data of individuals (referred to as 'Data Principals').
The Act establishes obligations for Data Fiduciaries including:
• Processing personal data only for lawful purposes and with valid consent
• Implementing reasonable security safeguards to prevent data breaches
• Notifying the Data Protection Board and affected Data Principals in the event of a personal data breach
• Honouring Data Principal rights including the right to access, correct, and erase personal data
• Appointing a Data Protection Officer for Significant Data Fiduciaries (as designated by the central government)
• Meeting additional obligations for cross-border data transfers (to countries permitted by the central government)
Can Businesses Really Be Fined Rs 250 Crore?
Yes - but with important context. The Schedule to the DPDP Act, 2023 prescribes a tiered penalty structure. The maximum penalty of Rs 250 crore applies specifically to failures by Data Fiduciaries and Data Processors to implement and maintain reasonable security safeguards, resulting in a personal data breach. Lower penalties apply to other categories of non-compliance.
Violation Category (per Schedule to DPDP Act, 2023) | Maximum Penalty
Failure to implement reasonable security safeguards (resulting in a personal data breach) | Rs 250 crore
Failure to notify the Data Protection Board of a personal data breach | Rs 200 crore
Breach of obligations relating to children's personal data | Rs 200 crore
Breach of additional obligations of Significant Data Fiduciaries | Rs 150 crore
Breach of other obligations under the Act or Rules | Rs 50 crore
Breach of voluntary undertaking given to the Data Protection Board | Rs 10,000 crore (note: this is a separate provision)
These are maximum penalties. The Data Protection Board of India (once constituted) will assess each case on its specific facts, considering the nature and gravity of the breach, the number of Data Principals affected, whether safeguards were in place, whether the organisation cooperated with the Board, and any prior history of non-compliance.
What the Rs 250 Crore Penalty Is Not
Several important clarifications should be noted:
• The penalty is not automatic - the Data Protection Board must find a violation following an inquiry process
• The penalty schedule has not yet come into force - Rules must be notified and the Board must be constituted first
• The Rs 10,000 crore figure sometimes cited in media relates to breach of a voluntary undertaking - a specific and distinct provision, not the general penalty framework
• Penalties are per incident and per finding - not per individual affected Data Principal
Which Violations Are Most Likely to Attract Large Penalties?
Failure to implement reasonable security safeguards
This is the highest-risk category. 'Reasonable security safeguards' is not defined in the Act - the Rules will provide further guidance. In practice, regulators globally assess security safeguards by reference to industry standards (ISO 27001, NIST frameworks), the sensitivity of data processed, and the organisation's size and resources. Weak cybersecurity practices - unsecured databases, absent access controls, no encryption of sensitive data - represent the clearest route to this category of violation.
Failure to notify a data breach
The Act requires Data Fiduciaries to notify the Data Protection Board 'in the prescribed manner' upon becoming aware of a personal data breach. Delayed or absent notification can add a second penalty exposure on top of any penalty for the breach itself.
Processing children's personal data without verifiable parental consent
The Act imposes strict obligations regarding processing personal data of individuals below 18 years. This is particularly relevant for consumer-facing apps, edtech platforms, gaming apps, and social media services.
Impact on Fintech and Digital Businesses
Fintech companies, digital lending platforms, payment aggregators, investment platforms, and SaaS businesses are among the organisations most likely to be designated as Significant Data Fiduciaries given the volume and sensitivity of personal and financial data they process. Such designation will carry additional obligations.
Beyond regulatory penalties, the commercial impact of a data breach or non-compliance finding can include:
• Suspension of operations pending Board inquiry
• Customer attrition and reputational damage
• Loss of institutional partnerships and investor confidence
• Civil claims from affected Data Principals
• Increased cybersecurity insurance premiums
Common Compliance Gaps Businesses Should Address Now
No data inventory
Many organisations do not have a complete map of what personal data they collect, where it is stored, who can access it, how long it is retained, and which vendors process it. Without this foundational visibility, compliance is structurally impossible.
Inadequate consent management
The DPDP Act requires consent to be free, specific, informed, unconditional, and unambiguous - given through a clear affirmative action. Pre-ticked boxes, bundled consents, and consent buried in terms and conditions will not meet this standard.
Weak third-party vendor management
Data Fiduciaries are responsible for ensuring that Data Processors (vendors) they engage comply with the Act. Without contractual obligations and oversight mechanisms, third-party processing creates unmanaged compliance exposure.
No incident response framework
Given the breach notification obligation, businesses need a tested incident response plan - including triage procedures, containment steps, Board notification workflow, and Data Principal communication protocols.
How to Reduce DPDP Penalty Risk
• Conduct a data protection audit and build a complete data inventory
• Review and update consent mechanisms across all user touchpoints
• Implement and document reasonable security safeguards aligned with applicable standards
• Build a breach detection and notification workflow before the Rules come into force
• Include DPDP compliance obligations in vendor and data processor contracts
• Train all employees who handle personal data on obligations under the Act
• Appoint a designated privacy officer or compliance lead for DPDP readiness
Conclusion
The DPDP Act, 2023 will reshape how Indian businesses collect, process, and protect personal data. Penalties of up to Rs 250 crore for failures to implement adequate security safeguards signal that data governance is now a board-level strategic priority - not an IT function. While the full enforcement machinery is not yet operational, businesses that begin building compliance infrastructure now will be better placed when the Rules are notified and the Data Protection Board begins its work.
At KP Regtech, we help businesses build practical DPDP-aligned compliance frameworks, data governance systems, cybersecurity readiness programmes, and regulatory documentation tailored to evolving MEITY and sector-specific requirements.