Updated: Apr 18, 2026

India · DPDP Act 2023 · Board & CXO guide

DPDP Act penalty: board-level view of fines and 72-hour breach timelines

What senior leaders need to know about DPDP penalties up to ₹250 crore and the 72-hour breach-notification framework, translated into risk, governance, and incident-response decisions.
The Digital Personal Data Protection Act, 2023 (DPDP Act) gives India a modern data-protection regime. For senior leaders, the two numbers that matter most are the potential size of monetary penalties and the very short breach-notification timelines. This guide reframes both as board-level risk and operating decisions, not just a legal compliance issue.
Key takeaways
  • DPDP penalties are capped per violation head, with the most serious failures exposing organisations to fines that may extend to ₹250 crore.
  • The Data Protection Board of India (DPBI) has wide discretion: it looks at gravity, duration, harm, mitigation, and repeat offences, not just the size of the breach.
  • Breach duties are two-stage: immediate intimation to the DPBI and affected individuals, followed by a more detailed report within 72 hours.
  • CERT-In’s six-hour cyber-incident reporting rule can apply alongside DPDP, so escalation paths must support multiple regulators at once.
  • Investments in governance, security, vendor contracts, and rehearsed incident response directly reduce penalty exposure, downtime, and reputational damage.

Board-level view of DPDP penalties and breach obligations

Under the DPDP Act, monetary penalties are organised by violation type. For the most serious failures—such as not implementing reasonable security safeguards to prevent personal data breaches—the maximum penalty may extend to ₹250 crore per instance, while several other core obligations, including breach notification and data principal rights, carry caps of up to ₹200 crore.[1]
The DPDP Rules 2025 turn these numbers into operational pressure: they require immediate intimation of qualifying personal-data breaches to the Data Protection Board of India and affected individuals, plus a more detailed follow-up report within 72 hours. For most organisations, that compresses detection, investigation, legal review, and communications into a single long weekend. Three questions the board should put to management:
  • What is our realistic “worst credible case” exposure across all DPDP penalty heads, not just the headline ₹250 crore figure?
  • Do we have a repeatable way to detect, escalate, and assess breaches fast enough to meet the immediate intimation and 72-hour reporting expectations?
  • Are accountability and budgets for DPDP compliance clearly owned across legal, technology, operations, and business units, including vendor management?

What the DPDP Act actually prescribes: penalty slabs and triggers

Section 33 of the DPDP Act empowers the Data Protection Board of India to impose monetary penalties within the maxima set out in the Schedule. In deciding the quantum, the Board must consider factors such as the nature, gravity, and duration of the breach, the type and volume of personal data affected, whether the violation is repetitive, the gain or loss involved, and the steps taken to mitigate harm and comply.[1]
Selected DPDP penalty heads and maximum monetary penalties (₹ crore), mapped to business ownership. Exact amounts are ceilings; the Board decides the actual figure.[1]
| Obligation / failure | Max penalty (₹ crore) | Primary business owners |
|---|---|---|
| Failure to implement reasonable security safeguards to prevent personal data breaches (Section 8(5)) | Up to 250 | CIO/CISO, IT & security, product/engineering, vendor management |
| Failure to notify the DPBI and affected data principals of a personal data breach (Sections 8(6)–(7)) | Up to 200 | DPO/privacy, legal, communications, customer operations, IT |
| Failure to honour data principal rights (e.g., access, correction, erasure, grievance redress) | Up to 200 | Customer operations, product owners, legal, IT |
| Failure by a Significant Data Fiduciary to meet additional obligations (e.g., DPO appointment, DPIAs, audits) | Up to 150 | Board, CXOs, risk, compliance, legal |
| Other DPDP contraventions (e.g., children’s data safeguards, consent managers, record-keeping), as specified in the Schedule | Typically up to 200 (head-specific) | Business heads, marketing, HR, product, legal, governance |
When you look at the Schedule through a business lens, a few patterns stand out:
  • Security failures are uniquely expensive: the single highest cap is reserved for not taking reasonable security safeguards to prevent personal data breaches.
  • Breach notification and data principal rights handling can generate large, repeatable exposures, especially for consumer-facing or high-volume digital businesses.
  • The highest penalty heads cluster around four themes: security safeguards, breach notification, data principal rights, and governance of significant data fiduciaries.[3]

Frequent missteps that increase DPDP penalty risk

  • Treating DPDP as a one-time legal project instead of an ongoing, cross-functional risk and operations programme.
  • Not assigning a clear incident commander and escalation path, leading to paralysis when the first serious breach occurs.
  • Underinvesting in logging, monitoring, and documentation, making it hard to demonstrate that “reasonable security safeguards” were in place.
  • Assuming vendors will absorb DPDP risk without matching contractual terms, audit rights, and technical controls on your side.

The 72-hour breach-notification duty and its operational impact

Rule 7 of the DPDP Rules 2025 establishes a two-stage breach-notification process. Once you become aware of a qualifying personal data breach, you must intimate the DPBI and affected data principals without undue delay, and then provide an updated report to the Board within 72 hours, covering prescribed incident, impact, and mitigation details.[2]
Separately, CERT-In’s cyber-incident directions require specified security incidents to be reported within six hours of noticing them. For many real-world breaches, your organisation may have to satisfy both DPDP and CERT-In timelines in parallel, rather than choosing one or the other.[4]
A practical way for leaders to operationalise the 72-hour requirement is to think in terms of a fast, cross-functional incident-response sprint:
  1. Detect and validate the incident (0–2 hours)
    Ensure monitoring, alerts, and reporting channels allow frontline teams and vendors to flag anomalies quickly, and have a simple process to confirm whether a suspected issue is a real incident.
    • Maintain 24x7 contact points for security and operations teams.
    • Define thresholds for what counts as a potential personal data breach that must be escalated immediately.
  2. Mobilise the response team (0–6 hours)
    Activate an incident “war room” with the DPO or privacy lead, CISO, IT operations, legal, communications, and affected business owners, led by a clearly designated incident commander.
    • Use pre-defined channels, checklists, and templates; avoid inventing them in the middle of a crisis.
    • Confirm whether external partners (cloud, processors, MSSPs) are engaged and aligned on timelines.
  3. Decide regulatory triggers (within ~12 hours)
    Assess whether the incident involves digital personal data covered by DPDP, and whether it falls within CERT-In’s reportable categories or any sectoral regulator’s rules.
    • Map facts against your DPDP breach definition and internal materiality thresholds.
    • Document the reasoning behind your decision to notify or not; this record is important if questioned later.
  4. Send initial notifications (ideally within 24 hours)
    For incidents that do trigger DPDP, prepare and dispatch an initial intimation to the DPBI and affected individuals as soon as you have enough reliable facts, rather than waiting to know everything.
    • Use clear, jargon-free language that explains what happened and what you are doing about it.
    • Align timing and messaging with CERT-In and any sectoral regulator to avoid conflicting statements.
  5. Investigate root cause and mitigation (24–48 hours)
    Deepen forensic analysis, identify affected systems and data sets, close immediate vulnerabilities, and start implementing medium-term fixes and monitoring enhancements.
    • Ensure logs, evidence, and decisions are preserved in case of later regulatory investigation.
    • Update management and key stakeholders with a concise situational report and plan.
  6. Submit and refine the 72-hour DPBI report (by 72 hours and beyond)
    Prepare the more detailed DPDP report for the Board, ensuring it covers required content and is consistent with any earlier intimation and external communications. Continue to provide updates if new material facts emerge.
    • Align legal, technical, and communications teams on the final narrative and key lessons learned.
    • Feed insights back into security, training, and vendor-management improvements to reduce recurrence.
Key breach-notification channels your incident playbook should cover.
| Trigger event | Primary recipient(s) | Content focus | Timing expectation |
|---|---|---|---|
| Confirmed or likely DPDP personal data breach | Data Protection Board of India (DPBI) | Brief description of incident, affected systems or services, likely impact, and acknowledgement that a fuller report will follow. | Without undue delay, followed by a more detailed report within 72 hours of becoming aware of the breach. |
| Same DPDP-triggering breach, where individuals’ data is at risk or compromised | Affected data principals (customers, employees, partners) | Clear explanation of what happened, what categories of data may be affected, what you are doing, and what they should do (if anything). | Without undue delay, and generally aligned with regulator notifications to avoid surprises. |
| Cyber incident falling within CERT-In directions (e.g., targeted intrusion, DDoS, ransomware, critical-system compromise) | CERT-In (Indian Computer Emergency Response Team) | Technical description, affected infrastructure, indicators of compromise, and logs as required for analysis and coordination. | Within 6 hours of noticing the incident, independent of DPDP timelines. |
| Incident with significant business or customer impact that may or may not trigger DPDP/CERT-In reporting | Internal leadership (CXOs, board, risk committee) | Impact on customers, operations, and finances; regulatory analysis; proposed response plan and external communication approach. | Per your internal risk thresholds, typically within hours of initial confirmation. |

Designing a DPDP-compliant governance and incident-response framework

DPDP penalties and breach timelines are ultimately managed through everyday decisions about systems, people, and processes. Boards and CXOs should push for a framework that assigns clear accountability, embeds security and privacy into operations, and rehearses how the organisation will perform under a 72-hour clock.
A concise checklist for building a DPDP-aligned governance and incident-response framework:
  1. Clarify your DPDP roles and risk appetite
    Identify which entities in your group are data fiduciaries or processors under DPDP, and agree at board level on how much regulatory, financial, and reputational risk you are willing to tolerate.
    • Document role assumptions for group companies and key vendors to avoid confusion in an incident.
    • Link DPDP risk appetite to budgets for security, privacy, and resilience initiatives.
  2. Map critical data flows and systems tied to high penalties
    Focus on systems that, if breached, would trigger the highest penalty heads—mass consumer databases, payment-related data, employee repositories, and integrations with major processors or platforms.
    • Maintain an inventory of personal data stores, retention periods, and cross-border transfers.
    • Tie each high-risk system to an accountable business owner and technical lead.
  3. Define decision rights and escalation paths for breaches
    Create a simple RACI covering detection, triage, regulatory analysis, approvals, and external communication so that no one is guessing who can speak for the organisation at 2 a.m.
    • Ensure your DPO or privacy lead has a direct line to the CISO, GC, and at least one board-level committee.
    • Document backup delegates for all key roles to handle leave and time-zone issues.
  4. Implement and evidence security safeguards aligned to DPDP risk
    Strengthen controls such as access management, encryption, vulnerability management, backup and recovery, and endpoint protection, prioritised by the critical data flows you have mapped.
    • Capture evidence—policies, logs, test results, audit reports—that you can later use to demonstrate “reasonable security safeguards.”
    • Align cyber-insurance, business continuity, and DPDP compliance so that they reinforce each other rather than operating in silos.
  5. Tighten contracts and oversight for processors and partners
    Update contracts with processors to require DPDP-aligned security, breach-notification SLAs, cooperation on investigations, and rights to audit or obtain independent assurance reports.
    • Ensure vendor breach-notification timelines are shorter than your DPDP obligations, not the other way round.
    • Classify processors by risk level and adjust oversight (due diligence, monitoring, review) accordingly.
  6. Rehearse breaches and report learnings to the board
    Run tabletop exercises that simulate realistic DPDP and CERT-In scenarios, including incomplete information, press scrutiny, and cross-border issues, then brief the board on identified gaps and remediation plans.
    • Use exercises to validate whether you can genuinely reach key decisions and notifications within your internal SLAs.
    • Track improvement over time with simple metrics such as mean time to detect, escalate, decide, and notify.
From a return-on-investment perspective, the following initiatives often deliver outsized reductions in DPDP penalty risk relative to cost:
  • Reducing unnecessary personal-data collection and retention, which directly shrinks the blast radius of any breach.
  • Centralising logging and incident monitoring, so you can evidence security safeguards and reconstruct events quickly.
  • Standardising breach-notification templates and approval flows across business units to avoid delays and inconsistencies.
  • Rolling out focused training for high-impact roles—IT, support, sales, HR, and vendor managers—on what a DPDP breach looks like and how to escalate it.
  • Embedding DPDP checkpoints into change management (for new products, vendors, and markets) so risk is addressed before go-live, not after an incident.

Turn this guide into a DPDP penalty and breach-response checklist for your organisation, and schedule a 60–90 minute session with your DPO, CISO, and legal counsel to walk through it and identify gaps before your next board or risk-committee meeting.

Common questions Indian leaders ask about DPDP penalties and breach reporting

Is the ₹250 crore figure the automatic penalty for any breach?

No. The Schedule sets maximum penalties per violation head, and Section 33 requires the DPBI to consider factors like the nature, gravity, duration, impact, repetitiveness, and mitigation steps before deciding the amount. In many cases, especially where organisations act responsibly and transparently, actual penalties can be significantly lower than the ceiling.

  • However, leaders should not assume penalties will always be nominal; serious or repeated non-compliance can justify using a large portion of the available cap.
  • Your ability to show documented safeguards, prompt response, and genuine remediation will strongly influence outcomes.

When does the 72-hour clock start, and do we need full details before notifying?

The 72-hour period is generally understood to run from when you become aware of a qualifying personal data breach, not from the moment an attacker first accessed your systems (which you may only learn later). You are not expected to know every detail before notifying; the regime is designed for an initial intimation followed by a more complete report as facts become clearer.

  • Escalate potential incidents quickly so that the “awareness” point is identified and recorded.
  • Use your initial notification to be transparent about what is known and what is still being investigated, and follow up as you learn more.

Who counts as a data fiduciary, and can overseas group entities be in scope?

Under the DPDP Act, the data fiduciary is the person or entity that determines the purpose and means of processing digital personal data. The Act applies to processing in India and also to processing outside India when it is in connection with offering goods or services to data principals within India, so overseas group entities can fall in scope when they target Indian users.[1]

  • Within a group, more than one entity may potentially qualify as a data fiduciary; you should clarify roles contractually and operationally.
  • Vendors that merely process data on your behalf are generally processors, but weak contracts can blur accountability at the worst possible time.

Does notifying under DPDP cover our CERT-In and sector-regulator obligations?

DPDP, CERT-In, and sector regulators (such as RBI, SEBI, IRDAI, or TRAI) create parallel obligations, not alternatives. A single incident may need to be notified to several authorities, each with different formats and deadlines, as well as to affected individuals.

  • Your incident playbooks should include a simple decision tree for which regulators to inform, in what sequence, and with which templates.
  • Align legal, compliance, and communications teams so that messaging remains consistent across all notifications and public statements.

Can directors or officers face personal or criminal liability under DPDP?

The DPDP Act’s primary enforcement tool is monetary penalties on data fiduciaries and processors, not jail terms for management. That said, Indian corporate and sectoral laws can, in some circumstances, attribute responsibility to directors and officers where there is neglect or complicity in non-compliance, and other statutes (like the IT Act) may carry criminal consequences in severe cases.

  • Boards should treat DPDP compliance as part of their broader duties around internal controls, risk management, and oversight of management.
  • Directors should seek tailored legal advice on personal exposure in light of their company’s structure and sectoral obligations.

How should we quantify DPDP penalty risk for the board?

A pragmatic approach is to combine scenario analysis with simple metrics. Model a handful of realistic incidents—a major consumer-data breach, a vendor compromise, a rights-handling failure—and estimate potential DPDP penalties, downtime, revenue impact, and brand damage for each, then compare those to the cost of improving safeguards and response.

  • Track leading indicators like time to detect, time to escalate, time to decide on notifications, and training coverage for high-risk teams.
  • Present the board with side-by-side views: “do nothing” risk exposure versus the cost and impact of specific compliance investments.
Sources
  1. The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) – Government of India, India Code
  2. Digital Personal Data Protection Rules, 2025 – Government of India, Gazette of India (reproduced)
  3. Decoding the Digital Personal Data Protection Act, 2023 – EY India
  4. Top 10 operational impacts of India’s DPDPA: Data breaches – International Association of Privacy Professionals (IAPP)