checkDPDP

Guide

How much could a DPDP violation actually cost your business?

The DPDP Act's Schedule lists five graded penalty bands up to ₹250 crore. The Board does not pick the headline number by default — Section 33(2) gives it a six-factor framework that scales the actual fine. Here is the practical math for an Indian SMB, mid-market and SDF.

23 Jun 2026 · 7 min read

The DPDP Act's headline penalty number — ₹250 crore — is the ceiling for the most serious class of default, not a starting point. The Schedule to the Act lays out five graded bands: ₹250 crore for Section 8(5) security-safeguard failures, ₹200 crore for breach-notification failures, ₹200 crore for children-specific failures under Section 9, ₹150 crore for Significant Data Fiduciary failures under Section 10, and ₹50 crore for everything else. A separate ₹10,000 penalty sits at the bottom, reserved for Data Principals who file frivolous complaints.

**Section 33(2) is the scaling formula.** When the Data Protection Board actually sets a number, the Act tells it to weigh six factors: nature, gravity and duration of the breach; type and nature of personal data affected; repetitive nature of the breach; whether the breach was deliberate or negligent; mitigation steps taken; and whether the Fiduciary cooperated. The first three push the number up. The last three pull it down. A documented, well-defended Fiduciary with a one-off misconfiguration sits in a very different band from a serial offender with no DPIA on file.

**Practical math for an Indian SMB.** Worst plausible case for a small consumer-facing site: a security finding under Section 8(5) — say, unencrypted backups exposed via a misconfigured S3 bucket affecting ~10,000 Data Principals. Headline band: ₹250 crore. After Section 33(2) discounts — no repetition, prompt remediation, breach notified within 72 hours, full cooperation — the realistic enforcement number is closer to ₹5–25 lakh for a first incident. Still painful, but not extinction-level. The discount evaporates if the Board finds you had no security baseline at all.

**Practical math for a mid-market site.** 1–5 million Indian users. Same Section 8 finding. The 'gravity' factor scales with user count and data sensitivity, so the band moves into the ₹1–5 crore range even with strong mitigation. Multiple distinct failures stack — a Section 6 withdrawal-flow failure AND a Section 8 security failure are two distinct obligations and can attract two separate penalties. Aggregate exposure for a sloppy mid-market Fiduciary is typically the sum of several mid-band fines.

**Practical math for a Significant Data Fiduciary.** Once designated under Section 10, the SDF obligations open three new penalty surfaces: missing DPO, missing independent audit, missing DPIA. Each is potentially ₹150 crore. A first-year SDF that has not yet appointed an India-resident DPO is exposed across all three — and the gravity factor scales with the SDF's user base, which is by definition large. The realistic enforcement number for a meaningfully non-compliant SDF is mid-double-digit crore, climbing with repeat offences.

**What pulls penalties down.** Documented DPIA on the processing in question. Evidence of breach notification within 72 hours. A working Grievance Officer with documented response times. A vendor inventory with signed DPAs on file. Re-scan reports showing the issue has been remediated. The Board will explicitly weigh these as 'mitigation steps' under Section 33(2)(e). Investing ₹5–10 lakh annually in compliance evidence buys orders of magnitude of penalty discount.

**What pushes penalties up.** No documented incident response. The same finding flagged twice across audits. Deliberate concealment of the breach. Failure to notify the Board or affected users. A pattern of grievances closed past the 30-day SLA. Each of these maps to a Section 33(2) factor that the Board is required to take into account.

**Operational implication.** Do not budget compliance against the ₹250 crore worst case. Budget against the band the Board is statistically likely to pick — which is mid-band for a first violation with full cooperation, and high-band for repeat or wilful breaches. The [risk calculator](/risk-calculator) on this site gives you a per-section exposure estimate using the same Section 33(2) framework. Pair it with a [free scan](/scan) of your live site to map your current exposure surface, then prioritise fixes by which band each finding falls into.

The cheapest hedge against penalty exposure is documentation, not perfection. The Board will not penalise a Fiduciary with one observable gap and a paper trail of trying. It will penalise a Fiduciary with multiple observable gaps and no documentation that anyone even noticed. The difference between those two postures is a long weekend of work, not a six-month programme.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
