Data Privacy (DPDPA)

Are You Prepared for India's New Data Protection Penalties?

MSInfo Privacy Team

MSInfo Services

January 30, 2025 · 5 min read

The DPDPA introduces penalties of up to ₹250 crore for data breaches. Most organizations have no idea what this means for their risk exposure.

When the Digital Personal Data Protection Act 2023 was passed, one aspect received more attention than almost any other: the penalty schedule. For an Indian regulatory framework, the penalties are unprecedented in scale — and they represent a genuine financial risk that boards and CFOs need to understand.

The penalty schedule under the DPDPA is structured around specific violations. Failure to implement reasonable security safeguards to prevent a personal data breach can attract a penalty of up to ₹250 crore per violation. Failure to notify the Data Protection Board and affected Data Principals of a breach within the prescribed timeline can result in a penalty of up to ₹200 crore. Violations of children's data processing obligations — including processing personal data of a child without verifiable parental consent — attract penalties of up to ₹200 crore.

These penalties apply per violation — not in aggregate. A single data breach that exposes the records of thousands of customers could theoretically attract penalties for each affected individual, though the practical application of penalties will depend on how the Data Protection Board develops its enforcement approach through rules and precedent.

Beyond the direct penalties, the reputational damage from a DPDPA enforcement action could be more costly than the fine itself. Public disclosure of a data breach and regulatory action creates customer churn, damages partner relationships, and can affect share price for listed companies.

The key question for organizations is: what constitutes 'reasonable security safeguards'? The Act does not prescribe specific technical controls — it creates an outcome-based standard that will be interpreted by the Data Protection Board over time. Organizations that align their security programs with recognized frameworks (ISO 27001, NIST, OWASP) are best positioned to demonstrate that their safeguards were reasonable, even if a breach occurred.

MSInfo Services helps organizations conduct DPDPA risk assessments that quantify their penalty exposure under different breach scenarios and identify the priority controls needed to reduce that exposure.
