21 April 2026 · compliance.hjlabs.in

₹250 Crore DPDPA Fine: Who Is at Risk in 2026?

The headline number gets repeated everywhere: ₹250 crore. That is the maximum penalty under the Digital Personal Data Protection Act, 2023. But "250 crore" is a ceiling for the worst category of violation — most fines will be far smaller. Understanding the penalty structure helps you allocate compliance budget rationally rather than panicking.

The DPDPA penalty schedule

The Schedule to the DPDPA lists penalty ceilings tied to specific violations:

Who is most at risk

1. Companies with poor security hygiene. The largest penalty applies to security failures. If you store passwords without a proper password hash such as bcrypt, leave S3 buckets public, or skip MFA on admin panels, you are sitting on the ₹250 crore exposure.

2. Companies handling children's data. EdTech, gaming, and social apps with under-18 users face ₹200 crore exposure. The Board is expected to be especially vigilant here given recent EdTech scandals.

3. Significant Data Fiduciaries. Once notified as an SDF, you face an additional ₹150 crore exposure for missing DPO, DPIA, or audit obligations.

4. Fintech and health-tech. The combination of sensitive data and public scrutiny means these sectors will likely see early enforcement actions.

What does the Board consider when setting the actual fine?

Section 33 lists the factors. Regulators in other jurisdictions (UK ICO, Irish DPC) typically consider:

This is good news for businesses that take compliance seriously. A company with documented controls, a tested incident response plan, and prompt cooperation will face dramatically smaller penalties than an uncooperative one with no controls.

Realistic risk profile by company size

Bootstrapped/early-stage: Realistic exposure ₹1-10 lakh for typical first violations. The Board has signalled it will not bankrupt small businesses for first-time, low-impact violations as long as cooperation is good.

Growth-stage SaaS/e-commerce: Realistic exposure ₹10 lakh to ₹5 crore. A breach affecting tens of thousands of users, combined with delayed notification, can easily land in this range.

Enterprise / SDF: Realistic exposure ₹5-50 crore. The maximum ₹250 crore is reserved for catastrophic failures with millions of records and willful negligence.

How to reduce your exposure right now

  1. Do a security baseline audit. Encryption in transit and at rest, MFA everywhere, no plaintext credentials, regular backups, principle of least privilege. See item 7 of our checklist.
  2. Have an incident response plan. Even a single-page runbook is better than nothing. Practice it once a year.
  3. Publish a DPDPA-compliant privacy policy. A correct policy is direct evidence of good faith. Generate one in 2 minutes.
  4. Appoint a grievance officer publicly. Fast, free, and demonstrates compliance.
  5. Document everything. Records of processing activities, consent logs, sub-processor lists, breach register, training records. The Board's leniency depends on what you can show.

What about insurance?

Cyber liability and privacy liability insurance is now available from Indian insurers (HDFC ERGO, ICICI Lombard, Bajaj Allianz). Coverage typically caps at around ₹25-50 crore. Premiums are reasonable (₹50,000 to ₹3 lakh per year for ₹5 crore cover). For any company with material data processing, this is now table stakes.

Bottom line

The ₹250 crore number is real but it is not the number to plan against. Plan against the realistic ₹1-50 crore band that fits your size, and invest in the controls that move you from "uncooperative offender" to "compliant operator." The discount is enormous. See the full penalty page for section-by-section detail.
