Skip to content
Aanetic
⚠️DPDP Act

DPDP Act Penalties: Avoiding ₹250 Crore Fines in 2026

Aanetic GRC Team·16 April 2026·6 min read

In short

Under India's DPDP Act 2023, the Data Protection Board can levy penalties up to ₹250 Crore per violation for inadequate security safeguards, ₹200 Crore for breach-notification and children's-data failures, and ₹150 Crore for not honouring Data Principal rights. Penalties are per-incident and can accumulate — making prevention far cheaper than cure.

The penalty tiers

The highest tier — up to ₹250 Crore — applies to inadequate security safeguards. Breach-notification and children's-data failures sit at up to ₹200 Crore, and failing Data Principal rights at up to ₹150 Crore.

Per-incident and cumulative

Because penalties apply per violation, a single breach affecting many Data Principals — or several distinct lapses — can stack into very large liability.

How to reduce exposure

Strong security, valid consent, accurate RoPA, tested breach response and documented assessments reduce both the likelihood and the assessed severity of violations.

FAQ

Up to ₹250 Crore per violation for inadequate security safeguards, with other tiers at ₹200 Crore and ₹150 Crore; penalties are per-incident and can accumulate.

#DPDP Act penalties#DPDP fines India 2026#₹250 crore penalty#DPDP penalty structure

Related articles

DPDP Act 2023 Compliance Checklist for Indian Businesses (2026)

A step-by-step DPDP Act 2023 checklist that takes Indian businesses from unsure to audit-ready in 2026.

💻

DPDP Act for SaaS & IT/ITeS Companies in India (2026)

SaaS and IT/ITeS firms often act as Data Processors. Here's what the DPDP Act means for you in 2026.

Get DPDP & SOC 2 Type 2 ready

Aanetic takes Indian companies from gap assessment to certified — book a free consultation.

Talk to an expertBrowse services