Understanding the DPDP Act penalty framework
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection legislation. It received Presidential assent on 11 August 2023 and establishes a framework for processing digital personal data, with rights for data principals (the individuals the data relates to) and obligations for data fiduciaries (the organisations that decide the purpose and means of processing). For Indian companies, and particularly for HR teams that process large volumes of employee and candidate personal data, understanding the penalty structure is not optional. The maximum fines are among the highest in the world, and the Act applies to every organisation that processes digital personal data within India, regardless of size, as well as to processing outside India that is connected with offering goods or services to data principals in India.
Unlike the EU's GDPR, which caps penalties as a percentage of global turnover, the DPDP Act prescribes fixed maximum amounts for specific categories of contravention. The Data Protection Board of India (DPB), the adjudicatory body established under the Act, fixes the actual penalty within those maximums after an inquiry, taking into account the nature, gravity and duration of the breach, the type and sensitivity of the personal data affected, whether the breach was repetitive, whether the fiduciary gained or avoided loss as a result, the mitigation steps it took, and whether the penalty is proportionate and an effective deterrent. These are monetary penalties imposed through the Board's administrative process; the Act does not create criminal offences for data fiduciaries.
Penalty amounts by violation type
The Schedule to the DPDP Act, applied through Section 33, prescribes the maximum penalty for each category of contravention. Here is the complete breakdown, with the section each entry refers to:
- Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)): up to ₹250 crore. This is the highest penalty in the Act. For HR teams it covers scenarios such as a candidate database leak, employee PII exposed through an unsecured system, or a payroll data breach caused by missing or inadequate safeguards.
- Failure to notify the Board and each affected data principal of a personal data breach (Section 8(6)): up to ₹200 crore. This is a separate contravention from the breach itself: a fiduciary whose safeguards were adequate but who fails to report an incident still faces this penalty.
- Failure to fulfil the additional obligations regarding children's data (Section 9): up to ₹200 crore. This covers processing the data of individuals below 18 years without verifiable parental consent, and any tracking, behavioural monitoring or targeted advertising directed at children. While less directly relevant to HR, companies that run apprenticeship or internship programmes for minors (common in India's manufacturing and retail sectors) must be aware of it.
- Failure to fulfil the additional obligations of a Significant Data Fiduciary (Section 10): up to ₹150 crore. Significant Data Fiduciaries (SDFs) are organisations notified by the Central Government based on factors such as the volume and sensitivity of data processed, the risk to data principals, and the potential impact on sovereignty, security or public order. Their additional obligations include appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments (DPIAs), and commissioning periodic independent audits.
- Breach of a voluntary undertaking accepted by the Board (Section 32): up to the penalty that would have applied to the contravention the undertaking was given for. A fiduciary that settles proceedings by undertaking to fix its practices and then fails to do so loses the benefit of the settlement.
- Breach of any other provision of the Act or the rules made under it: up to ₹50 crore. This residual category covers, among other things, processing without valid consent or a recognised legitimate use, processing for a purpose not specified in the notice, failing to keep data accurate, failing to erase data once the purpose is fulfilled or consent is withdrawn, and failing to comply with directions issued by the Board (for example, a direction to delete data, change a processing practice or implement a specific safeguard).
- Breach of the duties of a data principal (Section 15): up to ₹10,000. Individuals can also be penalised for impersonating another person when providing personal data, suppressing material information, filing false or frivolous complaints, or furnishing information that is not verifiably authentic when exercising a right to correction or erasure.
Consent management: the foundation of compliance
Consent is the cornerstone of the DPDP Act. For HR teams, consent management affects every stage of the employee lifecycle, from recruitment to exit. Section 6 requires that consent be: Free, and unconditional, meaning not coerced or tied to something unrelated to the stated purpose (you cannot say "consent to data processing or you will not be hired" unless the processing actually rests on a recognised legitimate use such as employment purposes under Section 7). Specific, meaning consent is obtained for each distinct purpose of processing; a blanket consent covering "all HR purposes" is unlikely to be treated as valid. Informed, meaning the data principal is given a clear notice (in English or any of the 22 languages in the Eighth Schedule of the Constitution) that explains what personal data is being collected and for what purpose, how the principal can exercise their rights, and how they can complain to the Board. Unambiguous, meaning a clear affirmative action (opt-in); pre-ticked checkboxes or silence do not constitute valid consent. Consent can be withdrawn as easily as it was given, and once it is withdrawn the fiduciary must stop processing within a reasonable time unless the processing is required by law.
For HR specifically, you need separate consent for: processing resumes and application data during recruitment, conducting background verification checks, processing payroll data (though this may fall under "legitimate use" for employment contracts), sharing employee data with third-party vendors (insurance providers, payroll processors, benefits administrators), using AI tools to screen or evaluate candidates (as discussed in our AI recruitment guide), storing employee data in cloud systems (especially if data is transferred outside India), and retaining candidate data after the recruitment process concludes. Each consent must be accompanied by a notice that clearly specifies the data being collected, the purpose, the retention period, and the process for withdrawing consent.
Data breach notification requirements
The DPDP Act requires data fiduciaries to notify both the Data Protection Board and each affected data principal in the event of a personal data breach. The Act itself does not fix a deadline (unlike GDPR's 72-hour window); Section 8(6) leaves the form, manner and timing of the intimation to the Rules, and the draft DPDP Rules published for consultation propose prompt initial intimation to the Board followed by a detailed report within 72 hours. Practically, companies should plan to notify within 72 hours of becoming aware of a breach, in line with global practice, and should not wait for the investigation to finish before sending the initial intimation.
The notification should include: a description of the nature of the breach, the categories of personal data affected, the approximate number of data principals affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate adverse effects. For HR teams, common breach scenarios include: unauthorised access to the HRMS or ATS database, phishing attacks that compromise mailboxes holding employee data, inadvertent disclosure of employee PII (for example, a salary sheet sent to the wrong address), and vulnerabilities in third-party HR tools. Having an incident response plan that covers HR data breaches specifically, with pre-drafted notification templates and a clear escalation path, is essential. Note that the breach and the failure to notify are penalised separately: inadequate safeguards can attract up to ₹250 crore, and failing to notify the Board and affected principals can attract a further penalty of up to ₹200 crore.
The Data Protection Board of India (DPB)
The Data Protection Board of India is the adjudicatory body established under Section 18 of the DPDP Act. The DPB is responsible for determining non-compliance, imposing penalties, directing remedial action, and handling complaints from data principals. The Board is designed to operate as a digital office: proceedings are conducted and filings are made electronically. The Chairperson and Members are appointed by the Central Government for a term of two years and are eligible for re-appointment.
Key points about DPB proceedings: the Board follows the principles of natural justice, so a data fiduciary is given an opportunity to be heard before any penalty is imposed. The Board acts on receipt of an intimation of a personal data breach from the fiduciary, on a complaint from a data principal, or on a reference from the Central or a State Government. On receiving a breach intimation it can direct urgent remedial or mitigation measures before its inquiry concludes, and it can accept a voluntary undertaking from the fiduciary in place of continuing proceedings. Appeals against DPB decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The Board can also direct fiduciaries to take remedial measures such as deleting improperly collected data, implementing additional security safeguards, or modifying processing practices; non-compliance with such directions falls under the residual category of the Schedule and attracts a separate penalty of up to ₹50 crore.
Practical compliance steps for Indian companies
Achieving DPDP compliance is not a one-time project — it requires ongoing processes and governance. Here are the practical steps every Indian company should take, roughly in order of priority:
- Step 1: Data mapping and inventory. Document every type of personal data you collect, where it is stored, who has access, the purpose of processing, and the legal basis (consent or legitimate use). For HR, this includes: employee PII, payroll data, performance reviews, medical records, candidate resumes, interview recordings, and background verification reports.
- Step 2: Update consent mechanisms. Review and update all points where you collect personal data: application forms, onboarding documents, HRMS self-service portals, and third-party vendor agreements. Implement granular, purpose-specific consent collection with clear notices and an equally simple withdrawal path.
- Step 3: Implement data retention and deletion policies. Define retention periods for each data category (e.g., candidate data: 12 months post-rejection; employee data: 8 years post-exit for statutory compliance; payroll records: as required by the Income Tax Act). Implement automated deletion for expired data, and record where a statutory retention duty overrides erasure.
- Step 4: Secure your data. Implement reasonable security safeguards: encryption at rest and in transit, role-based access controls, regular security audits, and employee training on data handling. The "reasonable security safeguards" standard means the safeguards should be proportional to the volume and sensitivity of the data processed.
- Step 5: Establish a breach response process. Create an incident response plan, designate a response team, prepare notification templates, and conduct tabletop exercises. Speed of response directly affects both the impact of the breach and the DPB's assessment of your compliance posture.
- Step 6: Review vendor agreements. All third-party processors (payroll vendors, ATS platforms, background verification agencies, cloud hosting providers) must have Data Processing Agreements (DPAs) that bind them to DPDP-compliant practices. As a data fiduciary, you remain responsible for processing carried out by your processors.
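The consent rules described earlier (purpose-specific consent, withdrawal) and Steps 1 to 3 above (inventory, consent records, retention and deletion) can be expressed as one small piece of logic. The following is an added illustration written for this page, not code from the Act, the Rules or any product mentioned here. The record layout, the purpose names, the retention periods (taken from the illustrative figures in Step 3) and the sample data are all assumptions; the statutory_hold flag models the point that withdrawal of consent stops processing but does not override a legal duty to retain.

```python
"""Purpose-specific consent ledger plus retention/erasure decisions for an HR
data inventory. Added example; layout, purposes and periods are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention counted from the day the purpose ended (rejection for candidates,
# exit for employees). Illustrative figures from Step 3, not statutory values.
RETENTION_DAYS = {
    "candidate": 365,        # 12 months after rejection
    "employee": 8 * 365,     # 8 years after exit
    "payroll": 8 * 365,      # placeholder; the Income Tax Act sets the real period
}


@dataclass(frozen=True)
class Consent:
    """One consent for one purpose. A blanket 'all HR purposes' consent cannot
    be represented: every entry names a single, specific purpose."""
    principal_id: str
    purpose: str
    given_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        if day < self.given_on:
            return False
        return self.withdrawn_on is None or day < self.withdrawn_on


@dataclass(frozen=True)
class Record:
    """One entry from the data map (Step 1)."""
    record_id: str
    principal_id: str
    category: str                            # key into RETENTION_DAYS
    purpose: str                             # the purpose named in the notice
    basis: str                               # "consent" or "legitimate_use"
    purpose_ended_on: Optional[date] = None  # None while the purpose is live
    statutory_hold: bool = False             # law requires retention regardless


def consent_active(record: Record, consents, day: date) -> bool:
    """True if an unwithdrawn consent exists for this principal AND purpose."""
    return any(
        c.principal_id == record.principal_id
        and c.purpose == record.purpose
        and c.active_on(day)
        for c in consents
    )


def decide(record: Record, consents, day: date) -> str:
    """Return 'keep', 'erase:withdrawn', 'erase:retention_expired' or
    'stop_processing:hold' for one record as of `day`."""
    if record.basis == "consent" and not consent_active(record, consents, day):
        # Consent withdrawn or never given: processing must stop. Erase unless
        # a statutory retention duty overrides erasure (then retain, unused).
        return "stop_processing:hold" if record.statutory_hold else "erase:withdrawn"
    if record.purpose_ended_on is not None:
        deadline = record.purpose_ended_on + timedelta(days=RETENTION_DAYS[record.category])
        if day >= deadline and not record.statutory_hold:
            return "erase:retention_expired"
    return "keep"


def retention_plan(records, consents, day: date) -> dict:
    """Map every record id to the action the deletion job should take."""
    return {r.record_id: decide(r, consents, day) for r in records}


# Constructed sample data (not real people or systems).
TODAY = date(2025, 6, 30)
SAMPLE_CONSENTS = [
    Consent("cand-001", "recruitment", date(2024, 1, 10)),
    Consent("cand-001", "ai_screening", date(2024, 1, 10), withdrawn_on=date(2024, 2, 1)),
    Consent("emp-042", "vendor_sharing", date(2020, 4, 1)),
]
SAMPLE_RECORDS = [
    # rejected 2024-03-15; 12-month retention has run out
    Record("r1", "cand-001", "candidate", "recruitment", "consent", purpose_ended_on=date(2024, 3, 15)),
    # consent for AI screening was withdrawn
    Record("r2", "cand-001", "candidate", "ai_screening", "consent"),
    # payroll for an ex-employee, retained under a statutory duty
    Record("r3", "emp-042", "payroll", "payroll", "legitimate_use", purpose_ended_on=date(2024, 12, 31), statutory_hold=True),
    # live consent, purpose still running
    Record("r4", "emp-042", "employee", "vendor_sharing", "consent"),
    # employment-purpose record; 8-year retention has not elapsed
    Record("r5", "emp-042", "employee", "performance", "legitimate_use", purpose_ended_on=date(2024, 12, 31)),
]

if __name__ == "__main__":
    for rid, action in retention_plan(SAMPLE_RECORDS, SAMPLE_CONSENTS, TODAY).items():
        print(rid, action)
```

Run against the sample inventory, r1 is erased because its retention period has expired, r2 is erased because consent for that specific purpose was withdrawn, and r3 is kept despite the employee having left because a statutory hold applies. The decision for a record is driven by the purpose named on the record, so a consent for "recruitment" never authorises "ai_screening" on the same candidate; that is the granularity the Act's "specific" requirement demands.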
Using a DPDP-compliant recruitment platform eliminates a significant portion of compliance risk. Workro is built with DPDP compliance at its core — with consent tracking for candidate data, configurable retention policies, role-based access controls, encrypted data storage, and audit trails for all data processing activities. This means your recruitment data processing is compliant from day one, without your HR team having to build these controls manually.
DPDP Act vs GDPR: key differences for Indian companies
Indian companies with global operations or European clients often need to comply with both the DPDP Act and GDPR. While the laws share common principles (consent, purpose limitation, data minimisation), there are important differences. The DPDP Act uses fixed penalty caps (up to ₹250 crore per category of contravention), while GDPR uses percentage-based penalties (up to 4% of global annual turnover, which can be far higher for large companies). The DPDP Act applies only to digital personal data (including data collected offline and later digitised), while GDPR also covers personal data held in structured manual filing systems. The DPDP Act grants fewer data principal rights than GDPR: there is no right to data portability, no right to object to processing, and no right to restrict processing. The DPDP Act allows the Central Government to exempt notified entities from its provisions on grounds such as national security or public order; GDPR has no equivalent blanket exemption power, although it lets member states restrict rights by law under Article 23. For practical purposes, if you are already GDPR-compliant, achieving DPDP compliance requires relatively modest additional effort, mainly around Indian-specific requirements such as notifying the Board and every affected principal of a breach and providing notices in Eighth Schedule languages. If you are starting from scratch, building for DPDP compliance first and then layering GDPR requirements on top is the most efficient approach.