The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a robust framework for penalizing non-compliance with personal data handling obligations in India. This blog post examines its penalties, enforcement mechanisms, and official guidelines, drawing from the Act’s provisions and related rules. As a CERT-In empanelled organization, Certcube Labs Pvt Ltd plays a key role in supporting compliance through audits and advisory services.
Overview of the DPDP Act
The DPDP Act, assented to on August 11, 2023, regulates the processing of digital personal data by data fiduciaries and data processors. It mandates consent-based processing, data minimisation, and reasonable security safeguards, while granting data principals rights such as access, correction, and erasure. Enforcement relies on civil monetary penalties rather than criminal sanctions, with ceilings of up to ₹250 crore per instance of breach.
The Act’s Schedule specifies maximum penalties for key violations, determined by the Data Protection Board of India (DPB) after inquiry. Factors influencing penalty amounts include breach gravity, data sensitivity, repetition, mitigation efforts, and proportionality. The DPDP Rules, 2025, notified in November 2025, operationalize these with an 18-month compliance window.
Key Penalties under the Schedule
Penalties target specific obligations, with the highest for security lapses reflecting their criticality.
| Violation | Relevant Section | Maximum Penalty (₹) | Description |
|---|---|---|---|
| Failure to implement reasonable security safeguards | 8(5) | 250 crore | Includes inadequate measures leading to personal data breaches due to negligence. |
| Non-notification of breach to DPB or data principals | 8(6) | 200 crore | Mandatory prompt reporting required; delays or omissions penalized heavily. |
| Breach of children’s data obligations | 9 | 200 crore | Covers failure to obtain verifiable parental consent or tracking/profiling minors. |
| Significant Data Fiduciary (SDF) additional obligations | 10 | 150 crore | Covers failure to appoint a Data Protection Officer (DPO) and an independent data auditor, or to conduct Data Protection Impact Assessments (DPIAs) and periodic audits. |
| Data principal duties violation | 15 | 10,000 | Rare; applies to individuals who impersonate others, suppress material information, file false or frivolous grievances, or furnish unverifiable information. |
| Breach of a voluntary undertaking | 32 | Up to the cap for the underlying breach | Penalty reverts to the amount applicable to the violation for which proceedings were originally instituted. |
| Any other provision of the Act or Rules | General | 50 crore | Includes consent failures, improper retention, or non-fulfilment of data principal rights. |
These caps ensure proportionality; minor issues attract lower fines.
The Data Protection Board (DPB)
The DPB, established under Section 18, is the primary enforcement body with quasi-judicial powers. Its Chairperson and Members are appointed by the Central Government from persons with relevant domain expertise and hold office for two-year terms, with eligibility for re-appointment. It handles complaints, conducts inquiries, imposes penalties, and issues directions.
Proceedings are triggered by a breach intimation from a data fiduciary, a complaint from a data principal, or a reference from the Central or a State Government, and the person proceeded against is given a hearing in keeping with natural justice. The Board may accept a Voluntary Undertaking (Section 32) for corrective action, which bars proceedings on the matter so long as its terms are honoured. Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days of the order, and from there to the Supreme Court.
Inquiry and Penalty Determination Process
DPB inquiries follow the procedure in Section 28 of the Act and the Rules; the factors governing the amount of any penalty are set out in Section 33(2).
- Complaint Receipt: Data principals or fiduciaries file via portal; DPB verifies jurisdiction.
- Preliminary Assessment: Determines if breach is “significant” based on harm potential.
- Inquiry Initiation: Notices issued; evidence collection, including audits if needed.
- Hearing: Opportunity for defense; Board evaluates factors like:
- Breach nature, gravity, duration.
- Affected data volume/sensitivity.
- Repetition or gains from violation.
- Mitigation timeliness.
- Proportionality and deterrence impact.
- Order: Monetary penalty, directions, or undertaking acceptance; public disclosure for deterrence.
Official guidelines stress digital processes for efficiency, with Rules detailing formats and timelines.
Enforcement Mechanisms and Powers
Beyond penalties, DPB wields broad powers:
- Directions: On intimation of a personal data breach, the Board may direct urgent remedial or mitigation measures, inquire into the breach, and impose penalties (Section 27); its directions can extend to halting processing or erasing data.
- Blocking Access: Where penalties have been imposed on a data fiduciary in two or more instances, the Board may refer the matter to the Central Government, which may in the public interest order that access to the fiduciary's service be blocked (Section 37).
- Audits and DPIAs: Mandatory for SDFs; DPB verifies compliance.
- Mutual Assistance: International cooperation for cross-border issues.
The Central Government oversees DPB via rules, ensuring alignment with national interests. Post-2025 Rules, enforcement ramps up with monitoring tools and annual reports.
CERT-In’s Role in Data Protection Enforcement
CERT-In complements the DPB under the IT Act, 2000, handling cybersecurity incidents including data breaches. Under CERT-In's 2022 directions, organisations must report covered incidents to CERT-In within six hours of noticing them for technical response; this runs in parallel with, and does not replace, the DPDP obligation under Section 8(6) to notify the DPB and each affected data principal.
This dual regime ensures technical mitigation (CERT-In) and accountability (DPB). CERT-In provides threat intelligence, vulnerability assessments, and coordinates responses, aiding DPDP compliance indirectly.
Role of CERT-In Empanelled Organizations
CERT-In empanels auditors for Information Security Audits, crucial for DPDP readiness like security safeguards and DPIAs. These firms conduct Vulnerability Assessments, Penetration Testing (VAPT), and compliance audits for regulators like RBI, IRDAI, NABARD.
Certcube Labs Pvt Ltd is a CERT-In empanelled auditor specialising in cybersecurity services aligned with the DPDP Act. It offers:
- VAPT for Section 8(5) safeguards.
- DPIA support for SDFs.
- Audit trails for breach notifications.
- Compliance with DPDP Rules, including consent management and children’s data handling.
As a Delhi-based firm, Certcube Labs assists in regulatory audits (e.g., RBI SAR, IRDAI, CICRA), training, and remediation, helping avoid penalties. Their expertise ensures organizations meet “reasonable security” standards, reducing DPB inquiry risks.
Penalty Calculation Factors in Detail
Section 33(2) requires the Board to have regard to seven factors when calibrating a penalty.
- Nature, gravity and duration of the breach: intentional or prolonged breaches attract higher fines.
- Type and nature of the personal data affected: the Act has no separate "sensitive data" category, but data such as health or financial records weighs heavier under this factor.
- Repetitive nature of the breach: prior violations increase severity.
- Gain realised or loss avoided: undue profits from the breach count against the violator.
- Mitigation: whether the person acted to limit the effects of the breach, and how timely and effective that action was; swift remediation lowers amounts.
- Proportionality and deterrence: the penalty must be proportionate and effective in securing compliance and deterring breaches.
- Likely impact of the penalty on the person: the financial strain on the violator is weighed in the balance.
Illustration (a hypothetical, not a published order): a bank's unpatched server exposing 1M records might attract a penalty in the ₹100-200 crore range; prompt containment and notification would pull the figure lower.
Practical Implications for Organizations
Fiduciaries must integrate DPDP into governance: appoint DPOs, automate consent capture and withdrawal, encrypt data, and run breach simulations. SDFs (e.g., large platforms) face periodic audits and DPIAs. The cost of non-compliance dwarfs the cost of implementation: a single ₹250 crore penalty exceeds a typical remediation programme many times over.
Training staff and vendors is vital; ignorance isn’t a defense. Leverage CERT-In empanelled auditors like Certcube Labs for gap assessments.
Case Studies and Global Comparisons
Though enforcement is nascent (post-2025 Rules), CERT-In's incident-reporting regime under the IT Act shows the rigour organisations can expect. Globally, the GDPR caps fines at 4% of worldwide annual turnover or €20 million, whichever is higher, whereas DPDP uses fixed rupee ceilings for predictability. Singapore's PDPA allows up to 10% of local annual turnover or SGD 1 million, whichever is higher; the US has no federal equivalent.
Compliance Roadmap
- Gap Analysis: Audit current practices via CERT-In auditors.
- Tech Implementation: Tools for consent, encryption.
- Training: On breach reporting.
- Monitoring: Continuous DPIAs.
- Mock Drills: CERT-In/DPB simulations.
Certcube Labs provides tailored roadmaps, ensuring audit-ready status.
Conclusion: Prioritizing Compliance
DPDP’s penalties underscore data protection as a business imperative. Proactive measures via empanelled experts like Certcube Labs mitigate risks effectively. Organizations ignoring this face financial ruin; compliance builds trust.
