What Are the Penalties Under the DPDP Act? The Full 2026 Schedule


₹250 crore is not a ceiling that applies only to the most egregious violations. It is the penalty for a single category of failure — inadequate security safeguards — that most Indian enterprises are currently exposed to. The DPDP Act, 2023’s penalty schedule is not designed to warn. It is designed to hold.

Most penalty guides list the numbers. This one explains what triggers them and what your Databricks estate must do to prevent each one.

What you will master in this guide:

  • The complete DPDP penalty schedule and the section behind each fine
  • What specific failure triggers each penalty — not just the amount
  • The data engineering controls that directly shield against the top 3 penalties
  • The cumulative exposure your organization carries right now

For the full compliance roadmap, read the DPDP readiness on Databricks: complete guide 2026.

What Is the Full DPDP Penalty Schedule for 2026?

The DPDP Act’s penalty schedule is defined in the Schedule appended to the Act and in Section 33. The Data Protection Board of India (DPBI) — established under Section 18 — has the authority to investigate complaints, conduct inquiries, and impose penalties. The Board became operational on November 13, 2025. It can act today.

Here is the complete 2026 DPDP penalty schedule:

| Violation | Governing Section | Maximum Penalty |
| --- | --- | --- |
| Failure to implement reasonable security safeguards | Section 8(5) | ₹250 crore |
| Failure to notify DPBI of a personal data breach | Section 8(6) | ₹200 crore |
| Failure to notify affected data principals of a breach | Section 8(6) | ₹200 crore |
| Non-fulfillment of data principal rights requests | Section 11 / Rule 14 | ₹50 crore per violation |
| Violation of Significant Data Fiduciary obligations | Section 10 | ₹150 crore |
| Non-compliance with DPBI directions or orders | Section 33 | ₹50 crore |
| Violation of consent obligations | Section 6 | ₹200 crore |
| Violation of data retention / purpose limitation obligations | Section 8 | ₹150 crore |
| Other violations not separately specified | Schedule | ₹50 crore |

Penalties are per violation — not per incident. A single breach that triggers both the security safeguard failure (₹250 crore) and the notification failure (₹200 crore) simultaneously creates ₹450 crore in combined exposure. This is not a theoretical risk. It is the default outcome of a poorly instrumented data estate.

What Triggers the ₹250 Crore Security Safeguard Penalty?

This is the penalty most boards don’t fully understand. The ₹250 crore exposure does not require a breach to have occurred. It applies when a Data Fiduciary fails to implement reasonable security safeguards — whether or not that failure results in a breach.

“Reasonable security safeguards” is defined by the Board through guidelines, but current best practice maps to:

  • Encryption of personal data at rest and in transit → Unencrypted Delta tables containing personal data are a direct exposure
  • Access controls at column and row level → Unity Catalog column masking and row-level security are not optional governance — they are penalty shields
  • Audit logging of all access to personal data → Passive logs that are not actively monitored and alerting are not “reasonable”
  • Anomaly detection on data access patterns → A breach you detect 2 weeks late does not extend your notification window — it eliminates it

Zomato processes delivery addresses, payment data, and behavioral profiles for over 100 million users. An estate of that scale without column-level access controls and active anomaly detection on PII access is not a compliance gap. It is a ₹250 crore liability waiting for the Board to receive the first complaint.

The ₹250 crore penalty does not require a breach. It requires the absence of reasonable safeguards. Most Databricks estates are already exposed.

What Triggers the ₹200 Crore Breach Notification Penalty?

The 72-hour rule is the most operationally demanding requirement in the Act. Section 8(6) requires notification to the DPBI within 72 hours of becoming aware of a personal data breach. Affected data principals must be notified immediately thereafter.

Here’s what most compliance teams get wrong: the window starts from detection, not from when the breach occurred. A breach that happened 3 weeks ago but was detected today gives you 72 hours from today. A detection system that identifies breaches 5 days after they occur gives you negative 48 hours.

The failure mode is not missing the deadline intentionally. The failure mode is:

  • No automated breach detection configured on Unity Catalog audit logs → Manual investigation timelines cannot meet the 72-hour window at enterprise scale
  • Breach notification process not pre-built and tested → A notification process being drafted after detection is already too slow
  • Notification template not pre-approved by legal → Every hour spent drafting is an hour closer to ₹200 crore

The 72-hour breach notification penalty is not a compliance problem. It is a detection and automation problem.
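The two control gaps named above, anomaly detection on PII access patterns and automated breach detection over audit logs, come down to a small amount of logic once the audit events are available. The following is an added example, not code from the original post or from any Databricks or Sinki.ai product: it builds a per-user daily baseline of reads against PII tables from constructed audit events, flags the day that breaks from that baseline, and then runs the Section 8(6) 72-hour clock from the moment of detection rather than from the breach itself. The event shape (event_time, user, table, action), the table names, the dates and the thresholds are all assumptions constructed for illustration; the real Databricks audit system tables use a different schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed for this example: a simplified audit-event shape (event_time,
# user, table, action). The real Databricks audit system tables use a
# different schema; only the detection logic is the point here.
PII_TABLES = {"prod.customers.pii_profiles", "prod.payments.cards"}  # assumed names
BASE_DAY = datetime(2026, 1, 5, tzinfo=timezone.utc)  # constructed date
NOTIFICATION_WINDOW = timedelta(hours=72)  # Section 8(6), measured from awareness


def _reads(user, table, day_index, count, hour=9):
    """Emit `count` constructed read events for one user/table on one day."""
    start = BASE_DAY + timedelta(days=day_index, hours=hour)
    return [
        {"event_time": start + timedelta(minutes=i), "user": user,
         "table": table, "action": "read"}
        for i in range(count)
    ]


def build_sample_events():
    """Six constructed days: steady ETL reads, a modest analyst baseline,
    then a sudden analyst spike on the last day."""
    events = []
    for day, n in enumerate([4, 6, 5, 5, 5, 120]):
        events += _reads("analyst@example.com", "prod.customers.pii_profiles", day, n)
    for day in range(6):
        events += _reads("etl@example.com", "prod.customers.pii_profiles", day, 50, hour=2)
    # Non-PII traffic must not move the PII baseline or trigger a finding.
    events += _reads("etl@example.com", "prod.ops.metrics", 5, 300)
    return events


def daily_pii_reads(events, pii_tables):
    """Return (user -> {date: PII read count}, (user, date) -> first event time)."""
    counts = defaultdict(lambda: defaultdict(int))
    first_seen = {}
    for e in events:
        if e["action"] != "read" or e["table"] not in pii_tables:
            continue
        day = e["event_time"].date()
        counts[e["user"]][day] += 1
        key = (e["user"], day)
        if key not in first_seen or e["event_time"] < first_seen[key]:
            first_seen[key] = e["event_time"]
    return counts, first_seen


def detect_anomalous_access(events, pii_tables, z=3.0, min_baseline_days=3):
    """Flag users whose latest-day PII read volume is far above their own history.

    Baseline = every day except the latest. The deviation floor keeps a perfectly
    flat baseline (sigma == 0) from flagging a one-event increase.
    """
    counts, first_seen = daily_pii_reads(events, pii_tables)
    findings = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        if len(days) <= min_baseline_days:
            continue  # too little history; new identities need a separate rule
        *history, latest = days
        baseline = [per_day[d] for d in history]
        mu, sigma = mean(baseline), pstdev(baseline)
        threshold = mu + z * max(sigma, 0.1 * mu, 1.0)
        observed = per_day[latest]
        if observed > threshold:
            findings.append({
                "user": user, "day": latest, "observed": observed,
                "baseline_mean": mu, "threshold": threshold,
                "first_seen": first_seen[(user, latest)],
            })
    return findings


def notification_deadline(detected_at):
    """The 72-hour clock runs from awareness (detection), not from the breach."""
    return detected_at + NOTIFICATION_WINDOW


def hours_remaining(detected_at, now):
    """Hours left on the DPBI notification window at time `now`."""
    return (notification_deadline(detected_at) - now) / timedelta(hours=1)


def detection_lag_hours(first_anomalous_event, detected_at):
    """How long the suspicious access ran before anyone was aware of it."""
    return (detected_at - first_anomalous_event) / timedelta(hours=1)


if __name__ == "__main__":
    events = build_sample_events()
    for f in detect_anomalous_access(events, PII_TABLES):
        detected = f["first_seen"] + timedelta(hours=9)  # constructed: alert triaged 9h later
        print(f"{f['user']}: {f['observed']} PII reads on {f['day']} "
              f"(baseline {f['baseline_mean']:.1f}, threshold {f['threshold']:.1f})")
        print(f"  lag before detection: {detection_lag_hours(f['first_seen'], detected):.0f} h; "
              f"DPBI notification due by {notification_deadline(detected).isoformat()}")
```

The baseline is per identity, so a service principal that legitimately reads 50 rows of PII a day is not flagged while an analyst jumping from a handful of reads to 120 is. The deviation floor (max of the observed sigma, 10% of the mean, and 1) is the usual guard against a flat history producing a zero-width threshold. The deadline helper is deliberately separate from detection: the point of the section is that the 72 hours only begin once the alert fires, so the lag between `first_seen` and `detected` is the time the organisation cannot get back.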

What Triggers the SDF Penalty of ₹150 Crore?

The Significant Data Fiduciary (SDF) designation carries a separate penalty tier of up to ₹150 crore for violations of SDF-specific obligations. Those obligations include:

  • Failure to appoint an India-resident Data Protection Officer
  • Failure to conduct annual Data Protection Impact Assessments (DPIAs)
  • Failure to submit to annual data audits by an independent auditor
  • Non-compliance with data localization requirements if notified

The SDF penalty is cumulative with the base penalty schedule. An SDF that also fails on security safeguards faces ₹250 crore + ₹150 crore = ₹400 crore in combined exposure from 2 simultaneous violations.

The assessment question your compliance team must answer before May 2027: has your organization been designated as an SDF, or is it at risk of designation? Large BFSI, fintech, and healthtech enterprises processing data for millions of Indian users are the most exposed.

The Cumulative DPDP Penalty Exposure Model

This is the section most DPDP penalty guides skip.

Penalties are not mutually exclusive. A single compliance failure can trigger multiple simultaneous penalties. Here is a realistic exposure model:

| Scenario | Violations Triggered | Combined Exposure |
| --- | --- | --- |
| Security breach with no automated detection | Security safeguard (₹250Cr) + Breach notification failure (₹200Cr) | ₹450 crore |
| SDF designation missed, DPO not appointed | SDF obligation (₹150Cr) | ₹150 crore |
| Rights requests ignored for 60 days | Rights fulfillment failure × volume of requests (₹50Cr each) | ₹50 crore+ |
| Consent collected without purpose specification | Consent violation (₹200Cr) | ₹200 crore |
| Worst-case combined scenario | Security + Breach notification + SDF + Consent | ₹800 crore+ |

The worst-case combined scenario is not hypothetical. It is the outcome of an organization that ran workshops but never built compliant infrastructure.

Final Verdict

The DPDP penalty schedule is not a deterrent for bad actors. It is a financial consequence for organizations that understood their obligations and still didn’t build the systems to fulfill them. ₹250 crore for security failures. ₹200 crore for missed breach notification. ₹150 crore for SDF non-compliance. All simultaneously available. All Board-enforceable from November 2025.

The only question is whether your Databricks estate closes the exposure before the first enforcement notice arrives — or after.

For the implementation roadmap that directly mitigates these penalties, read DPDP readiness roadmap: implementation, operating model, and audit preparation.

FAQ: DPDP Act Penalties

What is the maximum penalty under the DPDP Act?

₹250 crore — for failure to implement reasonable security safeguards under Section 8(5). This is the highest single penalty in the schedule and can be combined with other simultaneous violations, creating total exposure well above ₹250 crore.

Can multiple DPDP penalties be applied simultaneously?

Yes. Penalties are per violation, not per incident. A data breach that also triggers a notification failure creates ₹250 crore (security) + ₹200 crore (notification) = ₹450 crore in combined exposure from a single event.

What triggers the ₹200 crore breach notification penalty?

Failure to notify the Data Protection Board of India within 72 hours of becoming aware of a personal data breach, or failure to notify affected data principals immediately thereafter. The window starts from detection — a slow detection system eliminates your notification window.

What is the penalty for failing to fulfill data principal rights requests?

Up to ₹50 crore per violation under Section 11 and Rule 14. Since rights requests are individual — each unfulfilled request is a separate violation — this penalty can multiply rapidly at enterprise scale.

When can the DPBI begin imposing penalties?

The Data Protection Board of India became operational on November 13, 2025 and can investigate complaints and impose penalties today. Full enforcement of all penalty provisions activates May 13, 2027, but Phase 1 violations are already actionable.

What engineering controls directly reduce DPDP penalty exposure?

Unity Catalog column masking and row-level security (₹250Cr security penalty shield), automated breach detection alerting on PII access (₹200Cr notification penalty shield), and automated rights fulfillment pipelines with 7-day SLA (₹50Cr rights penalty shield). Each technical control maps directly to a penalty category.

Sinki.ai’s DPDP compliance suite – Audit Gap Finder, Consent Manager, and Data Erasure

Directly addresses the top 3 penalty exposures natively inside your Databricks workspace.


Written by Paras Dhyani

Paras Dhyani is a Databricks Certified Data Engineer Professional specializing in scalable data architecture and analytics. He focuses on transforming complex data challenges into streamlined, production-ready engineering solutions. Through his writing, Paras provides practical insights into building and optimizing high-performance systems on the Databricks platform.

