
The ₹250 crore question: what DPDP non-compliance actually costs

Ayush Joshi, 12 March 2026
Tags: DPDP, penalties, risk, data breach

DPDP penalties run to ₹250 crore — but the headline number isn't the whole story. Here's what actually triggers a penalty, and the everyday failures that put SMEs at risk.

The number that gets everyone's attention is ₹250 crore. It's the maximum penalty under the DPDP Act, and it's real. But the headline figure is also the least useful part of the conversation — because most businesses won't fail in one dramatic ₹250 crore event. They'll fail quietly, in small everyday ways, and the penalties for those are what should actually worry you.

Let's break down what non-compliance really costs, and how businesses get there.

What the ₹250 crore is for

The Act sets out a schedule of penalties, with the highest reserved for failing to take reasonable security safeguards to prevent a personal-data breach. That's the ₹250 crore ceiling — and it exists because a breach of poorly protected data can harm a very large number of people.

It's a ceiling, not a flat fine. The Data Protection Board weighs the nature and gravity of the failure, how many people were affected, whether it was repeated, and what the business did (or didn't do) about it. A small business with modest data isn't looking at ₹250 crore for a minor lapse — but "it won't be the maximum" is cold comfort when the other penalties are still substantial and stack up per failure.

The failures that actually catch SMEs

Here's where the real risk lives — not in one catastrophic breach, but in the routine obligations businesses don't even know they have:

Ignoring a deletion request. A customer asks you to delete their data. You don't have a process, the email gets lost, nothing happens. That's a failure to honour a Data Principal's rights — with its own penalty, and the clock was running the whole time.

Not reporting a breach. A leaked spreadsheet, a compromised login, an ex-employee who still has access. You either don't notice, or you notice and don't report it in time. The reporting obligation isn't optional, and the windows are tight.

Mishandling data you shouldn't have collected. Holding more than you need, keeping it longer than you should, using it for things the person never agreed to. Each is a failure waiting to be found.

No records to show. When the Board asks what you hold, why, and on what basis — and you can't answer — the absence of records is itself a problem. "We didn't keep track" is not a defence.

Notice the pattern: none of these is a hacker breaking down your door. They're ordinary gaps in ordinary businesses. And every one of them carries a penalty, assessed per instance.

Why "we'll deal with it if we get caught" doesn't work

Two reasons.

First, enforcement under DPDP is complaint-driven as much as audit-driven. It only takes one disgruntled customer, one ex-employee, or one competitor to file a complaint — and now the Board is looking at a business that has no records, no process, and no defence.

Second, the cost of getting compliant after a problem is far higher than the cost of being compliant before one. Once there's a complaint or a breach, you're not building a calm compliance process — you're scrambling under scrutiny, often with legal counsel on the clock, trying to reconstruct records that should have existed all along.

The real math

The honest way to think about DPDP cost isn't "what's the maximum fine." It's: what would one breach, one ignored request that becomes a complaint, or one Board inquiry actually cost my business — in penalties, in legal fees, in time, and in the customer trust that doesn't come back?

Against that, continuous compliance is cheap. It's the difference between a manageable ongoing cost and an unbounded, unpredictable one.

That's the case for getting ahead of it — and for not doing it alone. We built Pramaan to make the everyday obligations visible and handled, so the small failures that turn into big penalties simply don't slip through.

This article is general information, not legal advice. Penalty outcomes depend on the specific facts and the Data Protection Board's assessment. If you'd like to understand your actual exposure, book a free compliance review.
