Estimate your DPDP penalty exposure
Answer six quick questions. Get a section-wise breakdown of what the DPDP Act could cost your company, grounded in the actual Schedule and Section 33(2) factors.
This is an indicative estimate, not legal advice. Actual penalties are determined case-by-case by the Data Protection Board of India.
Understanding each penalty category
- Five penalty categories apply to companies, with maximums from ₹50 crore to ₹250 crore.
- The Data Protection Board decides actual amounts case-by-case using seven factors under Section 33(2). Mitigation is the biggest lever.
- Substantive obligations start around 13 May 2027. The window to prepare is now.
This page is an educational explainer, not legal advice. For binding opinions, consult a qualified Indian privacy lawyer.
A quick glossary before we get into the details. Under the DPDP Act, a Data Fiduciary is your company if you decide what personal data to collect and why (most SaaS businesses fall here). A Data Processor is a vendor that handles personal data on your behalf. A Data Principal is the individual whose data is being processed, that is, your user or customer. These five penalty categories are the ones Data Fiduciaries need to plan for.
This is the highest penalty in the DPDP Act, and it targets the basics. Rule 6 of the DPDP Rules 2025 defines what "reasonable" means: encryption or tokenization of personal data, access controls on systems that touch it, audit logs retained for at least one year, backups for continuity, and contractual security clauses with every data processor you use.
Most SaaS companies already do some of this. The gap is usually in the audit trail (logs retained for one year, not three months) and in processor agreements (your third-party vendors need DPDP-compliant Data Processing Agreements, not just generic terms).
When you become aware of a personal data breach, Section 8(6) requires you to notify both the Data Protection Board and the affected individuals. Rule 7 of the DPDP Rules 2025 specifies the timeline: an initial report to the Board without delay, a detailed report within 72 hours, and notification to each affected Data Principal without delay.
A common confusion: the 6-hour rule you may have heard about comes from a separate CERT-In directive under the IT Act, not from DPDP. A serious breach could trigger both obligations, but they are different laws with different requirements. The Board notification must include the nature and extent of the breach, likely consequences, mitigation measures, and findings on the cause.
Under DPDP, "child" means anyone under 18. That is broader than most international privacy laws (GDPR allows member states to set the threshold between 13 and 16; COPPA in the US uses 13). If your product allows users between 13 and 17 to sign up, DPDP requires verifiable parental consent before you process their data.
On top of consent, Section 9 prohibits tracking, behavioural monitoring, and targeted advertising directed at children. Rule 10 requires you to verify that the parent is an identifiable adult, using reliable identity details or government-issued virtual tokens like DigiLocker. EdTech, gaming, and social platforms face the highest exposure here.
If the Central Government designates your company as a Significant Data Fiduciary (SDF) based on data volume, sensitivity, or risk to rights, you face additional obligations under Section 10 and Rule 13. These include appointing an India-based Data Protection Officer, conducting an annual Data Protection Impact Assessment and audit, and performing due diligence on algorithms that affect Data Principals' rights.
The Central Government may also require SDFs to keep certain personal data within India, the only data localization mechanism in DPDP. Most mid-market SaaS companies are unlikely to be designated as SDFs initially, but companies processing data of millions of Indian users should plan for it.
This is the catchall for everything else in the Act: consent collection failures (Section 6), inadequate privacy notices (Section 5), retention beyond the specified purpose (Section 8(7)), not publishing DPO contact information (Section 8(9)), and failing to resolve grievances within the 90-day window for grievance redressal set by Rule 14(3).
At ₹50 crore, this is the lowest company-facing maximum, but it covers the widest surface area. Many of the gaps this calculator flags, like missing consent mechanisms or unclear privacy notices, fall under this category.
Three scenarios, three different exposure profiles
These are composite examples based on common patterns in the Indian SaaS ecosystem. No company is named. The numbers come from this calculator's methodology, applying Section 33(2) factors to realistic inputs.
Customer database exposed through misconfigured S3 bucket
A mid-market B2B SaaS company discovers that a staging database with 80,000 customer records was publicly accessible for three weeks. The data includes names, work emails, and company names. No financial or health data. They have no documented breach response plan and take four days to notify the Board.
Primary exposure: Section 8(5) for the misconfigured access controls and Section 8(6) for the late notification. The lack of a response plan increases the estimate because mitigation actions (a key Section 33(2) factor) were absent.
Estimated range: ₹2 crore to ₹18 crore
Financial data breach with delayed disclosure
A fintech lending platform suffers a breach affecting 500,000 users. The exposed data includes PAN numbers, bank account details, and loan histories. The company becomes aware of the breach but waits two weeks before notifying anyone, attempting an internal fix first.
Primary exposure: Section 8(5) for the security failure, Section 8(6) for the delayed notification, and Schedule Item 7 for likely consent or retention gaps that surface in investigation. Financial data pushes the "type and nature of personal data" factor higher. The two-week delay aggravates the breach notification penalty, and continuing operations without disclosure is a separate aggravating factor under Section 33(2).
Estimated range: ₹25 crore to ₹120 crore
Student data processed without parental consent
An EdTech platform with 200,000 student users (ages 12-17) collects behavioural analytics and uses it for personalized content recommendations. They have no parental consent mechanism and no age verification beyond a date-of-birth field.
Primary exposure: Section 9 for children's data processing without verifiable parental consent, plus the tracking and behavioural monitoring prohibition. The scale (200,000 minors) and the sensitivity (children's behavioural data) both push the estimate higher. However, the company is a first-time offender with no prior incidents, which is a mitigating factor.
Estimated range: ₹10 crore to ₹60 crore
Common questions about DPDP penalties
When does DPDP enforcement actually start?
The substantive provisions of the DPDP Rules 2025 (including security safeguards, breach notification, children's data, and Data Principal rights) come into force eighteen months after notification, which puts the practical compliance deadline at approximately 13 May 2027. Some administrative provisions (Board appointment, procedures) are already in force since the Rules were notified on 13 November 2025. Consent Manager registration requirements start around November 2026.
Is the breach notification deadline 6 hours or 72 hours?
Under DPDP, the detailed breach report to the Data Protection Board must be filed within 72 hours of becoming aware of the breach (Rule 7(2)(b)), with an initial notification sent without delay. The 6-hour rule comes from a separate CERT-In directive under the IT Act 2000 for cybersecurity incidents reported to CERT-In. A serious breach involving personal data could trigger both obligations under both laws.
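The two timelines above (Rule 7's breach notification clock and the separate CERT-In 6-hour directive) are easy to track against a single "became aware" timestamp. The script below is an added example, not part of this page or the calculator; it uses the 72-hour and 6-hour figures stated on the page, and the 24-hour figure it uses for "without delay" is an assumption for flagging clearly late notices, not a number from the Rules. It replays the page's S3 scenario (four days to notify the Board) with constructed timestamps.

```python
from datetime import datetime, timedelta, timezone

# Hour values for the 72-hour and 6-hour windows are as described on this page.
# "Without delay" has no fixed number in the Rules; 24 hours is an ASSUMPTION
# used only to flag obviously late notices, not a legal threshold.
WITHOUT_DELAY_ASSUMED_HOURS = 24
OBLIGATIONS = {
    "cert_in_report": ("CERT-In directive (IT Act), not DPDP", 6),
    "dpdp_initial_report": ("DPDP Rule 7, initial report to the Board", WITHOUT_DELAY_ASSUMED_HOURS),
    "dpdp_principal_notice": ("DPDP Rule 7, notice to affected Data Principals", WITHOUT_DELAY_ASSUMED_HOURS),
    "dpdp_detailed_report": ("DPDP Rule 7(2)(b), detailed report to the Board", 72),
}


def deadlines(aware_at: datetime) -> dict:
    """Map each obligation to the clock time by which it must be met."""
    return {key: aware_at + timedelta(hours=hours) for key, (_, hours) in OBLIGATIONS.items()}


def assess(aware_at: datetime, sent_at: dict, now: datetime) -> dict:
    """Return {obligation: (status, hours_over)}. Status is 'met', 'late' (sent after
    the deadline), 'overdue' (not sent, deadline passed) or 'pending' (still open)."""
    result = {}
    for key, due in deadlines(aware_at).items():
        sent = sent_at.get(key)
        if sent is not None:
            over = (sent - due).total_seconds() / 3600
            result[key] = ("met", 0.0) if over <= 0 else ("late", round(over, 1))
        elif now > due:
            result[key] = ("overdue", round((now - due).total_seconds() / 3600, 1))
        else:
            result[key] = ("pending", 0.0)
    return result


def s3_scenario() -> dict:
    """Page scenario: staging database exposed, Board notified four days after
    discovery, CERT-In never told. Timestamps are constructed for illustration."""
    aware = datetime(2027, 6, 1, 9, 0, tzinfo=timezone.utc)
    notified = aware + timedelta(days=4)
    sent = {k: notified for k in ("dpdp_initial_report", "dpdp_principal_notice", "dpdp_detailed_report")}
    return assess(aware, sent, now=notified)


if __name__ == "__main__":
    for key, (status, over) in s3_scenario().items():
        print(f"{OBLIGATIONS[key][0]}: {status} (+{over}h)")
```

In the replayed scenario every DPDP obligation comes out late and the CERT-In report is still overdue, which is exactly the missing-mitigation pattern the Section 33(2) factors penalise.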
How does the Data Protection Board determine the actual penalty amount?
Section 33(2) of the Act lists seven factors the Board considers: the nature, gravity, and duration of the breach; the type of personal data affected; whether the violation is repeated; whether the company gained from non-compliance; mitigation actions taken and their timeliness; proportionality and deterrent effect; and the likely impact of the penalty on the company. Mitigation is the biggest single lever. A documented, tested breach response plan can substantially reduce exposure.
Can founders and directors be held personally liable?
Yes. Section 33 of the DPDP Act provides for personal liability of officers of a company. If a contravention is committed with the consent or connivance of, or is attributable to neglect on the part of any director, manager, secretary, or other officer, that person can be held liable alongside the company.
Does DPDP apply to companies outside India?
Yes. Section 3 of the Act extends DPDP to processing of personal data outside India if that processing is connected to offering goods or services to individuals within India. A US SaaS company with Indian users, or a European e-commerce site that ships to Indian addresses, falls under DPDP for the personal data of those Indian users.
What counts as "reasonable security safeguards" under DPDP?
Rule 6 of the DPDP Rules 2025 defines the minimum standard: encryption or tokenization of personal data, access controls on systems, audit logs with at least one year of retention, backup capabilities for continuity, contractual security clauses with data processors, and technical and organisational measures to ensure effective observance. Companies already following SOC 2 or ISO 27001 controls will find significant overlap, but the one-year log retention and processor contract requirements catch many off guard.
Is this calculator a substitute for legal advice?
No. This calculator provides indicative estimates based on the DPDP Act 2023 and DPDP Rules 2025. Actual penalties are determined case-by-case by the Data Protection Board of India, which has not yet issued enforcement decisions. The Board is being constituted during the implementation window (November 2025 to May 2027). For binding opinions on your company's specific situation, consult a qualified Indian privacy lawyer.
The calculator tells you what you might owe. Neriq shows you exactly where the gaps live, and which enterprise deals they're blocking.
How this calculator works
This estimates a likely penalty range using the seven factors named in Section 33(2) of the Act: nature, gravity and duration of the breach; type and sensitivity of personal data affected; repetitive nature of the contravention; whether the person realised gain or avoided loss; mitigation actions taken and timeliness; proportionality and deterrent effect; and likely impact of the penalty on the person.
Mitigation is the biggest single lever. A documented, tested breach response plan can reduce exposure substantially.
This is an indicative estimate, not legal advice. Actual penalties are determined case-by-case by the Data Protection Board of India. The Rules' substantive provisions come into force in phases starting around May 2027 (eighteen months after notification, per Rule 1). For binding legal opinions, consult a qualified Indian privacy lawyer.
The full Neriq platform.
Evidence your auditor can verify. Built for the way enterprise deals actually close.
- Connect your stack. Mapped against what auditors and enterprise buyers actually ask about.
- Find what's broken. SOC 2, ISO 27001, and DPDP gaps ranked by deal impact.
- Ship the evidence. Audit-ready exports buyers actually accept.