1. How many individuals’ personal data do you hold?
2. Do you have reasonable, tested security safeguards (encryption, access control, logging)?
3. Do you have a documented breach detection & notification process (to the Board and affected persons)?
4. Do you have consent, privacy notice, grievance redressal and erasure mechanisms for data principals?
5. Do you process data of children (under 18)?
6. Could you be a Significant Data Fiduciary (large-scale or sensitive data)? If so, do you have a DPO, DPIA and independent audit?
How DPDP penalties work
₹250 crore is real
The Schedule to the DPDP Act, 2023 sets a maximum penalty of ₹250 crore for failing to take reasonable security safeguards to prevent a data breach — the single largest cap in the Act.
Penalties stack by obligation
Different failures carry separate caps — breach notification (₹200 cr), children’s data (₹200 cr), Significant Data Fiduciary duties (₹150 cr) and other provisions (₹50 cr) — so exposure adds up across gaps.
Gaps are fixable now
The Board weighs the nature, gravity and duration of a breach. Closing gaps with a DPDP readiness plan before enforcement is the most reliable way to reduce both exposure and the odds of action.
