What the DPDP Act 2023 penalty framework actually says
Section 33 of the DPDP Act 2023 lists penalty slabs adjudicated by the Data Protection Board of India. The headline figures are: up to ₹250 crore for failure to take reasonable security safeguards; up to ₹200 crore for failure to notify a personal-data breach; up to ₹150 crore for failure to fulfil additional obligations of a Significant Data Fiduciary; up to ₹50 crore for breach of obligations regarding children's personal data. These are not aggregate caps for an organisation — they apply per contravention, and the Board has discretion to apply them in parallel.
When DPDP Act 2023 penalties apply to an Indian startup
Any entity — including a one-person startup — that processes personal data of Indian residents for a commercial purpose qualifies as a Data Fiduciary under Section 2(i) of the Act. There is no revenue floor, no employee count threshold, and no carve-out for pre-revenue or pre-funding stage. The moment your product collects an Indian resident's email, mobile number, name, address, location, payment data, or any identifier that reasonably links back to them, you are inside the Act's perimeter.
Step-by-step: how to stay out of the penalty band
First, inventory your personal-data surface — every field, every consent surface, every processor your data touches. Second, implement reasonable security safeguards proportionate to the data you process (Schedule I) — encryption at rest and in transit, access controls, vulnerability management, breach detection. Third, stand up a consent management workflow with clear withdrawal mechanisms in the language of the data principal's choice. Fourth, build the data-principal rights workflow (access, correction, erasure, grievance) with response timelines. Fifth, document your breach response with the 72-hour Board notification clock built into the playbook. Sixth, maintain vendor Data Processing Agreements for every processor in your chain.
Inventory personal data — fields, surfaces, processors
Implement Schedule I security safeguards proportionate to surface
Consent management with withdrawal in the principal's language
Data-principal rights workflow with documented SLAs
Breach response playbook with 72-hour Board notification timing
Vendor DPA library for every processor
Common mistakes Indian SMBs make
The most common Indian SMB mistake is treating DPDP compliance as a policy-document exercise: drafting a privacy policy, posting it on the website, and calling it done. The Board's enforcement model is evidence-based — what matters is not whether you have a policy but whether you have the operational evidence that you followed it. The second-most-common mistake is missing the 72-hour breach notification window because the incident-response playbook lives in someone's head, not in writing. The third is letting third-party processors operate without DPAs, which leaves you, as the Data Fiduciary, liable for their failures.
How Bachao.AI automates DPDP compliance
Bachao.AI's DPDP module ships the operational workflows the Act actually requires — data inventory, consent management, breach playbook, data-principal rights, vendor DPA tracking — as software, not slide-decks. The platform timestamps every action, generates board-ready quarterly reports, and produces the evidence trail your DPO needs when the Board's adjudicating officer asks for it.
DPDP Act 2023 alignment
Every penalty exposure described on this page maps directly to a section of the Act and its published Rules. Bachao.AI's platform tracks each obligation against its statutory source — so when your compliance team audits our mapping, they can trace every check back to the legislation it implements.
Don't find out you were a Data Fiduciary at the Board hearing
Run a free DPDP baseline assessment. We'll show you exactly where your startup sits against the seven Schedule I obligations.