Penalties and Adjudication: The Cost of Non-Compliance
Author: Jerisaliant
Shifting from Criminal to Civil Penalties
A major relief in the DPDPA 2023 compared to earlier drafts is the removal of criminal penalties for company executives. There is no jail time. However, the financial penalties have been significantly rationalized and increased to ensure they act as a genuine deterrent.
The Penalty Schedule
The Act specifies maximum penalties for different types of contraventions:
| Contravention | Max Penalty (INR) |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Up to ₹250 Crore |
| Failure to notify the Board or Data Principal of a personal data breach | Up to ₹200 Crore |
| Non-fulfillment of additional obligations in relation to children | Up to ₹200 Crore |
| Non-fulfillment of obligations by Significant Data Fiduciary | Up to ₹150 Crore |
Adjudication Process
Penalties are not automatic. The Data Protection Board (DPB) will conduct an inquiry. Before imposing a penalty, the Board will consider:
- The nature, gravity, and duration of the breach.
- The type of personal data affected.
- Whether the person has realized a gain or avoided a loss.
- The action taken to mitigate the breach.
This nuanced approach encourages businesses to be proactive. Proving that you had "reasonable security safeguards" despite a breach could significantly reduce your liability.