
The Real Consequences of DPDPA Non-Compliance: Penalties, Personal Liability and Business Impact

The DPDP Act doesn't just fine companies: it puts board-level accountability for data protection on the record, lets the Data Protection Board direct processing to stop, and reshapes B2B procurement. Here's the full picture of what non-compliance actually costs Indian businesses in 2026.

Consently
28 April 2026
11 min read

When most boards discuss DPDPA non-compliance, the conversation centres on the headline number: ₹250 crore in maximum penalties under Section 33. That number is meant to focus the mind, and it does.

But the financial penalty is only one of six categories of consequence the DPDPA creates. The others (board and DPO accountability, forced operational suspension, B2B procurement exclusion, customer trust erosion, and cross-border restriction) are arguably more consequential for an ongoing business than a single fine, however large.

This piece walks through all six. If your organisation is processing the personal data of Indian users — whether you are based in Bengaluru or Berlin — these are the consequences you should be planning around.


1. Financial Penalties: What's Underneath the ₹250 Crore Headline

The Schedule to the Digital Personal Data Protection Act, read with Section 33, sets out a graded penalty structure. Each figure is a ceiling; the Data Protection Board fixes the actual penalty in a given case after hearing the person concerned, taking into account the factors listed in Section 33(2): the nature, gravity and duration of the breach, the type and nature of personal data affected, whether the breach is repetitive, whether a gain was realised or a loss avoided, what was done to mitigate the effects and how promptly, and the likely impact of the penalty.

Contravention | Provision breached | Maximum penalty
Failure to take reasonable security safeguards to prevent a personal data breach | Section 8(5) | ₹250 crore
Failure to notify the Board and affected data principals of a breach | Section 8(6) | ₹200 crore
Non-fulfilment of additional obligations relating to children | Section 9 | ₹200 crore
Non-fulfilment of additional obligations of a Significant Data Fiduciary | Section 10 | ₹150 crore
Breach of duties by a Data Principal | Section 15 | ₹10,000
Breach of any term of a voluntary undertaking accepted by the Board | Section 32 | up to the penalty for the underlying breach
Any other contravention of the Act or the Rules | | ₹50 crore

The ₹250 crore figure is a cap per breach, not a lifetime total. An organisation that suffers two distinct breaches in two years can in principle face two penalties, and the second inquiry will weigh the first under the "repetitive nature" factor in Section 33(2).

Equally important is what the Board can do before any penalty is determined. Section 28(7) lets it issue interim orders while an inquiry is running, and Section 27(1)(a) lets it direct urgent remedial or mitigation measures as soon as it receives a breach intimation. For a digital business, an interim order that in practice stops the processing under inquiry can be more disruptive than the eventual fine.


2. Board and DPO Accountability: Where Individuals Come Into the Frame

The DPDPA is routinely described as imposing personal liability on directors under Section 9. Read the Act before repeating that. Section 9 is the children's-data provision (the ₹200 crore row in the Schedule above). The Act creates civil penalties, not criminal offences, and it contains no "offences by companies" clause of the kind found in Section 85 of the IT Act 2000, which deems every person "in charge of, and responsible to, the company for the conduct of its business" guilty unless they prove the contravention happened without their knowledge or that they exercised due diligence to prevent it. Penalties under Section 33 are imposed on the "person" found in breach, and for a corporate Data Fiduciary that person is the company.

That does not make compliance a purely corporate concern. Section 10(2)(a) requires a Significant Data Fiduciary's Data Protection Officer to be based in India and to be responsible to the board of directors or an equivalent governing body, so the DPO is the named individual who answers to the board for the programme. Directors owe duties of due and reasonable care, skill and diligence under Section 166 of the Companies Act 2013, and a ₹250 crore exposure arising from safeguards the board never asked about is precisely the kind of failure those duties are tested against. The Board's own penalty factors in Section 33(2), including what was done to mitigate a breach and how promptly, are questions about what management did and when.

The practical implication for boards is that the audit trail of consent decisions, breach response and rights handling is the evidence of due diligence, for the organisation and for the individuals who ran it. If you are a director or a DPO, you want demonstrable evidence that the company exercised that diligence, and it has to come from your consent infrastructure, your data protection processes and your training records.


3. Operational Suspension: The Business Continuity Risk

The Board's toolkit is not limited to fines. Section 27(2) lets it issue such directions as it considers necessary to discharge its functions, Section 27(1)(a) lets it direct urgent remedial or mitigation measures the moment it is notified of a breach, and Section 28(7) lets it issue interim orders while an inquiry is still open. Read together, those powers can stop a specified processing activity long before any penalty is determined. For a fintech or a digital advertising platform, suspension of processing is an existential event, not a financial inconvenience.

Examples of how this consequence plays out in practice:

  • A consumer app that has been collecting precise location without granular consent receives an order to suspend that processing pending compliance — affecting the entire product experience overnight.
  • An ad-tech platform with insufficient consent granularity is ordered to halt the use of behavioural data — collapsing core revenue.
  • A data processor handling payroll for multiple clients faces a suspension that cascades into client breach of their own contractual obligations.

This is the consequence Indian businesses most consistently underestimate. A ₹50 crore fine is recoverable. A two-week suspension of core processing during a high-traffic period may not be. And the escalation path does not end with the Board: under Section 37, once a Data Fiduciary has been penalised in two or more instances, the Board may refer the matter to the Central Government, which can direct that public access to the offending computer resource be blocked.


4. B2B Procurement Exclusion

Within enterprise India, DPDPA compliance is fast becoming a non-negotiable in vendor onboarding. Banks, NBFCs, insurers, large pharma, and the major industrial conglomerates are all asking the same question in their security questionnaires: are you DPDPA compliant, and can you attest to it in writing?

An organisation that cannot provide a credible answer is increasingly being excluded from procurement processes — not after a public incident, but at the front door. The consequence is invisible until you trace which deals you didn't get to the final round of, and why.

The same dynamic applies to organisations serving EU and UK customers. India has no EU adequacy decision, so data flows from the EU into India rest on Standard Contractual Clauses and the transfer impact assessment that goes with them, and customers operating under GDPR increasingly treat DPDPA compliance as part of that assessment and as a precondition for any data flow into India. Non-compliance becomes a tax on cross-border revenue.


5. Reputational and Customer Trust Damage

Cisco's 2024 Data Privacy Benchmark Study found that 94% of the organisations surveyed said their customers would not buy from them if they did not properly protect customer data. Indian consumer surveys from DSCI and LocalCircles point the same way, showing rapidly rising awareness of privacy rights since the DPDPA was passed.

The consequence of a publicly reported breach goes beyond immediate churn. It includes:

  • Search-engine memory. A breach disclosure becomes the top result for the brand for months. Even after remediation, the news article persists.
  • Customer acquisition cost inflation. Performance marketing channels show measurably higher CPAs for brands carrying recent privacy incidents.
  • Insurance premium escalation. Cyber-liability insurers re-rate post-incident, with premium increases of 40% to 80% common in Indian renewals.

The fine is one-time. The brand cost compounds.


6. Cross-Border Data Transfer Restrictions

Section 16 of the DPDPA permits cross-border transfer of personal data to any country except those the Central Government restricts by notification (a negative list), and Section 16(2) preserves any stricter sectoral rule, such as the RBI's localisation requirement for payment system data. The flip side is that an organisation that cannot show DPDPA compliance at home cannot credibly show its overseas processors and affiliates are protected either, which closes off legitimate use cases like cloud hosting, offshored support and global analytics.

For Indian SaaS companies in particular, where the customer base is global and the data architecture necessarily multi-region, DPDPA compliance is the foundation that makes cross-border data movement defensible. Without it, every cross-border processing arrangement is exposed.


What These Consequences Mean Together

Read in isolation, each consequence is manageable. Read together, they describe a regulatory environment where non-compliance is not a single line on a risk register — it is a category of risk that touches almost every part of the business.

Board and DPO accountability changes the conversation in the boardroom. The operational suspension power changes the conversation in the engineering team. The procurement exclusion changes the conversation with the sales team. The reputational compounding changes the conversation with marketing. And the financial penalty makes sure the CFO is in the room for all of it.

The organisations that have understood this best are not the ones that have spent the most on compliance. They are the ones that have built consent and data rights as operational infrastructure, not as a compliance afterthought.


The Five-Point Checklist to Avoid Becoming a Case Study

  1. Map your personal data. What you collect, where it lives, why, who you share it with, for how long. Without this, every downstream control is a guess.
  2. Implement granular, purpose-based consent. The blanket consent model that worked for the IT Act will not survive the DPDPA. You need explicit, specific, informed consent for each purpose.
  3. Build data principal rights workflows. Access, correction, erasure, and nomination — with audit trail — within the 90-day Rules timeframe.
  4. Establish breach notification that meets Rule 7 of the DPDP Rules 2025: affected data principals and the Board informed without delay, and a detailed report to the Board within 72 hours of becoming aware of the breach (longer only if the Board allows it on request). That needs a documented incident response plan, rehearsed twice a year, with template communications and Board-notification logic.
  5. Train your leadership team. The DPO answers to the board under Section 10(2)(a), and the board answers for diligence. Annual privacy training is no longer optional for the executive team.

For most Indian businesses, items two, three and four can be substantially handled by a competent consent management platform. The cost of doing this properly is meaningfully lower than the cost of not.


How Consently Helps Reduce Non-Compliance Risk

Consently is built specifically for the DPDPA — not GDPR with an Indian flag. Three design choices are particularly relevant to non-compliance risk:

  • Auditable consent records. Every consent action (capture, withdrawal, modification) is stored as an immutable artefact with cryptographic timestamping. This is the audit trail that lets a board and its DPO demonstrate due diligence.
  • Zero-PII Consent ID. Our consent records use a deterministic identifier (CNST-XXXX format) that contains no personal data. Even if the consent layer were compromised, the breach surface is meaningfully smaller.
  • Mumbai data residency. Consent records — themselves personal data — are stored in India by default. This eliminates the cross-border consent record exposure most legacy CMPs carry.
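The two properties claimed above, a tamper-evident consent trail and a consent identifier that carries no personal data, are general techniques rather than anything specific to one vendor. The following is an added illustration, not Consently's code, and it assumes nothing about the CNST-XXXX format: the identifier is derived here with a keyed HMAC over the normalised e-mail address (the key, the "CID-" prefix, the event schema and the sample data principal are all constructed for the example), and each consent event commits to the hash of the previous one so that editing history is detectable.

```python
import dataclasses
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

# Constructed demo key. In production this belongs in a KMS/HSM; rotating it
# changes every pseudonym, so key rotation has to be planned for. (Assumption.)
PSEUDONYM_KEY = b"demo-only-consent-id-key"


def consent_id(principal_email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic, keyed pseudonym for a data principal.

    Same e-mail + same key -> same ID, so one person's records link together,
    but the ID cannot be reversed or dictionary-attacked without the key (a
    plain SHA-256 of an e-mail address could be). The "CID-" format is an
    assumption for this example, not a vendor format.
    """
    normalised = principal_email.strip().lower().encode()
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "CID-" + digest[:16].upper()


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    consent_id: str
    purpose: str
    action: str       # "grant" | "withdraw" | "modify" (modify = scope change, state unchanged)
    ts: str           # RFC 3339 UTC timestamp supplied by a trusted time source
    prev_hash: str    # hash of the previous event, or GENESIS for the first
    hash: str = ""


def _event_hash(fields: dict) -> str:
    # Canonical JSON so key order and whitespace cannot change the hash.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained consent log.

    Every entry commits to the previous entry's hash, so altering or deleting
    any historical record invalidates that record's hash (or the next entry's
    prev_hash) and verify() reports the first inconsistent position.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def append(self, cid: str, purpose: str, action: str, ts: str) -> ConsentEvent:
        if action not in ("grant", "withdraw", "modify"):
            raise ValueError(f"unknown consent action {action!r}")
        prev = self.events[-1].hash if self.events else self.GENESIS
        fields = {"seq": len(self.events), "consent_id": cid, "purpose": purpose,
                  "action": action, "ts": ts, "prev_hash": prev}
        event = ConsentEvent(**fields, hash=_event_hash(fields))
        self.events.append(event)
        return event

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = self.GENESIS
        for i, event in enumerate(self.events):
            fields = asdict(event)
            fields.pop("hash")
            if event.seq != i or event.prev_hash != prev or _event_hash(fields) != event.hash:
                return i
            prev = event.hash
        return None

    def current_consent(self, cid: str, purpose: str) -> bool:
        """Replay the log: the latest grant/withdraw for (principal, purpose) wins."""
        state = False
        for event in self.events:
            if event.consent_id == cid and event.purpose == purpose:
                if event.action == "grant":
                    state = True
                elif event.action == "withdraw":
                    state = False
        return state


def demo() -> dict:
    """Constructed scenario: a grant, a second grant, a withdrawal, then an
    attempt to rewrite the withdrawal back into a grant after the fact."""
    ledger = ConsentLedger()
    cid = consent_id("priya@example.com")  # constructed data principal
    ledger.append(cid, "marketing_email", "grant", "2026-04-01T09:00:00Z")
    ledger.append(cid, "precise_location", "grant", "2026-04-01T09:00:05Z")
    ledger.append(cid, "marketing_email", "withdraw", "2026-04-20T17:30:00Z")

    tampered = ConsentLedger()
    tampered.events = list(ledger.events)
    tampered.events[2] = dataclasses.replace(ledger.events[2], action="grant")

    return {
        "cid": cid,
        "intact": ledger.verify(),                       # None: chain is good
        "marketing": ledger.current_consent(cid, "marketing_email"),   # False
        "location": ledger.current_consent(cid, "precise_location"),   # True
        "tampered_at": tampered.verify(),                # 2: rewritten event caught
        "tampered_marketing": tampered.current_consent(cid, "marketing_email"),  # True, but flagged
        "serialised": json.dumps([asdict(e) for e in ledger.events]),
    }
```

Two points the example makes that the bullet list does not: a hash chain only proves the log is internally consistent, so the chain head must also be anchored somewhere the writer cannot rewrite (a timestamping service or a signed daily digest) for the "cryptographic timestamping" claim to mean anything; and replaying a tampered log gives a plausible-looking answer ("tampered_marketing" is True), which is why verification has to run before the replayed state is trusted.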

For Indian SMEs, the platform is free up to 5,000 consents per month. For growing businesses, ₹999 per month. For enterprises, ₹2,499 per month flat — including 22 Eighth Schedule languages, full DSAR workflows, and audit-ready records.


Frequently Asked Questions

What is the maximum penalty under the DPDP Act?

The maximum penalty under Section 33 of the Digital Personal Data Protection Act is ₹250 crore per instance, applicable to a failure to take reasonable security safeguards to prevent a personal data breach.

Can company directors be held personally liable under DPDPA?

Not in the way it is often described. Section 9 of the DPDPA concerns children's personal data, the Act imposes civil penalties rather than criminal offences, and it contains no "offences by companies" clause deeming those in charge of a company guilty. Penalties under Section 33 fall on the person in breach, which for a company is the company. Individual exposure comes from elsewhere: a Significant Data Fiduciary's DPO must be responsible to the board of directors under Section 10(2)(a), and directors owe duties of care, skill and diligence under Section 166 of the Companies Act 2013, against which a preventable penalty would be measured.

What happens if a business doesn't comply with the DPDP Act?

Consequences include monetary penalties of up to ₹250 crore per breach, directions and interim orders from the Data Protection Board that can stop specified processing, blocking of public access under Section 37 after repeated penalties, board and DPO accountability for the failure, exclusion from B2B procurement processes, customer trust damage, insurance premium escalation, and restrictions on cross-border data transfer.

How quickly must a personal data breach be reported under the DPDPA?

Rule 7 of the DPDP Rules 2025 requires a Data Fiduciary to inform each affected data principal and the Data Protection Board without delay on becoming aware of a personal data breach, and to send the Board a detailed report within 72 hours, or such longer period as the Board allows on request. The 72 hours therefore applies to the detailed report, not to the first notice.

Is DPDPA applicable to small businesses?

Yes. Under Section 3 the DPDPA applies to digital personal data processed within India, and to processing outside India in connection with offering goods or services to data principals in India. There is no blanket small-business exemption, although Section 17(3) lets the Central Government notify classes of Data Fiduciaries, including startups, that are relieved of specific obligations such as notice and erasure requirements, and the additional obligations on Significant Data Fiduciaries apply only to organisations notified under Section 10.

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is an organisation notified by the Central Government on the basis of the volume and sensitivity of personal data processed, the risks to data principals, and impact on national sovereignty and security. SDFs face enhanced obligations including mandatory DPO appointment and periodic data protection impact assessments.


Need a DPDPA risk assessment for your organisation? Talk to the Consently team — we will walk through where your current posture sits across all six categories of consequence.
