DPDPA Penalty Risk Indicator
A structured self-assessment tool based on the six statutory factors under Section 33(2) of the DPDPA. Select your breach category, rate each factor, and get an indicative risk band.
This tool produces a risk indicator only — not a predicted penalty figure. The Data Protection Board determines all actual penalties.
Select the provision your business may have failed to comply with. This determines the applicable Schedule cap under Section 33(1).
About the DPDPA Penalty Framework
Section 33(1) — Schedule Caps
The Act prescribes maximum penalty caps for each category of non-compliance. These are upper limits — the Board may impose any amount up to the cap based on the facts of the case.
- Section 8(5) — Security safeguardsup to ₹250 Cr
- Section 8(6) — Breach notificationup to ₹200 Cr
- Section 9 — Children's dataup to ₹200 Cr
- Section 10 — SDF obligationsup to ₹150 Cr
- Other provisions of Act/Rulesup to ₹50 Cr
- Section 15 — Data Principal dutiesup to ₹10,000
Section 33(2) — Factors the Board Considers
In determining the actual penalty, the Board must take into account all six statutory factors. There is no prescribed formula — the Board exercises discretion.
- 1Nature, gravity, and duration of the breach
- 2Type of personal data affected
- 3Repetitive nature of the non-compliance
- 4Whether the person gained financially or avoided loss
- 5Steps taken to mitigate loss to Data Principals
- 6Whether the Board has previously taken action