Complete guide to penalty structure, amounts, and compliance strategies to avoid violations
The Digital Personal Data Protection Act, 2023 (DPDPA) establishes a multi-tier complaint mechanism that lets Data Principals seek redressal of their grievances at more than one level.
A Data Principal must first exhaust the grievance redressal mechanism provided by the Data Fiduciary or the Consent Manager, as the case may be, and only then approach the Data Protection Board of India.
If the grievance remains unresolved after that mechanism has been exhausted, the Data Principal can approach the Data Protection Board of India.
The Board gives the parties an opportunity to be heard, upholding the principle of natural justice, and may impose substantial monetary penalties on a person who breaches the provisions of the DPDP Act or the DPDP Rules.
Section 33 of the DPDP Act deals with penalties under the legislation. But how does the Board decide the amount of a penalty? Section 33(2) lists the factors the Board must consider so that a penalty is proportionate to the breach and sufficient to deter future violations:
The nature, gravity and duration of the breach
The type and nature of the personal data affected by the breach
Whether the breach is repetitive in nature
Whether the person in breach realised a gain or avoided a loss as a result of the breach
Whether the person took action to mitigate the effects and consequences of the breach, and how effective and timely that action was
This list is not exhaustive. The Board also considers whether the penalty is proportionate and effective, the likely impact of the penalty on the person, and any other relevant circumstances, such as the safeguards the Data Fiduciary had in place before the breach. Together these factors determine the monetary penalty, up to the maximum set out in the Schedule to the Act:
Entity | Provision breached | Maximum penalty |
---|---|---|
Data Fiduciary | Failure to take reasonable security safeguards to prevent a personal data breach, under Section 8(5) of the DPDP Act | ₹250 crore |
Data Fiduciary | Failure to give notice of a personal data breach to the Data Protection Board of India and the affected Data Principals, under Section 8(6) of the DPDP Act | ₹200 crore |
Data Fiduciary | Failure to observe the additional obligations in relation to the personal data of children, under Section 9 of the DPDP Act | ₹200 crore |
Significant Data Fiduciary | Failure to comply with the additional obligations of a Significant Data Fiduciary, under Section 10 of the DPDP Act | ₹150 crore |
Data Principal | Failure to perform the duties set out in Section 15 of the DPDP Act | ₹10,000 |
Any person | Breach of any other provision of the DPDP Act or the DPDP Rules | ₹50 crore |
To avoid such penalties, experts at Data> Nuance suggest the following best practices:
Assess your organisation's current position against the DPDP Act and DPDP Rules, including the consent and notice requirements, the provisions for handling children's data, and the other obligations on a Data Fiduciary, in particular a documented procedure for notifying personal data breaches to the Board and the affected Data Principals.
Close every compliance gap identified in that assessment. At Data> Nuance we have it all covered for you.
Once the gaps are closed, establish a grievance redressal mechanism so that your consumers' grievances are handled in-house, since this is the first tier a Data Principal must exhaust before approaching the Board.
After ensuring compliance with the DPDP Act and setting up grievance redressal, go a step further and add measures that strengthen the protection of personal data. For example:
Define the period for which your organisation will retain personal data, and erase it once that purpose is served
Implement technical safeguards that protect the data you hold
Run awareness campaigns among the stakeholders who handle personal data
Keep them updated on recent government notifications under the Act
This enhances the transparency, trustworthiness and accountability of an organisation.
Stay compliant, stay safe. Reach out to Data> Nuance for an expert assessment on compliance with the provisions of the DPDP Act. Ensure your practices meet legal standards while safeguarding your business from regulatory penalties. Let's make compliance effortless—before regulators make it expensive!