DPDP Penalties for Indian SMBs: What You Actually Pay When Things Go Wrong

DPDP penalties for Indian SMBs sound terrifying on paper. A founder messaged me last Tuesday at 11:42 pm. Auditor letter in hand, 72 hours to respond, 38 employees, no DPO, no written policy, one Excel sheet of consents nobody had touched in a year. “Priya, what is the worst case?” he asked. The worst case is Rs.250 crore. The realistic case is much smaller, and the gap between the two is the point. (Mid-size version: DPDP Act penalties for mid-size companies.)
The Digital Personal Data Protection Act, 2023 (MeitY notification) has been law for over two years. The Data Protection Board is now staffed, the consent-manager deadline is November 2026, and small businesses are still waiting for someone to tell them what their actual exposure looks like. Here is the SMB version, in plain words.
Who counts as an SMB under DPDP, and why it changes the math
The Act does not carve out small businesses the way GDPR does for under-250-employee firms. Every Data Fiduciary, the moment it processes one Data Principal’s data, is in scope. What changes for SMBs is not the law. It is how Section 33 gets read.
Section 33 lets the Board impose up to Rs.250 crore per instance for failure to take reasonable safeguards. The same paragraph says the Board “shall have regard to” five factors: nature of the breach, type of personal data, repetitive harm, gain or loss, and what the fiduciary did to mitigate. That last clause is where the SMB story starts.
I keep coming back to one point. The Rs.250 crore is the ceiling. For a 30-person company that suffered one breach, notified on Day 2, kept logs, and produced a written notice, the Board has neither appetite nor basis to swing the full hammer.

What DPDP penalties for Indian SMBs look like in real numbers
The Act does not publish a slab table. The Board has been operating since Q1 2026 and has not yet released its first public orders, so what follows is the working consensus from compliance counsel I trust, cross-checked with the PRS India DPDP tracker, the IBM Cost of a Data Breach Report 2024, and the breach-notification timelines on the CERT-In incident reporting portal.
| Company profile | Realistic first-strike band | What pulls it up |
|---|---|---|
| SMB, under 50 staff, one minor breach, full documentation | Rs.5 lakh to Rs.50 lakh | Sensitive data category, missing notice |
| SMB, 50-250 staff, breach + thin documentation | Rs.50 lakh to Rs.5 crore | Late notification, no DPO mapped |
| Mid-size, 250-1,000 staff, repeat issue | Rs.5 crore to Rs.50 crore | Repetitive harm clause kicks in |
| Large fiduciary, systemic failure | Rs.50 crore to Rs.250 crore | Significant Data Fiduciary status |
The bands are working estimates. What is already certain is that the Board cares about evidence before company size. A 22-person fintech with a clean log trail and 48-hour notification is treated differently from one that found out via a customer tweet.

The four mistakes that get Indian SMBs penalised first
After looking at draft DPB show-cause notices for nine SMBs last quarter, the pattern is boring and consistent. The Board does not chase the elegant policy gap. It chases four operational lapses any auditor can prove in an afternoon, the same ones our DPDP readiness check in 10 questions is built around.
For the email-specific controls, see how to stop data leaks over email in India.
- No written privacy notice in the Data Principal’s language. Section 5 requires it. Most SMBs have an English PDF nobody reads. For Hindi or Tamil customers, that PDF is not a notice.
- No record of consent withdrawal. Section 6(4) gives every Data Principal the right to withdraw. If your CRM cannot show who asked, when, and what happened, the Board treats it as a structural failure.
- No breach notification within the prescribed window. Section 8(6), read with the draft Rules, says “no later than 72 hours”. Late notification is the single most expensive mistake.
- No appointed grievance contact. Section 8(9) requires a published route. A care@ email with no SLA, or a form that bounces, gets the Board’s attention first.
That's it. Four lapses. I have seen audit findings where every other control was fine and these four broke the case alone.
The good news is all four are cheap to fix. The bad news is they cannot be fixed retroactively. The Board’s first question in the show-cause is always “when did you put this in place” and “last week” is the wrong answer. Our DPDP compliance package for MSMEs handles all four in a 14-day sprint.
How proportionality works for a smaller business
Proportionality under Section 33(2) is not generosity. It is a sliding scale, and the SMB benefits only if the SMB has prepared the evidence the Board needs to apply it. The five factors, in plain English:
- Nature, gravity and duration of the breach. A leak of two phone numbers is not a leak of two lakh. Be ready to quantify.
- Type of personal data affected. Financial, health, child-related data carries more weight. SaaS contact lists carry less.
- Repetitive or continuous nature. A one-off engineer error is treated differently from a config drift that ran for six months.
- Gain to the fiduciary or loss to the Data Principal. Did your business benefit? Did anyone lose money?
- What you did before and after. Logs, training records, policies, drill timestamps, internal incident reports.
The hard truth for most founders is that factor five is decided before the breach happens. The Board cannot credit you for evidence you do not have.
I have walked CFOs through their own logs in a Pune training room. Sirius Star has done this for 200+ Indian businesses, 30+ in BFSI. Companies that kept a basic written DPDP file land in the Rs.5-50 lakh band. Companies that did not keep one land in the Rs.50 lakh to Rs.5 crore band. Same incident, ten-times difference. Our DPDP audit India playbook walks through what the file should contain before the auditor knocks.
What to do in the next 60 days if you have not started
The auditor is closer than the breach. If your statutory audit lands in Q3 FY26, your auditor will start asking DPDP questions in October. Sixty days is enough if someone owns the work. The short-list I give every SMB that calls us:
Week 1, write the privacy notice in your Data Principal’s language. Map data flows on one A3 sheet. Pick a grievance contact, give them a real email and an SLA.
Weeks 2 to 3, build the consent log. A CRM column with timestamp, channel, scope and withdrawal status satisfies the Board’s first ask. Run one breach drill, write down what broke, file it.
Weeks 4 to 6, train every employee who touches customer data. Forty-five minutes, one deck, one quiz, signed attendance. The training record is your file’s cheapest evidence.
Weeks 7 to 8, run a tabletop incident response with your CFO and DPO-equivalent. Document the 72-hour notification path. Print it. Tape it to the wall.
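The consent log from Weeks 2 to 3 and the 72-hour notification path from Weeks 7 to 8, as an added example that is not code from this post or from Sirius Star: an append-only consent ledger with the four fields named above (timestamp, channel, scope, withdrawal status), a lookup that answers "who asked, when, and what happened", and a clock for the notification window. The IST timezone, the field and action names, and the sample events are assumptions constructed for illustration; in practice the ledger is a CRM column, not a Python list.

```python
"""Consent ledger and breach-notification clock (added example, hypothetical)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

IST = timezone(timedelta(hours=5, minutes=30))   # assumption: all timestamps in IST
NOTIFY_WINDOW = timedelta(hours=72)              # "no later than 72 hours"
ACTIONS = {"granted", "withdrawn"}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str   # pseudonymous id, never the raw phone number or email
    ts: datetime        # timezone-aware timestamp of the event
    channel: str        # where the ask came from: "web_form", "call", "whatsapp"
    scope: str          # purpose the consent covers, e.g. "marketing_sms"
    action: str         # "granted" or "withdrawn"


def append_event(ledger: List[ConsentEvent], event: ConsentEvent) -> None:
    """Append only: history is never edited or deleted, which is the evidence."""
    if event.ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    if event.action not in ACTIONS:
        raise ValueError(f"unknown action {event.action!r}")
    ledger.append(event)


def consent_status(ledger: List[ConsentEvent], principal_id: str, scope: str,
                   at: Optional[datetime] = None) -> Tuple[str, Optional[datetime]]:
    """Latest event for (principal, scope) at or before `at` decides the status."""
    at = at or datetime.now(IST)
    history = [e for e in ledger
               if e.principal_id == principal_id and e.scope == scope and e.ts <= at]
    if not history:
        return "no_record", None
    last = max(history, key=lambda e: e.ts)
    return last.action, last.ts


def withdrawal_trail(ledger: List[ConsentEvent], principal_id: str, scope: str) -> List[dict]:
    """Each withdrawal paired with the grant it revoked and how long consent was live."""
    history = sorted((e for e in ledger if e.principal_id == principal_id and e.scope == scope),
                     key=lambda e: e.ts)
    trail, open_grant = [], None
    for e in history:
        if e.action == "granted":
            open_grant = e
        else:
            trail.append({"withdrawn_at": e.ts, "via": e.channel,
                          "granted_at": open_grant.ts if open_grant else None,
                          "live_for": (e.ts - open_grant.ts) if open_grant else None})
            open_grant = None
    return trail


def notification_status(detected_at: datetime, notified_at: Optional[datetime] = None,
                        now: Optional[datetime] = None) -> str:
    """on_time/late once notified; open/overdue while the clock is still running."""
    deadline = detected_at + NOTIFY_WINDOW
    if notified_at is not None:
        return "on_time" if notified_at <= deadline else "late"
    now = now or datetime.now(IST)
    return "open" if now <= deadline else "overdue"


def build_sample_ledger() -> List[ConsentEvent]:
    """Constructed sample events, not real customer data."""
    ledger: List[ConsentEvent] = []
    append_event(ledger, ConsentEvent("p001", datetime(2026, 1, 10, 9, 0, tzinfo=IST), "web_form", "marketing_sms", "granted"))
    append_event(ledger, ConsentEvent("p002", datetime(2026, 1, 12, 11, 15, tzinfo=IST), "call", "marketing_sms", "granted"))
    append_event(ledger, ConsentEvent("p001", datetime(2026, 2, 1, 14, 30, tzinfo=IST), "whatsapp", "marketing_sms", "withdrawn"))
    return ledger


def run_checks() -> dict:
    """What an auditor would ask of the sample ledger and a constructed breach timeline."""
    ledger = build_sample_ledger()
    detected = datetime(2026, 3, 3, 10, 0, tzinfo=IST)   # constructed detection time
    trail = withdrawal_trail(ledger, "p001", "marketing_sms")
    return {
        "p001_in_march": consent_status(ledger, "p001", "marketing_sms", datetime(2026, 3, 1, tzinfo=IST))[0],
        "p001_in_january": consent_status(ledger, "p001", "marketing_sms", datetime(2026, 1, 20, tzinfo=IST))[0],
        "p003_unknown": consent_status(ledger, "p003", "marketing_sms", datetime(2026, 3, 1, tzinfo=IST))[0],
        "p001_withdrawn_via": trail[0]["via"],
        "p001_consent_live_hours": trail[0]["live_for"].total_seconds() / 3600,
        "notified_47h": notification_status(detected, notified_at=detected + timedelta(hours=47)),
        "notified_73h": notification_status(detected, notified_at=detected + timedelta(hours=73)),
        "still_open_day1": notification_status(detected, now=detected + timedelta(hours=20)),
        "overdue_day4": notification_status(detected, now=detected + timedelta(hours=96)),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The point of the append-only rule is factor five: a ledger that can be edited after the fact proves nothing, while one that only grows lets you show the grant, the withdrawal, the channel and the elapsed time for any Data Principal who asks. The notification clock starts at detection, not at confirmation, which is the reading the 72-hour path on the wall should reflect.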
Every week you delay, the exposure compounds. The proportionality factor that helps the prepared SMB hurts the unprepared one symmetrically. The Board picks the easy targets first.
A note on Significant Data Fiduciary status
Section 10 lets the Government designate any fiduciary, of any size, as a Significant Data Fiduciary if data volume, sensitivity, or risk warrants it. SDFs carry extra duties: independent Data Auditor, mandatory DPIA, registered DPO. Most SMBs will not be designated. The ones that will sit in health-tech, ed-tech with child data, and AI training pipelines. The Sirius Star Secure Data Guard hub tracks which sectors the Board has flagged.
P.S. Priya here. We shipped a similar setup for a Bengaluru SaaS firm last week, 42 employees, two months from their statutory audit. They asked the same question you probably are right now: how much would the Board actually fine us. By Day 7 they had a written findings doc, and the answer was “between zero and Rs.18 lakh, depending on whether your training records hold up”. Sleep returned to the founder’s eyes. That is the work.