Statutory caps · DPDP Act 2023 Schedule

What is your maximum DPDP penalty exposure?

Eight questions. Sixty seconds. The Data Protection Board of India is now operational and the Schedule to the DPDP Act 2023 caps individual penalties at ₹250 crore per failure. Map your real WhatsApp data-handling practices to Sections 5, 6, 7, 8, 11 and 17 — and see the upper bound you would face if every weakness were treated as a separate breach.

8-question · ₹0 - ₹250 cr range · Sections 5 / 6 / 7 / 8 / 11 / 17 · 3-tier remediation plan

Question 1 of 8 · Volume
How many WhatsApp contacts do you process per month?

Each contact is a Data Principal under the DPDP Act 2023. Volume directly drives Sec 8(5) reasonable-security exposure.

1,000 · 50,000 · 1,000,000

Question 2 of 8 · Sec 6
Do you have a written DPDP consent log for every WhatsApp opt-in?

Sec 6(1) — free, specific, informed, unconditional, unambiguous, with a producible record.

Question 3 of 8 · Sec 8(7) / Sec 11
Do you delete contact data within 30 days of opt-out?

Sec 8(7) requires erasure on withdrawal; Sec 11 obliges you to operationalise the right.

Question 4 of 8 · Sec 8(6)
Do you have a written 72-hour breach notification plan?

Rule 6 of the DPDP Rules 2025 — notify the Board and affected Data Principals within 72 hours of becoming aware.

Question 5 of 8 · Sec 9 · 3× aggravator
Do you process data of minors (under 18)?

Sec 9 — verifiable parental consent required, behavioural monitoring and targeted ads prohibited.

Question 6 of 8 · Sec 16 / Sec 17
Do you transfer personal data outside India?

Sec 16 negative-list regime + sectoral residency (RBI, IRDAI, MeitY).

Question 7 of 8 · Sec 10(2)(a)
Have you appointed a Data Protection Officer (DPO)?

Mandatory for Significant Data Fiduciaries; recommended for everyone above 50 lakh principals.

Question 8 of 8 · Sec 10
Are you (or likely to be notified as) a Significant Data Fiduciary?

Volume above 50 lakh principals, sensitive data routinely processed, automated decisioning, or risk to electoral / public order.

Frequently asked questions

How much can the Data Protection Board fine my business under the DPDP Act 2023?

The Schedule to the Digital Personal Data Protection Act 2023 prescribes the following maxima per failure: up to ₹250 crore for a Data Fiduciary failing to take reasonable security safeguards to prevent a personal-data breach; up to ₹200 crore for failure to notify the Data Protection Board and affected Data Principals of a breach; up to ₹150 crore for failure to fulfil additional obligations in relation to children (Section 9) or as a Significant Data Fiduciary (Section 10); and up to ₹50 crore for breach of any other provision of the Act or Rules. The Board determines the actual quantum based on nature, gravity, duration, impact and willfulness of the breach.

Is this calculator legal advice?

No. This is an educational fear-mapping tool that visualises the upper-bound statutory penalty exposure if every weakness you disclose were treated as a separate breach. The Data Protection Board exercises discretion under Section 33 of the DPDP Act 2023 when fixing the actual quantum. Always consult qualified Indian counsel before relying on any output of this tool in regulatory proceedings or board reporting.

Why does processing minor data multiply my exposure by 3?

Section 9 of the DPDP Act 2023 imposes additional obligations on Data Fiduciaries processing personal data of children (under 18) — verifiable parental consent, prohibition on behavioural monitoring and on targeted advertising. Failure to meet these obligations attracts a separate ₹150 crore band and the Board has signalled in published guidance that child-data breaches will be treated as aggravating. Our model applies a conservative 3x multiplier on top of the base exposure to surface that aggravation.

How does the Significant Data Fiduciary status change the math?

Section 10 lets the Central Government notify a Data Fiduciary as Significant based on volume, sensitivity, risk and impact. Significant Data Fiduciaries owe extra duties — appointing a DPO, conducting DPIAs, undergoing independent audits. A failure to discharge these duties opens the same ₹150 crore band as the children clause and the Board has indicated heavier sanction. Our model doubles your base exposure if you are (or are likely to be) an SDF.

What counts as a "whitelisted" country for cross-border transfer?

Section 16 of the DPDP Act 2023 adopts a "negative list" regime — transfer is permitted to every country EXCEPT those restricted by Central Government notification. Sectoral regulators (RBI, IRDAI, SEBI, MeitY) may impose stricter India-only residency on payment, insurance, securities or health data on top of Section 16. The DPB has signalled it will issue an initial restricted-country list; treat any country not yet on a public allow-list with caution and route through a contractual model evaluation. A non-whitelisted transfer adds a ₹50 crore Section 17 band to your exposure.

Are my answers saved on your server?

Only if you click the gated PDF download CTA at the bottom of the calculator. Your 8 answers, your computed exposure and your WhatsApp number are then POSTed to /api/v1/leads so we can WhatsApp you the remediation playbook. The slider movement, your in-flight answers and any back-and-forth in the calculator never leave your browser unless you choose to download. We hold the lead under DPDP Section 6 consent until you withdraw via [email protected].

Educational tool. Not legal advice. DPDP Act 2023 section refs as of 2026-05-21. Final penalty depends on Data Protection Board discretion under Section 33 (factors: nature, gravity, duration, impact and willfulness of the breach). Consult qualified Indian counsel before relying on this output in regulatory proceedings.