What actually happens to my brand if I don't comply, what are the real penalties?
The short answer
The Data Protection Board can fine up to ₹250 crore for failing to implement reasonable security safeguards and up to ₹200 crore for failing to notify a breach, ceiling figures big enough to make 'we'll deal with it later' an expensive bet even for a mid-size D2C brand, not just enterprise players. Beyond the fine, a breach involving customer payment or address data is a brand-trust event you don't recover from quickly in a review-driven category, so treat data-security basics (encrypted storage, limited internal access, a written incident-response process) as protecting revenue, not just avoiding a fine. Numbers are case-by-case ceilings set by the Board, not automatic maximums, but don't assume every lapse gets treated lightly either.
A quick summary to orient you. The real value is below: the resources worth your time, from people who've actually done it, not us.
Here are the resources
Hand-picked from around the web, each with a note on why it earns your time. India-specific ones carry a badge.
Why we picked it
A conversation with the government official directly responsible for the Act's implementation, the closest you'll get to hearing regulatory intent explained in plain terms rather than inferred from a law firm's memo.
Why we picked it
Written specifically for online sellers rather than enterprises, it maps DPDP obligations onto the actual data an ecommerce checkout collects, which is the version of this law that matters to a D2C founder.
Why we picked it
The primary government notification of the DPDP Rules 2025, worth having as the source of record when a consultant or vendor cites a specific obligation, so you can check the actual text.