
Your DPDP exposure, probed deeply.

Fourteen probing questions on industry, sensitive data categories, vendors, consent maturity, breach readiness, and DPO appointment. Output: ₹ crore exposure range, risk tier, readiness score, top 5 gaps. The full memo (methodology + benchmarks + 90-day plan + DPA templates + breach SOP) lands in your inbox for free.

FORMAT: 14 questions · ~3 min
ACCESS: No signup to see result
OUTPUT: full memo · email-gated

How this is calculated

The DPDP Act, 2023 sets a maximum penalty of ₹250 crore per violation category. Real penalties depend on industry, organisation size, breach severity, sensitive-data categories involved, vendor blast radius, and remediation posture. This calculator estimates a defensible order-of-magnitude exposure using 14 weighted inputs across six dimensions: scale (revenue + data volume + years), severity (sensitive-data categories + cross-border + children), governance (consent + DSR + vendor DPAs), readiness (breach SOP + DPO + audit cadence). It is not legal advice.

Inputs that drive the number

  • Scale dimension: revenue tier × data-volume scale × years-of-cumulative-data multiply the realistic ceiling.
  • Severity dimension: each sensitive-data category (health, financial, biometric, geolocation, children's data, religion/caste, sexual orientation) adds a multiplier — health and biometric are the heaviest.
  • Governance maturity: consent management, DSR workflow, and vendor DPAs act as inverse multipliers. Mature programs face dramatically smaller exposure.
  • Breach readiness: a formal SOP that has been drilled cuts exposure ~40% under DPB's mitigation guidance.
  • DPO appointment: a full-time DPO is a strong mitigating factor; a fractional DPO or none increases exposure.
  • Audit recency: a DPDP-aligned audit within the last 12 months is treated as a partial remediation defense.

What this does NOT estimate

  • Reputational damage from a public breach (often exceeds the regulatory penalty by 3–10×)
  • Class-action exposure under emerging consumer-rights case law
  • Specific Section 33 fines for failure-to-prevent breaches (case-by-case)
  • Industry-specific overlays (RBI for banks, IRDAI for insurance, SEBI for brokers, etc.)

For a defensible legal opinion, engage Indian privacy counsel. For an architecture-and-cost analysis aligned to DPDP, see our DPDP field guide or book a 30-min call.

FAQ

What's the maximum DPDP penalty?

₹250 crore per violation category. Penalties can stack across categories — consent failures, processor governance failures, DSR failures, and breach-prevention failures are all separate categories.

When does DPDP enforcement start?

Phased enforcement began in 2025. The Data Protection Board of India is operational. Most actions so far focus on consent and vendor governance failures.

How accurate is this estimate?

It's an order-of-magnitude figure based on 14 weighted inputs. Treat the mid-case as a planning anchor, not a legal opinion.

What does the email memo include?

Methodology, industry benchmarks vs 50+ comparable Indian organisations, your top 5 gaps with remediation steps, a 90-day plan with line-item costs, vendor-DPA template language, and a DPB-ready breach-response SOP outline.

Will I get spammed?

Three educational emails over 17 days, then nothing unless you reply. One-click unsubscribe in every email. See our privacy policy.