What is the maximum DPDPA penalty for data breaches?

Up to ₹250 Crore for failure to implement reasonable security safeguards under DPDPA Section 8(5). Penalties are assessed based on nature, gravity, duration, and harm caused.

What are Data Fiduciary obligations under DPDPA?

Under DPDPA Section 8, Data Fiduciaries must implement security safeguards, notify breaches to the Data Protection Board and affected individuals, ensure data accuracy, and erase data when no longer required.

How does DPDPA affect M&A due diligence?

Acquirers must assess target's data protection compliance including consent mechanisms, security measures, breach history, and vendor arrangements. Non-compliance risks become the acquirer's liability post-acquisition.

What happened in the Marriott-Starwood case?

Marriott acquired Starwood in 2016 without discovering a breach ongoing since 2014. The breach affected 339 million records. UK ICO fined Marriott £18.4 million for failing to secure systems post-acquisition.

M&A Data Liability Calculator India | <a href="https://amlegals.com/data-privacy/">DPDPA</a> Successor Liability Assessment | ₹250 Crore Penalty Risk

Vibe Data Privacy^™ M&A Data Liability Assessment

When You Acquire a Company,
You Acquire Its Data Liabilities

Under DPDPA 2023, acquiring companies inherit data protection obligations of the target. Non-compliant consent mechanisms, security gaps, and unreported breaches become the acquirer's responsibility. The Data Protection Board can impose penalties up to ₹250 Crore.

₹250 CrDPDPA Maximum Penalty

£18.4MMarriott Fine (Inherited Breach)

4 YearsBreach Undetected Post-Acquisition

The Marriott-Starwood Case

A precedent for M&A data liability

In 2016, Marriott acquired Starwood Hotels for $13.6 billion. Undiscovered during due diligence: a breach ongoing since 2014 affecting 339 million guest records. The breach remained undetected until September 2018.

UK ICO fined Marriott £18.4 million for failing to implement adequate security measures post-acquisition. The fine was reduced from an initial £99 million notice, but established that acquirers bear responsibility for inherited data security failures.

Under DPDPA Section 8(5), Data Fiduciaries must implement reasonable security safeguards. Section 8(6) requires breach notification to the Data Protection Board and affected individuals.

Estimated Liability

₹150Crore

60%of DPDPA Max

₹0Cap: ₹250 Cr

Formula

Deal Value×Risk %×Sector×0.5=Liability

Transaction Value (₹ Cr)?Total consideration: cash + stock + assumed debt

Risk Score?Compliance gap score from assessment (0-100)

Low60High

Target Sector?Data sensitivity varies by sector under DPDPA

Breakdown

Variable	Value	Basis
Transaction (A)	₹500 Cr	Consideration
Risk Score (B)	60%	Assessment
Sector (C)	1.2×	Sensitivity
Base Factor (D)	0.5	Standard
Raw	₹180 Cr	A×B×C×D
Final	₹150 Cr	Capped ₹250 Cr

Transaction₹500 CrTarget value

Liability₹150 Cr30% of deal

Risk Score60/100Medium

Value Erosion30%ROI Impact

Methodology

Five-Layer Liability Assessment

LAYER 01
Consent ArchaeologyVerify consent validity under DPDPA Section 6 requirements
Score45%

LAYER 02
Flow CartographyMap data movement across systems and processors
Score62%

LAYER 03
Retention AnalysisIdentify data held beyond purpose under Section 8(7)
Score78%

LAYER 04
Processor AuditAssess Data Processor compliance per Section 8(2)
Score55%

LAYER 05
Breach DetectionIdentify unreported incidents per Section 8(6)
Score38%

DPDPA Statutory Framework

Section 8(5) — Security Safeguards

Data Fiduciaries must implement reasonable security safeguards. Failure attracts penalty up to ₹250 Crore.

Section 8(6) — Breach Notification

Mandatory notification to Data Protection Board and affected individuals. Penalty up to ₹200 Crore for non-compliance.

Assess Acquisition Risk

Data protection gaps in target companies create liability exposure. Pre-closing assessment identifies risks for negotiation and structuring.

Schedule Assessment DPDPA Resources

M&A Data Liability Assessment

When You Acquire a Company,You Acquire Its Data Liabilities

The Marriott-Starwood Case

Estimated Liability

Breakdown

Consent Archaeology

Flow Cartography

Retention Analysis

Processor Audit

Breach Detection

DPDPA Statutory Framework

Section 8(5) — Security Safeguards

Section 8(6) — Breach Notification

Assess Acquisition Risk

When You Acquire a Company,
You Acquire Its Data Liabilities