Methodology: How We Calculate Compliance Penalty Exposure

This page documents every assumption, probability rate, and source used in the Compliance Penalty Exposure Calculator. We publish this in full as an E-E-A-T signal and to allow you to challenge or verify any figure.

The Two-Number Framing

We display two figures to avoid both understating and overstating risk:

  • Typical Annual Risk: The sum of probability-weighted penalties for each applicable law. For each law, we take the realistic penalty exposure and multiply it by the probability that an Indian SME in that category is currently non-compliant (the “gap rate”).
  • Maximum Statutory Exposure: The sum of statutory ceilings for all applicable laws. This is the worst-case number if every violation were prosecuted to the maximum. It is often dominated by DPDP Act penalties (₹250 crore for the most serious breach), which skew the figure for any business that processes personal data.

Probability Gap Rates

These rates represent the proportion of eligible Indian businesses estimated to have a compliance gap in each area. A gap rate of 0.42 means 42% of eligible companies are estimated to be non-compliant.

| Compliance Area | Gap Rate | Primary Source |
|---|---|---|
| EPF late contribution payment | 35% | CII-Protiviti India Risk Survey 2024 |
| ESI late contribution payment | 30% | CII-Protiviti India Risk Survey 2024 |
| POSH — No Internal Committee constituted | 42% | Internal assessment data (n=350+ SMEs) |
| POSH — Annual return not filed | 65% | Internal assessment data (n=350+ SMEs) |
| DPDP — Security safeguards gap | 84% | PwC India DPDP Readiness Survey 2024 |
| DPDP — Breach notification gap | 78% | PwC India DPDP Readiness Survey 2024 |
| DPDP — Data Principal rights gap | 75% | PwC India DPDP Readiness Survey 2024 |
| DPDP — Children's data gap (EdTech/Healthcare) | 80% | Internal assessment data |
| Labour Code — Code on Wages violation | 70% | CII-Protiviti India Risk Survey 2024 |
| GST late filing | 25% | GSTN Annual Report 2023-24 |
| FSSAI licence lapse | 20% | FSSAI Annual Report 2023-24 |
| Factories Act — hazardous process violation | 15% | Internal assessment data |
| Gratuity — non-payment / delayed payment | 15% | Internal assessment data |

Per-Law Calculation Formulas

EPF — Typical Annual Risk

EPF Act 1952, Section 7Q (interest) + Section 14B (damages), amended June 14, 2024

We calculate a monthly contribution base using the number of employees × EPF wage ceiling (₹15,000) × 24% combined rate. For one missed cycle, damages = 1% per month + 1% interest = 2% of contribution. Annual typical = 2% × monthly contribution × gap rate (35%) × 12.

    monthly_contribution = employee_count × 15,000 × 0.24
    one_cycle_damages = monthly_contribution × 0.02
    typical_annual = one_cycle_damages × 0.35 × 12
    max = annual_contribution × 1.0 (100% damages cap)

  • Average monthly wage assumed ₹25,000; EPF contribution ceiling ₹15,000.
  • Post-June 2024 damages rate of 1%/month (amended from 5-25% sliding scale).
  • Karnataka HC January 2026 order: damages cannot be reduced below 25% for defaults >6 months.

ESI — Typical Annual Risk

ESI Act 1948, Section 85

Monthly contribution = employees × min(average wage, ₹21,000) × 3.25%. Damages are taken at the average rate of (5% + 25%) / 2 = 15%. Annual typical = contribution × 15% × gap rate (30%) × 12.

    monthly_contribution = employee_count × min(avg_wage, 21000) × 0.0325
    typical_annual = monthly_contribution × 0.15 × 0.30 × 12
    max = monthly_contribution × 0.25 × 12

  • ESI gross wage ceiling ₹21,000/month. Average damages rate 15% of arrears.

DPDP Act 2023 — Typical Annual Risk

DPDP Act 2023, Schedule (penalty tiers)

Base risk is tiered by annual turnover as a proxy for data volume and DPB enforcement priority. The base risk is then multiplied by the gap rate of 84% (only 16% of Indian businesses claim DPDP readiness per PwC 2024).

    base_risk = (turnover < 2Cr)   ? 1,00,000
              : (turnover < 10Cr)  ? 5,00,000
              : (turnover < 50Cr)  ? 25,00,000
              : (turnover < 500Cr) ? 1,00,00,000
              :                      5,00,00,000
    typical = base_risk × 0.84

  • Turnover used as proxy for data volume and regulatory priority.
  • Only the "security safeguards" breach is base-rated; breach notification, rights, and children's data use separate (lower) base risks.
  • Maximum statutory: ₹250 crore for security failure (Schedule, Item 1).

POSH Act 2013 — Typical Annual Risk

POSH Act 2013, Section 26 (ICC) and Section 21 (annual return)

Two separate violations: failure to constitute IC (₹50,000, gap rate 42%) and annual return non-filing (₹50,000, gap rate 65%). Both apply to employers with 10+ employees and women employees.

    icc_risk = 50,000 × 0.42
    return_risk = 50,000 × 0.65
    typical = icc_risk + return_risk
    max = 50,000 + 50,000 = 1,00,000

  • Applies only when employee count >= 10 AND hasWomenEmployees = true.

Code on Wages 2019 — Typical Annual Risk

Code on Wages 2019, Section 54 (enforceable since November 21, 2025)

Penalty ceiling of ₹1 lakh for underpayment or contravention. Gap rate of 70% based on industry survey data on wage structure non-compliance with the 50% basic wage rule.

    typical = 1,00,000 × 0.70
    max = 1,00,000

  • Applies to all establishments regardless of employee count.
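
The five per-law formulas above, combined into the two headline figures, as an added example (not the calculator's own code). The input field names, the `processesPersonalData` flag, and reading `annual_contribution` as 12 × `monthly_contribution` are assumptions; EPF and ESI are always applied because the page states no applicability threshold for them, and only the DPDP security-safeguards item is included because it is the only one with a stated base risk.

```javascript
// Added example: reimplements the page's per-law formulas; not the calculator's own code.
const CRORE = 1e7; // 1 crore = 10,000,000 rupees

// Gap rates copied from the "Probability Gap Rates" table.
const GAP = { epf: 0.35, esi: 0.30, dpdpSecurity: 0.84, poshIc: 0.42, poshReturn: 0.65, wages: 0.70 };

// DPDP base-risk tiers: [turnover upper bound in rupees, base risk in rupees].
const DPDP_TIERS = [[2 * CRORE, 1e5], [10 * CRORE, 5e5], [50 * CRORE, 25e5], [500 * CRORE, 1e7]];

function dpdpBaseRisk(turnover) {
  const tier = DPDP_TIERS.find(([limit]) => turnover < limit);
  return tier ? tier[1] : 5e7; // turnover of 500 crore and above
}

// Input field names are hypothetical. Returns per-law {typical, max} plus both totals.
function penaltyExposure({ employees, avgWage, turnover, hasWomenEmployees, processesPersonalData }) {
  const laws = {};

  const epfMonthly = employees * 15000 * 0.24; // wage ceiling x 24% combined rate
  laws.epf = {
    typical: epfMonthly * 0.02 * GAP.epf * 12,
    max: epfMonthly * 12 * 1.0, // assumption: annual_contribution = 12 x monthly
  };

  const esiMonthly = employees * Math.min(avgWage, 21000) * 0.0325;
  laws.esi = {
    typical: esiMonthly * 0.15 * GAP.esi * 12,
    max: esiMonthly * 0.25 * 12,
  };

  if (processesPersonalData) {
    // Only the security-safeguards item has a stated base risk on the page.
    laws.dpdp = { typical: dpdpBaseRisk(turnover) * GAP.dpdpSecurity, max: 250 * CRORE };
  }

  if (employees >= 10 && hasWomenEmployees) {
    laws.posh = { typical: 50000 * GAP.poshIc + 50000 * GAP.poshReturn, max: 100000 };
  }

  laws.wages = { typical: 100000 * GAP.wages, max: 100000 }; // all establishments

  const sum = (key) => Math.round(Object.values(laws).reduce((t, l) => t + l[key], 0));
  return { laws, typicalAnnualRisk: sum("typical"), maxStatutoryExposure: sum("max") };
}
```

For a constructed input of 40 employees, ₹25,000 average wage and ₹8 crore turnover, the DPDP ceiling accounts for almost all of the maximum figure, which is the skew the two-number framing describes.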

Sources & References

  • [1] CII-Protiviti India Risk Survey 2024 — HR & Compliance Risk Rankings. https://www.protiviti.com/in-en
  • [2] PwC India DPDP Readiness Survey 2024 — "Only 16% of Indian businesses claim full DPDP readiness". https://www.pwc.in
  • [3] GSTN Annual Report 2023-24 — Late filing statistics. https://www.gst.gov.in
  • [4] FSSAI Annual Report 2023-24. https://fssai.gov.in
  • [5] EPFO Circular dated June 14, 2024 — Revised damages rate under Section 14B. https://epfindia.gov.in
  • [6] Karnataka High Court Order January 2026 — EPF damages floor at 25% for defaults exceeding 6 months.
  • [7] Digital Personal Data Protection Act 2023 — Schedule (Penalty Tiers). Ministry of Electronics and Information Technology, Government of India. https://meity.gov.in
  • [8] Code on Wages 2019 — Central Rules notified November 21, 2025. https://labour.gov.in
  • [9] ComplianceCheck Internal Assessment Data (n=350+ SME assessments, 2024-2026).

Limitations & Disclaimer

  • Gap rates are aggregate estimates from industry surveys; your company may have zero or far greater exposure.
  • Salary assumptions (₹25,000 average monthly wage, EPF ceiling ₹15,000) are used for EPF/ESI calculations.
  • DPDP Act enforcement is still evolving; the maximum penalty figures are statutory ceilings per the Schedule, not typical first-violation fines.
  • State-specific variations (professional tax, shops & establishments, state labour welfare fund) are not captured.
  • This is not legal advice. Rates current as of April 2026.

Questions about this methodology? Email us at compliancecheck@zohomail.in