The committee suggested a staggered approach to levying penalties, depending on the severity of the violation and the size of the entity. If an entity does not take prompt action in the event of a data breach, does not register with the DPA, or does not undertake an impact assessment, conduct a data audit or appoint a data protection officer (DPO), it can be fined a maximum of ₹5 crore or 2% of its global revenue, whichever is higher.