
DPDP Breach Notification: 72-Hour Rule & India Reporting Mandates

India's DPDP Act mandates breach notification to the Data Protection Board within 72 hours and to affected individuals promptly. Delayed reporting carries independent penalties.


A Breach You Do Not Report Is a Violation You Have Committed

Under the DPDP Act 2023, every Data Fiduciary has a legal obligation to report personal data breaches. The notification must go to two parties: the Data Protection Board of India and every affected Data Principal. Delayed, incomplete, or suppressed breach reporting carries its own penalties, independent of the breach itself.

This obligation exists regardless of company size, industry, or the volume of data involved. A breach affecting ten records carries the same notification obligation as one affecting ten million.

What Constitutes a Personal Data Breach

The Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. This definition is broad by design.

Examples include:

  • External attacks: Ransomware, SQL injection, credential theft, or any unauthorised access by external actors
  • Internal incidents: An employee accessing customer records without authorisation, or sharing data with an unauthorised third party
  • Accidental exposure: A misconfigured database making personal data publicly accessible, or an email containing personal data sent to the wrong recipient
  • Data loss: Hardware failure or cloud storage corruption resulting in permanent loss of personal data without backup
  • Processor breaches: A third-party Data Processor experiencing a breach that affects personal data you entrusted to them

If personal data has been compromised in any way, the notification obligation is triggered.

Who Must Be Notified

The Data Protection Board of India

The Data Fiduciary must notify the Board with prescribed information about the breach. While the specific notification format will be defined through subordinate rules, international precedent and the Act’s intent indicate the notification must include:

  • Nature and circumstances of the breach
  • Categories and approximate number of Data Principals affected
  • Categories of personal data involved
  • Measures taken or proposed to address the breach
  • Measures taken to mitigate potential harm to Data Principals

Affected Data Principals

Every individual whose personal data was compromised must be notified. The notification must be clear enough for the Data Principal to understand:

  • What happened
  • What personal data was involved
  • What steps the business is taking to address the breach
  • What the Data Principal can do to protect themselves

Vague notifications that obscure the nature or severity of the breach do not satisfy the obligation. The Act requires transparency, not damage control.

Timeline Requirements

The DPDP Rules, notified on November 13, 2025, establish a confirmed 72-hour notification window. A Data Fiduciary must notify the Data Protection Board within 72 hours of becoming aware of a personal data breach. Notification to affected Data Principals must follow as soon as practicable after the Board notification is dispatched.

Jurisdiction         | Notification Deadline    | Recipient
---------------------|--------------------------|--------------------------
GDPR (EU)            | 72 hours                 | Supervisory Authority
DPDP Act (India)     | 72 hours                 | Data Protection Board
DPDP Act (India)     | As soon as practicable   | Affected Data Principals
CCPA (California)    | “Expedient”              | Affected individuals

Design your breach response procedures to support Board notification within 72 hours. Notification to Data Principals should follow within the same operational window. The two-step notification sequence — Board first, then principals — is the prescribed order under the Rules.

Breach Notification vs. Erasure Notice: Two Distinct Obligations

A common point of confusion in DPDP compliance practice is the conflation of breach notification with the Rule 8 erasure notice. These are separate obligations with different triggers, recipients, and timeframes.

Breach notification (Section 8 of the Act) is triggered by a personal data breach — an unauthorised or accidental compromise of personal data. The notification goes to the Data Protection Board within 72 hours, followed by notification to affected Data Principals.

Rule 8 erasure notice is triggered when a Data Fiduciary intends to delete personal data — whether because the processing purpose has ended, the data principal has withdrawn consent, or a statutory retention period has expired. The notice must be sent to the Data Principal at least 48 hours before the erasure is carried out. This is not a breach notification. It is a pre-deletion notice that gives the data principal an opportunity to review what is being deleted.

Obligation              | Trigger                             | Recipient                | Timeline
------------------------|-------------------------------------|--------------------------|----------------------------------
Breach notification     | Personal data breach                | Data Protection Board    | Within 72 hours of awareness
Breach notification     | Personal data breach                | Affected Data Principals | As soon as practicable
Erasure notice (Rule 8) | Intended deletion of personal data  | Affected Data Principal  | Minimum 48 hours before deletion

Both obligations must be operationalised. A breach response plan covers the first. A data lifecycle management system — with scheduled deletion and automated pre-deletion notices — covers the second.

Penalties for Non-Compliance

The penalty framework treats breach notification failures as a distinct violation category.

  • Failure to implement security safeguards to prevent breaches: up to ₹250 crore
  • Failure to notify the Data Protection Board and affected Data Principals of a breach: up to ₹200 crore

These penalties are cumulative. A business that suffers a breach due to inadequate security and then fails to report it faces enforcement on both counts.

The Data Protection Board has the authority to investigate breaches on its own initiative or in response to complaints from affected Data Principals. A breach that becomes public knowledge before the Board receives formal notification will attract additional scrutiny.

Building a Breach Response Plan

Compliance requires preparation, not just reaction. Every Data Fiduciary should maintain a documented breach response plan covering four phases:

1. Detection

Establish monitoring systems that identify potential breaches in real time. This includes:

  • Intrusion detection systems on network perimeters
  • Access logging and anomaly detection on data stores
  • Regular log review processes
  • Employee reporting channels for suspected incidents

A breach that goes undetected for months is a breach that goes unreported for months.

2. Assessment

Once a potential breach is detected, assess its scope and severity:

  • What data was affected?
  • How many Data Principals are involved?
  • Is the breach contained, or is it ongoing?
  • What is the potential harm to affected individuals?

This assessment must happen within hours, not days.

3. Notification

Execute the notification procedure within the prescribed timeline:

  • Notify the Data Protection Board with all required information
  • Notify affected Data Principals through accessible channels
  • Document every notification action with timestamps

4. Remediation

After notification, address the root cause:

  • Contain the breach if it is ongoing
  • Implement corrective measures to prevent recurrence
  • Review and update security safeguards
  • Conduct a post-incident review to identify process failures
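The following Python sketch is an added illustration, not code from the original article: it encodes the two timelines discussed above (the 72-hour Board window with the Board-first ordering for Data Principals, and the Rule 8 notice of at least 48 hours before erasure) as checks over a timestamped incident record, so that the "document every notification action with timestamps" step can be verified rather than just recorded. The record fields, finding codes and sample times are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as stated in the article: Board within 72 hours of awareness,
# Data Principals only after the Board; Rule 8 erasure notice >= 48 hours before deletion.
BOARD_WINDOW = timedelta(hours=72)
ERASURE_LEAD = timedelta(hours=48)

# Constructed reference time for the sample incident (not from the article).
T0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class BreachRecord:
    aware_at: datetime                              # when the Fiduciary became aware
    board_notified_at: Optional[datetime] = None    # dispatch time of Board notification
    principals_notified_at: Optional[datetime] = None


def board_deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + BOARD_WINDOW


def check_breach(rec: BreachRecord, now: datetime) -> list:
    """Return finding codes for the record; an empty list means the timeline is on track."""
    findings = []
    deadline = board_deadline(rec)
    if rec.board_notified_at is None:
        findings.append("BOARD_OVERDUE" if now > deadline else "BOARD_PENDING")
    elif rec.board_notified_at > deadline:
        findings.append("BOARD_LATE")
    if rec.principals_notified_at is None:
        if rec.board_notified_at is not None:
            findings.append("PRINCIPALS_PENDING")      # "as soon as practicable" still open
    elif rec.board_notified_at is None or rec.principals_notified_at < rec.board_notified_at:
        findings.append("PRINCIPALS_BEFORE_BOARD")     # prescribed order is Board first
    return findings


def check_erasure_notice(notice_sent_at: datetime, deletion_at: datetime) -> bool:
    """Rule 8: the pre-deletion notice must be sent at least 48 hours before erasure."""
    return deletion_at - notice_sent_at >= ERASURE_LEAD


if __name__ == "__main__":
    # Sample incident: Board notified 70h after awareness, principals 2h later.
    rec = BreachRecord(T0, T0 + hours(70), T0 + hours(72))
    print(check_breach(rec, T0 + hours(80)))                 # []
    print(check_erasure_notice(T0, T0 + hours(47)))          # False
```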

The Role of Data Processors

If your Data Processor experiences a breach affecting personal data you entrusted to them, the notification obligation falls on you as the Data Fiduciary. Your contracts with Data Processors must include:

  • An obligation for the Processor to notify you of any breach without undue delay
  • Cooperation requirements for breach investigation and assessment
  • Clear roles and responsibilities for the notification process

You cannot outsource data processing and then claim ignorance when a breach occurs. The Act holds the Data Fiduciary accountable.

Assess Your Breach Readiness

The DPDP compliance checklist includes breach notification as a core compliance area. To evaluate whether your current breach response capabilities meet the Act’s requirements, take the free Compliance Vault Assessment.