Breach Notification Under the DPDP Act: The Rules Every Business Must Follow
The DPDP Act 2023 mandates prompt breach notification to the Data Protection Board and affected individuals. Delayed reporting carries independent penalties.
A Breach You Do Not Report Is a Violation You Have Committed
Under the DPDP Act 2023, every Data Fiduciary has a legal obligation to report personal data breaches. The notification must go to two parties: the Data Protection Board of India and every affected Data Principal. Delayed, incomplete, or suppressed breach reporting carries its own penalties, independent of the breach itself.
This obligation exists regardless of company size, industry, or the volume of data involved. A breach affecting ten records carries the same notification obligation as one affecting ten million.
What Constitutes a Personal Data Breach
The Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. This definition is broad by design.
Examples include:
- External attacks: Ransomware, SQL injection, credential theft, or any unauthorised access by external actors
- Internal incidents: An employee accessing customer records without authorisation, or sharing data with an unauthorised third party
- Accidental exposure: A misconfigured database making personal data publicly accessible, or an email containing personal data sent to the wrong recipient
- Data loss: Hardware failure or cloud storage corruption resulting in permanent loss of personal data without backup
- Processor breaches: A third-party Data Processor experiencing a breach that affects personal data you entrusted to them
If personal data has been compromised in any way, the notification obligation is triggered.
Who Must Be Notified
The Data Protection Board of India
The Data Fiduciary must notify the Board with prescribed information about the breach. While the specific notification format will be defined through subordinate rules, international precedent and the Act’s intent indicate the notification must include:
- Nature and circumstances of the breach
- Categories and approximate number of Data Principals affected
- Categories of personal data involved
- Measures taken or proposed to address the breach
- Measures taken to mitigate potential harm to Data Principals
Affected Data Principals
Every individual whose personal data was compromised must be notified. The notification must be clear enough for the Data Principal to understand:
- What happened
- What personal data was involved
- What steps the business is taking to address the breach
- What the Data Principal can do to protect themselves
Vague notifications that obscure the nature or severity of the breach do not satisfy the obligation. The Act requires transparency, not damage control.
Timeline Requirements
The Act mandates “prompt” notification. The specific timeframe will be defined through rules, but the legislative intent is clear: notification must happen quickly.
For context, the GDPR mandates notification to the supervisory authority within 72 hours of becoming aware of a breach. India’s rules are expected to impose a comparable or stricter timeline.
| Jurisdiction | Notification Deadline | Recipient |
|---|---|---|
| GDPR (EU) | 72 hours | Supervisory Authority |
| DPDP Act (India) | “Prompt” (rules pending) | Data Protection Board + Data Principals |
| CCPA (California) | “Expedient” | Affected individuals |
Businesses should design their breach response procedures to support notification within 72 hours. If the final rules impose a shorter deadline, you can adjust. If they impose a longer one, you are already ahead.
Penalties for Non-Compliance
The penalty framework treats breach notification failures as a distinct violation category.
- Failure to implement security safeguards to prevent breaches: up to ₹250 crore
- Failure to notify the Data Protection Board and affected Data Principals of a breach: up to ₹200 crore
These penalties are cumulative. A business that suffers a breach due to inadequate security and then fails to report it faces enforcement on both counts.
The Data Protection Board has the authority to investigate breaches on its own initiative or in response to complaints from affected Data Principals. A breach that becomes public knowledge before the Board receives formal notification will attract additional scrutiny.
Building a Breach Response Plan
Compliance requires preparation, not just reaction. Every Data Fiduciary should maintain a documented breach response plan covering four phases:
1. Detection
Establish monitoring systems that identify potential breaches in real time. This includes:
- Intrusion detection systems on network perimeters
- Access logging and anomaly detection on data stores
- Regular log review processes
- Employee reporting channels for suspected incidents
A breach that goes undetected for months is a breach that goes unreported for months.
2. Assessment
Once a potential breach is detected, assess its scope and severity:
- What data was affected?
- How many Data Principals are involved?
- Is the breach contained, or is it ongoing?
- What is the potential harm to affected individuals?
This assessment must happen within hours, not days.
3. Notification
Execute the notification procedure within the prescribed timeline:
- Notify the Data Protection Board with all required information
- Notify affected Data Principals through accessible channels
- Document every notification action with timestamps
4. Remediation
After notification, address the root cause:
- Contain the breach if it is ongoing
- Implement corrective measures to prevent recurrence
- Review and update security safeguards
- Conduct a post-incident review to identify process failures
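As an added illustration of the notification phase (example code, not part of the original article): a small Python tracker that logs each notification action with its timestamp, applies the 72-hour planning target from the article, and lists what is still outstanding for the two mandatory recipients and for the contents of the Board report. The field names and the sample timeline are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Planning baseline from the article: be able to notify within 72 hours of
# becoming aware of the breach (the GDPR figure, pending India's final rules).
NOTIFICATION_WINDOW = timedelta(hours=72)

# Content the article lists for the report to the Data Protection Board (constructed keys).
BOARD_REPORT_FIELDS = ("nature_and_circumstances", "principals_affected",
                       "data_categories", "breach_measures", "harm_mitigation")

@dataclass
class BreachIncident:
    detected_at: datetime                                # when the Fiduciary became aware
    notifications: list = field(default_factory=list)    # (recipient, sent_at, content)

    def deadline(self) -> datetime:
        return self.detected_at + NOTIFICATION_WINDOW

    def record_notification(self, recipient: str, sent_at: datetime, content: dict):
        # Phase 3 of the plan: every notification action is logged with a timestamp.
        self.notifications.append((recipient, sent_at, content))

def compliance_gaps(incident: BreachIncident, now: datetime) -> list:
    """List what is still missing for the two mandatory recipients; [] means on track."""
    gaps, deadline = [], incident.deadline()
    for recipient in ("board", "principals"):
        sent = [n for n in incident.notifications if n[0] == recipient]
        if not sent:
            status = "overdue" if now > deadline else f"due by {deadline.isoformat()}"
            gaps.append(f"{recipient}: not notified ({status})")
            continue
        if min(n[1] for n in sent) > deadline:
            gaps.append(f"{recipient}: notified after the 72-hour window")
        if recipient == "board":
            missing = [f for f in BOARD_REPORT_FIELDS if not sent[0][2].get(f)]
            if missing:
                gaps.append("board report incomplete: " + ", ".join(missing))
    return gaps

def demo_gaps() -> list:
    # Constructed sample timeline, not a real incident: Board told in time but with
    # an incomplete report; Data Principals still not notified after the deadline.
    incident = BreachIncident(datetime(2024, 3, 1, 9, 0))
    incident.record_notification("board", datetime(2024, 3, 2, 15, 0),
                                 {"nature_and_circumstances": "misconfigured storage bucket",
                                  "data_categories": "names, email addresses"})
    return compliance_gaps(incident, datetime(2024, 3, 4, 12, 0))

if __name__ == "__main__":
    for gap in demo_gaps():
        print(gap)
```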
The Role of Data Processors
If your Data Processor experiences a breach affecting personal data you entrusted to them, the notification obligation falls on you as the Data Fiduciary. Your contracts with Data Processors must include:
- An obligation for the Processor to notify you of any breach without undue delay
- Cooperation requirements for breach investigation and assessment
- Clear roles and responsibilities for the notification process
You cannot outsource data processing and then claim ignorance when a breach occurs. The Act holds the Data Fiduciary accountable.
Assess Your Breach Readiness
The DPDP compliance checklist includes breach notification as a core compliance area. To evaluate whether your current breach response capabilities meet the Act’s requirements, take the free DPDP Gap Assessment.