DPDP Breach Notification Timeline: 72-Hour Rule (India 2026)

DPDP Act breach reporting: notify the Data Protection Board within 72 hours and CERT-In within 6 hours. Two-stage filing, penalties up to ₹200 crore.

A Breach You Do Not Report Is a Violation You Have Committed

Under the DPDP Act 2023, every Data Fiduciary has a legal obligation to report personal data breaches. The notification must go to two parties: the Data Protection Board of India and every affected Data Principal. Delayed, incomplete, or suppressed breach reporting carries its own penalties, independent of the breach itself.

This obligation exists regardless of company size, industry, or the volume of data involved. A breach affecting ten records carries the same notification obligation as one affecting ten million.

The 72-Hour Notification Timeline at a Glance

The DPDP Rules, notified on November 13, 2025, set a confirmed 72-hour window. The clock starts the moment you become aware of a breach. The notification sequence is fixed: the Data Protection Board first, then affected Data Principals.

  1. Detection (hour 0). You become aware of a breach. The 72-hour clock starts here, not when you finish investigating.
  2. Assessment (hours 0 to 24). Scope the breach: what data, how many Data Principals, contained or ongoing.
  3. Notification (within 72 hours). Notify the Data Protection Board with the prescribed information, then notify affected Data Principals as soon as practicable.
  4. Remediation (after notification). Contain the cause, document every action with timestamps, and update your safeguards.

The detailed deadline table and the cross-jurisdiction comparison are in Timeline Requirements below. The four-phase response plan is covered in Building a Breach Response Plan.

The Two-Stage Board Notification

Rule 7 of the DPDP Rules operationalises Section 8(6) as a two-stage notification to the Data Protection Board. The two stages are not optional. The first preserves the timeline. The second carries the substance.

Stage 1: Initial intimation, without delay

The moment your incident response team confirms a personal data breach, send an initial intimation to the Board without delay. In practice this means within hours of confirmation, not days. The initial intimation states what you know so far:

  • Nature of the breach: unauthorised access, accidental disclosure, data loss
  • Approximate date and time of the breach
  • Categories of personal data affected
  • Approximate number of Data Principals affected
  • Name and contact details of the Data Protection Officer or designated contact person

Stage 2: Detailed report, within 72 hours

Within 72 hours of becoming aware of the breach, submit the full incident report. This is the substantive filing. Rule 7 requires it to cover:

Required information | Detail
-------------------- | ------
Breach description   | Updated nature, extent, timing, and location of the breach
Data categories      | Specific categories of personal data compromised, such as financial, health, or identity data
Scale of impact      | Number of Data Principals affected and volume of records compromised
Detection timeline   | When the breach occurred against when it was detected, and why the gap exists
Containment measures | Steps taken to contain the breach and prevent further exposure
Remediation actions  | Technical and organisational measures implemented or planned
Protective measures  | Steps Data Principals can take to protect themselves

The 72-hour deadline is absolute. The DPDP Rules carry no “where feasible” qualifier of the kind GDPR uses. If your investigation is incomplete at the 72-hour mark, file what you have and update the Board as new information emerges.

What Constitutes a Personal Data Breach

The Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. This definition is broad by design.

Examples include:

  • External attacks: Ransomware, SQL injection, credential theft, or any unauthorised access by external actors
  • Internal incidents: An employee accessing customer records without authorisation, or sharing data with an unauthorised third party
  • Accidental exposure: A misconfigured database making personal data publicly accessible, or an email containing personal data sent to the wrong recipient
  • Data loss: Hardware failure or cloud storage corruption resulting in permanent loss of personal data without backup
  • Processor breaches: A third-party Data Processor experiencing a breach that affects personal data you entrusted to them

If personal data has been compromised in any way, the notification obligation is triggered.

Who Must Be Notified

The Data Protection Board of India

The Data Fiduciary must notify the Board with prescribed information about the breach. While the specific notification format will be defined through subordinate rules, international precedent and the Act’s intent indicate the notification must include:

  • Nature and circumstances of the breach
  • Categories and approximate number of Data Principals affected
  • Categories of personal data involved
  • Measures taken or proposed to address the breach
  • Measures taken to mitigate potential harm to Data Principals

Affected Data Principals

Every individual whose personal data was compromised must be notified. The notification must be clear enough for the Data Principal to understand:

  • What happened
  • What personal data was involved
  • What steps the business is taking to address the breach
  • What the Data Principal can do to protect themselves

Vague notifications that obscure the nature or severity of the breach do not satisfy the obligation. The Act requires transparency, not damage control. The same plain-language standard that governs a privacy notice applies to breach notifications.

Timeline Requirements

The DPDP Rules, notified on November 13, 2025, establish a confirmed 72-hour notification window. A Data Fiduciary must notify the Data Protection Board within 72 hours of becoming aware of a personal data breach. Notification to affected Data Principals must follow as soon as practicable after the Board notification is dispatched.

Jurisdiction       | Notification deadline      | Recipient
------------------ | -------------------------- | ---------
GDPR (EU)          | 72 hours                   | Supervisory Authority
DPDP Act (India)   | 72 hours                   | Data Protection Board
DPDP Act (India)   | As soon as practicable     | Affected Data Principals
CCPA (California)  | “Expedient”                | Affected individuals

Design your breach response procedures to support Board notification within 72 hours. Notification to Data Principals should follow within the same operational window. The two-step notification sequence, Board first, then principals, is the prescribed order under the Rules.

Dual Reporting: The Board and CERT-In

This is where many organisations are caught out. The DPDP Act’s notification requirement does not replace the older obligation to report cyber incidents to CERT-In under the IT Act 2000 and the CERT-In Directions of 2022. Most real-world breaches qualify as both a personal data breach and a cybersecurity incident. When that happens, you report to both authorities, on two different clocks.

Authority                 | Legal basis                              | Deadline                                                          | Trigger
------------------------- | ---------------------------------------- | ----------------------------------------------------------------- | -------
CERT-In                   | IT Act 2000 and CERT-In Directions 2022  | Within 6 hours of noticing                                        | Any cybersecurity incident, including data breaches
Data Protection Board     | Section 8(6), DPDP Act 2023 and Rule 7   | Initial intimation without delay, detailed report within 72 hours | Personal data breach
Affected Data Principals  | Section 8(6), DPDP Act 2023              | Without delay                                                     | Personal data breach

CERT-In and the Board are parallel obligations, not alternatives. The 6-hour CERT-In window is the tightest deadline in the set, so it usually fires first. Build your detection process to start both clocks the moment an incident is confirmed.

Breach Notification vs. Erasure Notice: Two Distinct Obligations

A common point of confusion in DPDP compliance practice is the conflation of breach notification with the Rule 8 erasure notice. These are separate obligations with different triggers, recipients, and timeframes.

Breach notification (Section 8(6) of the Act) is triggered by a personal data breach: an unauthorised or accidental compromise of personal data. The notification goes to the Data Protection Board within 72 hours, followed by notification to affected Data Principals.

Rule 8 erasure notice is triggered when a Data Fiduciary intends to delete personal data, whether because the processing purpose has ended, the data principal has withdrawn consent, or a statutory retention period has expired. The notice must be sent to the Data Principal at least 48 hours before the erasure is carried out. This is not a breach notification. It is a pre-deletion notice that gives the data principal an opportunity to review what is being deleted.

Obligation               | Trigger                             | Recipient                 | Timeline
------------------------ | ----------------------------------- | ------------------------- | --------
Breach notification      | Personal data breach                | Data Protection Board     | Within 72 hours of awareness
Breach notification      | Personal data breach                | Affected Data Principals  | As soon as practicable
Erasure notice (Rule 8)  | Intended deletion of personal data  | Affected Data Principal   | Minimum 48 hours before deletion

Both obligations must be operationalised. A breach response plan covers the first. A data lifecycle management system, with scheduled deletion and automated pre-deletion notices, covers the second.

Penalties for Non-Compliance

The penalty framework treats breach notification failures as a distinct violation category.

  • Failure to implement security safeguards to prevent breaches: up to ₹250 crore
  • Failure to notify the Data Protection Board and affected Data Principals of a breach: up to ₹200 crore

These penalties are cumulative. A business that suffers a breach due to inadequate security and then fails to report it faces enforcement on both counts. Model your own exposure with the DPDP penalty calculator.

The Data Protection Board has the authority to investigate breaches on its own initiative or in response to complaints from affected Data Principals. A breach that becomes public knowledge before the Board receives formal notification will attract additional scrutiny.

Building a Breach Response Plan

Compliance requires preparation, not just reaction. Every Data Fiduciary should maintain a documented breach response plan covering four phases:

1. Detection

Establish monitoring systems that identify potential breaches in real time. This includes:

  • Intrusion detection systems on network perimeters
  • Access logging and anomaly detection on data stores
  • Regular log review processes
  • Employee reporting channels for suspected incidents

A breach that goes undetected for months is a breach that goes unreported for months.

2. Assessment

Once a potential breach is detected, assess its scope and severity:

  • What data was affected?
  • How many Data Principals are involved?
  • Is the breach contained, or is it ongoing?
  • What is the potential harm to affected individuals?

This assessment must happen within hours, not days.

3. Notification

Execute the notification procedure within the prescribed timeline:

  • Notify the Data Protection Board with all required information
  • Notify affected Data Principals through accessible channels
  • Document every notification action with timestamps

4. Remediation

After notification, address the root cause:

  • Contain the breach if it is ongoing
  • Implement corrective measures to prevent recurrence
  • Review and update security safeguards
  • Conduct a post-incident review to identify process failures

The 72-Hour Response Timeline, Hour by Hour

The four phases above describe what to do. This is when to do it. Treat the bands below as the operational companion to your response plan.

Hours 0 to 4: detect and triage. Confirm that a personal data breach has occurred, not just a security alert. Activate the incident response team across legal, security, communications, the Data Protection Officer, and engineering. Open the incident log immediately, with timestamps for every action, because it becomes your evidence for the Board. If a cybersecurity incident is confirmed, the 6-hour CERT-In clock is already running.

Hours 4 to 24: assess, contain, send the initial intimation. Scope the categories and volume of personal data affected. Block unauthorised access, isolate affected systems, revoke compromised credentials, and secure forensic logs. Send the initial intimation to the Board with what you know. Draft the Data Principal notification in plain language.

Hours 24 to 48: investigate and draft the detailed report. Run the forensic analysis to establish root cause, attack vector, dwell time, and full extent of exposure. Finalise the count of affected Data Principals. Compile the detailed Board report against the Rule 7 contents above. Begin notifying Data Principals.

Hours 48 to 72: submit, remediate, review. File the detailed report as soon as it is ready, not at the 72nd hour. Implement remediation: patch vulnerabilities, tighten access controls, raise monitoring. Notify sector regulators where they apply. Run the post-incident review and update the playbook.
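The dual-clock section and the hour-by-hour bands above describe a process that is easy to lose track of once an incident is live. The Python module below is an added example, not code from the article or from any product it mentions: it keeps the timestamped incident log the article recommends, derives the CERT-In (6-hour) and Board detailed-report (72-hour) deadlines from the hour-0 awareness time, checks that the Stage 1 and Rule 7 filings contain every item the article lists, and confirms the prescribed order (Board before Data Principals). The action names, field keys and the sample log are constructed for illustration.

```python
"""Breach-clock tracker for the DPDP / CERT-In reporting timelines.

Added example, not part of the original article. Windows follow the
article: CERT-In 6 hours, Board detailed report 72 hours, initial
intimation without delay, Data Principals after the Board. Action
names, field keys and the sample incident log are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CERT_IN_WINDOW = timedelta(hours=6)
BOARD_REPORT_WINDOW = timedelta(hours=72)

# Stage 1 initial intimation contents, as listed in the article (keys constructed).
STAGE1_FIELDS = ("nature", "approx_time", "data_categories",
                 "approx_principals", "dpo_contact")
# Rule 7 detailed-report contents, as listed in the article's table (keys constructed).
RULE7_FIELDS = ("breach_description", "data_categories", "scale_of_impact",
                "detection_timeline", "containment_measures",
                "remediation_actions", "protective_measures")


@dataclass
class IncidentLog:
    aware_at: datetime                               # hour 0: breach confirmed
    actions: list = field(default_factory=list)      # (timestamp, action name)

    def record(self, at, action):
        self.actions.append((at, action))


def deadlines(aware_at):
    """Both clocks start at the moment of awareness, not at end of investigation."""
    return {"cert_in": aware_at + CERT_IN_WINDOW,
            "board_detailed_report": aware_at + BOARD_REPORT_WINDOW}


def missing_fields(report, required):
    """Items still absent or empty before a filing can go out."""
    return [f for f in required if not report.get(f)]


def filing_status(log, now):
    """Per obligation: filed on time / filed late / pending (hours left) / overdue,
    plus whether the Board was told before the Data Principals."""
    dl = deadlines(log.aware_at)
    filed = {action: at for at, action in log.actions}  # last entry per action wins
    status = {}
    for obligation in ("cert_in_report", "board_detailed_report"):
        deadline = dl["cert_in"] if obligation == "cert_in_report" else dl["board_detailed_report"]
        at = filed.get(obligation)
        if at is not None:
            status[obligation] = "filed on time" if at <= deadline else "filed late"
        elif now <= deadline:
            remaining = (deadline - now).total_seconds() / 3600
            status[obligation] = f"pending, {remaining:.1f}h remaining"
        else:
            status[obligation] = "overdue"
    # Stage 1 and Data Principal notices have no fixed hour; track whether they are done.
    for obligation in ("board_initial_intimation", "principals_notified"):
        status[obligation] = "done" if obligation in filed else "pending"
    board, principals = filed.get("board_initial_intimation"), filed.get("principals_notified")
    status["board_before_principals"] = principals is None or (board is not None and board <= principals)
    return status


def sample_log():
    """Constructed incident log for a hypothetical breach (not real data)."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    log = IncidentLog(aware_at=t0)
    log.record(t0 + timedelta(minutes=20), "irt_activated")
    log.record(t0 + timedelta(hours=4, minutes=30), "cert_in_report")
    log.record(t0 + timedelta(hours=6), "board_initial_intimation")
    log.record(t0 + timedelta(hours=30), "principals_notified")
    log.record(t0 + timedelta(hours=60), "board_detailed_report")
    return log


if __name__ == "__main__":
    log = sample_log()
    for k, v in filing_status(log, log.aware_at + timedelta(hours=70)).items():
        print(f"{k:28} {v}")
    print("Stage 1 gaps:", missing_fields({"nature": "ransomware"}, STAGE1_FIELDS))
```

Run it with an empty log and a clock a few hours in to see both obligations counting down; the `missing_fields` check is meant to gate the Stage 1 and Rule 7 submissions so that an incomplete filing is caught before the deadline rather than after.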

BFSI: The Extra Reporting Layer

A bank, NBFC, insurer, or registered broker carries reporting obligations beyond CERT-In and the Board. RBI’s cybersecurity framework requires regulated entities to report incidents to RBI-CSITE, the central bank’s incident response team, in addition to the two deadlines above.

BFSI also faces a conflict the timeline does not surface. A Data Principal may exercise the right to erasure under Section 12 while you are mid-investigation on a breach involving their data. You may not be free to delete it. Section 8(7), the Legal Obligation Override, lets you retain personal data where another law requires it, such as RBI KYC norms or PMLA record-keeping, or where the breach investigation itself depends on it. The override is conditional: document the specific legal basis, communicate the retention and its reason to the Data Principal, keep an audit trail of the decision, and delete the data once the obligation expires. The mechanics of resolving this clash are covered in the RBI and DPDP retention conflict guide and the DPDP compliance guide for NBFCs.

The Role of Data Processors

If your Data Processor experiences a breach affecting personal data you entrusted to them, the notification obligation falls on you as the Data Fiduciary. Your contracts with Data Processors must include:

  • An obligation for the Processor to notify you of any breach without undue delay
  • Cooperation requirements for breach investigation and assessment
  • Clear roles and responsibilities for the notification process

You cannot outsource data processing and then claim ignorance when a breach occurs. The Act holds the Data Fiduciary accountable.

Assess Your Breach Readiness

The DPDP compliance checklist includes breach notification as a core compliance area. To evaluate whether your current breach response capabilities meet the Act’s requirements, take the free Compliance Vault Assessment. To put the full obligation set on operational footing, compare ConsentOS plans, from ₹2,999 per month.

Know where you stand on DPDP compliance

Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, or model your penalty exposure.