DPDPA Breach Notification: Navigating Timelines and Reporting in New India
The Digital Personal Data Protection Act, 2023 (DPDPA) has ushered in a new era for data governance in India. As of June 2026, with the Act and its accompanying Rules fully operational, a critical area of focus for every Data Fiduciary is the robust management and reporting of personal data breaches. While data breaches are an unfortunate reality in the digital landscape, the DPDPA mandates a stringent framework for how organisations must respond, ensuring accountability and safeguarding Data Principal interests.
The DPDPA Framework for Breach Notification
At its core, the DPDPA places a clear obligation on Data Fiduciaries regarding personal data breaches. Section 17(1) of the Act stipulates that a Data Fiduciary must notify both the Data Protection Board of India (DPBI or “the Board”) and each affected Data Principal of any personal data breach. This notification must be made in such form and manner as may be prescribed by the DPDP Rules. A “personal data breach” is broadly defined as any unauthorised processing of personal data that compromises its confidentiality, integrity, or availability. This includes incidents ranging from cyberattacks to accidental data disclosures. The emphasis is on proactive identification, containment, and transparent communication.
Unpacking Notification Timelines: The Role of DPDP Rules
One of the most anticipated aspects of DPDPA implementation was the specification of notification timelines, as Section 17(1) itself only requires notification “in such form and manner as may be prescribed.” The DPDP Rules have now clarified this crucial aspect, setting out specific timeframes for reporting. Drawing on global practice such as the GDPR’s 72-hour window for notifying supervisory authorities, and on India’s existing CERT-In directions, the Rules mandate notification to the Board “without undue delay” and, in any event, within a specified number of hours (e.g., 72 hours) of becoming aware of the breach. For Data Principals, the Rules introduce a threshold, typically requiring notification when the breach is likely to result in “significant harm” to the Data Principal, again within a defined timeframe. This tiered approach acknowledges that not every breach calls for individual notification, balancing transparency against notification fatigue for minor incidents.
Content and Channels: What to Report and How
The DPDPA and its Rules outline the essential information that must be conveyed in a breach notification. For the Data Protection Board, Section 17(1) requires details on the nature of the personal data breach, the personal data affected, the measures taken or proposed to be taken by the Data Fiduciary to remedy the breach, and the likely consequences of the breach. The DPDP Rules further elaborate on this, demanding a comprehensive report that includes the estimated number of Data Principals affected, the categories of personal data involved, the root cause analysis (if available), and contact details for further information.
For affected Data Principals, the notification must be concise, clear, and easily understandable. It should provide sufficient information for them to take protective measures, such as changing passwords or monitoring their accounts. This typically includes a description of the breach, the types of data involved, the potential risks, and specific actions they can take, along with contact information for the Data Fiduciary’s Data Protection Officer (DPO) or a designated point of contact. The Rules also specify the acceptable channels for notification, which may include email, SMS, or post, depending on the nature of the data and the Data Principal’s preferences.
Navigating Sectoral Overlap and Board Engagement
India’s regulatory landscape includes several sectoral bodies with their own incident reporting mandates. For instance, the CERT-In Directions of April 2022 require all service providers, data centres, and government organisations to report cybersecurity incidents within six hours of becoming aware of them. Similarly, the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and Insurance Regulatory and Development Authority of India (IRDAI) have established specific timelines (often six hours) for their regulated entities to report various IT and cybersecurity incidents.
The DPDPA now adds another layer. While CERT-In and sectoral norms focus broadly on cybersecurity incidents, the DPDPA specifically targets personal data breaches. Many cybersecurity incidents will inevitably involve personal data breaches, creating overlapping reporting obligations. Data Fiduciaries must develop integrated incident response plans that satisfy all applicable regulations. The DPDP Rules provide guidance on how to harmonise these requirements, often suggesting that a single, comprehensive report can be adapted for multiple regulators, provided it meets each body’s specific content and timeline requirements. The DPBI, as the overarching data protection authority, will likely establish an online portal for breach notifications, streamlining the process for Data Fiduciaries. The Board also has the power under Section 17(2) to issue directions to Data Fiduciaries to mitigate the effects of a breach, underscoring its active role in post-breach management.
Practical takeaway
Indian businesses, General Counsels, and DPOs must prioritise the development and regular testing of robust data breach response plans. This includes establishing clear internal reporting lines, defining roles and responsibilities, creating notification templates, and ensuring technical capabilities for rapid breach detection and containment. Crucially, integrate DPDPA requirements with existing CERT-In and sectoral reporting obligations to avoid duplication and ensure timely compliance across all fronts. Regular training for employees on data protection and incident response protocols is non-negotiable to minimise human error and ensure a swift, compliant reaction to any personal data breach.