Navigating Breach Notification: India's Multi-Faceted Approach Compared to Global Standards
The landscape of data breach notification has evolved significantly, driven by an increasing global emphasis on data protection and accountability. For Indian businesses operating in a globalised economy, understanding the nuanced differences in breach notification timelines across jurisdictions is not just good practice, but a critical compliance imperative. As of July 1, 2026, with India’s Digital Personal Data Protection Act, 2023 (DPDPA), and its accompanying Rules fully operational, the country presents a unique, multi-layered framework that warrants close comparison with established regimes like the EU’s GDPR, Singapore’s PDPA, and Australia’s Privacy Act.
India’s Layered Notification Framework
India’s approach to data breach notification is characterised by a general data protection law supplemented by stringent sectoral regulations. Under the DPDPA, 2023, Section 29 empowers the Central Government to prescribe rules for breach notification. The Digital Personal Data Protection Rules, 2025 (DPDP Rules), now in effect, mandate Data Fiduciaries to notify the Data Protection Board of India (DPB) and affected Data Principals of any personal data breach. While the DPDPA itself uses the principle of “without undue delay,” the DPDP Rules specify a concrete timeline, generally aligning with international standards by requiring notification to the DPB within 72 hours of becoming aware of a breach, where the breach is likely to cause harm to Data Principals. Notification to affected Data Principals is also required “without undue delay” if the breach poses a high risk to their rights and freedoms.
However, this general framework is overlaid by stricter sectoral requirements. Entities regulated by the Reserve Bank of India (RBI), such as banks and non-banking financial companies, face a much tighter deadline. The RBI’s Master Direction on IT Governance, Risk, Controls and Operations for Regulated Entities, 2023, mandates that cyber incidents, including data breaches, must be reported to the RBI within six hours of detection. Similarly, under Section 70B of the Information Technology Act, 2000, the Indian Computer Emergency Response Team (CERT-In) Directions issued in 2022 require service providers, data centres, and corporate bodies to report cyber incidents, including data breaches, to CERT-In within six hours of becoming aware of them. This dual structure means many Indian entities must navigate not just the DPDP Rules, but also potentially more demanding sector-specific or CERT-In directives.
EU GDPR: The Global Benchmark
The European Union’s General Data Protection Regulation (GDPR) sets a widely adopted benchmark for breach notification. Article 33 of the GDPR requires data controllers to notify the relevant supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware” of a personal data breach. This notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This 72-hour window is a critical global standard.
For notification to data subjects, Article 34 of the GDPR specifies that if a personal data breach is “likely to result in a high risk to the rights and freedoms of natural persons,” the controller must communicate the breach to the data subject “without undue delay.” This threshold-based approach means not every breach requires individual notification, only those posing a significant risk. Compared to India’s DPDP Rules, the 72-hour timeline for the supervisory authority is similar, but India’s sectoral regulations (RBI, CERT-In) are significantly more demanding.
Singapore and Australia: Diverse Approaches
Singapore’s Personal Data Protection Act (PDPA) also incorporates breach notification requirements. Sections 26C and 26D of the PDPA mandate organisations to notify the Personal Data Protection Commission (PDPC) and affected individuals of a data breach “as soon as practicable.” This notification is required if the breach is likely to result in significant harm to affected individuals or if it is of a significant scale (e.g., affecting 500 or more individuals). While the statute uses “as soon as practicable,” the PDPC’s advisory guidelines clarify that organisations should generally notify the PDPC within three calendar days (72 hours) of assessing that a notifiable data breach has occurred. This aligns closely with the GDPR and India’s DPDP Rules for general breaches, albeit with the “assessment” phase preceding the three-day clock.
Australia’s Notifiable Data Breaches (NDB) scheme, under Part IIIC of the Privacy Act 1988, requires entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals “as soon as practicable” after becoming aware of an “eligible data breach.” An eligible data breach is defined as one where unauthorised access, disclosure, or loss of personal information is likely to result in serious harm to any of the individuals to whom the information relates. Similar to Singapore, the “as soon as practicable” phrasing provides some flexibility for initial assessment, but the expectation is still prompt action. Compared to India, Australia’s framework is less prescriptive on exact hours but similarly focuses on the “serious harm” threshold for individual notification.
Comparative Overview and Trade-offs
When comparing these frameworks, India stands out for its bifurcated approach. The general DPDPA framework, with its 72-hour notification to the DPB for breaches likely to cause harm, aligns well with the GDPR and Singapore’s PDPA. This common timeline represents a global consensus on balancing rapid notification with the need for initial assessment.
However, India’s strict 6-hour deadlines imposed by the RBI and CERT-In represent a significant departure, making India’s regulatory environment uniquely demanding for entities under their purview. This stricter timeline prioritises immediate awareness and response for critical infrastructure and financial sectors, but it also places immense pressure on organisations to have highly mature incident response capabilities, potentially sacrificing detailed analysis for speed. In contrast, the GDPR, Singapore’s PDPA, and Australia’s NDB scheme generally allow for a longer initial assessment period before the formal notification clock starts, or offer a more uniform 72-hour window for the primary regulator. The trade-off is between immediate alert (India’s sectoral rules) and allowing time for a more complete picture before reporting (GDPR, the general DPDPA framework, Singapore, Australia).
All jurisdictions share a common thread: the requirement to notify affected individuals is generally tied to a “high risk,” “significant harm,” or “serious harm” threshold, preventing over-notification for minor incidents.
Practical Takeaway
For Indian businesses, General Counsel, and Data Protection Officers, the primary challenge lies in navigating India’s multi-layered framework. It is imperative to:
- Understand Your Specific Obligations: Identify whether your organisation falls under the purview of CERT-In, RBI, or other sectoral regulators with stricter breach notification timelines than the general DPDP Rules.
- Develop Robust Incident Response Plans: Given the 6-hour deadlines for certain entities, immediate detection, containment, and preliminary assessment capabilities are non-negotiable. Your incident response plan must clearly define roles, responsibilities, and communication protocols for rapid compliance.
- Establish Harm Assessment Protocols: Set out clear internal guidelines for assessing the likelihood and severity of harm to Data Principals, as this determines the necessity and timing of individual notifications across all regimes.
- Ensure Global Alignment: For businesses operating internationally, ensure your incident response framework can simultaneously meet the DPDPA’s requirements, the strict 6-hour Indian sectoral rules, and the 72-hour (or “as soon as practicable”) global standards like GDPR, PDPA, and Australia’s NDB scheme. Prioritise the strictest applicable timeline.