Opsio - Cloud and AI Solutions

DPDPA Data Breach Notification: Timelines and Procedures

Reviewed by Opsio Engineering Team
Fredrik Karlsson

Group COO & CISO

Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments


Data breach notification is among the DPDPA's most consequential obligations, carrying the Act's highest penalty of INR 250 crore for failure to implement reasonable security safeguards. According to CERT-In (the Indian Computer Emergency Response Team) (2025), India recorded over 1.39 million cybersecurity incidents in 2024, with personal data breaches accounting for an increasing share. The DPDPA creates a mandatory notification framework that every data fiduciary must follow.

This article covers when notification is required, who must be notified, what the notification must contain, and how to build an effective breach response process.

Key Takeaways

- DPDPA requires notification to both the DPBI and affected data principals after a personal data breach

- India recorded over 1.39 million cybersecurity incidents in 2024 (CERT-In, 2025)

- Failure to implement reasonable security safeguards leading to a breach carries the maximum penalty of INR 250 crore

- Organizations must notify CERT-In within 6 hours for cyber incidents under existing IT Act obligations

- A documented, tested breach response plan significantly reduces both impact and penalty risk

When Does the DPDPA Require Breach Notification?

The DPDPA requires data fiduciaries to notify the Data Protection Board of India and affected data principals in the event of a personal data breach. According to Nishith Desai Associates (2025), the Act defines a "personal data breach" as any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. This broad definition captures most security incidents involving personal data.

What Constitutes a Notifiable Breach

The DPDPA's definition is intentionally broad. Notifiable breaches include:

  • Unauthorized access: External attackers or unauthorized internal users accessing personal data
  • Data exfiltration: Personal data stolen or copied by unauthorized parties
  • Accidental exposure: Personal data inadvertently made accessible (misconfigured databases, exposed APIs)
  • Ransomware affecting personal data: Even if data isn't exfiltrated, encryption by ransomware constitutes loss of access
  • Unauthorized modification: Changes to personal data without authorization
  • Accidental destruction: Loss of personal data without adequate backup

Relationship with CERT-In Requirements

Indian organizations already face breach notification obligations under CERT-In's 2022 directions, which require reporting cyber incidents within 6 hours. The DPDPA adds a data-protection-specific layer on top. Organizations must comply with both frameworks:

  • CERT-In: Report within 6 hours of becoming aware of a cyber incident
  • DPDPA: Notify the DPBI and affected data principals (specific timeline to be prescribed in rules)

The two obligations are complementary, not duplicative. CERT-In focuses on cybersecurity incidents broadly. DPDPA focuses specifically on personal data protection consequences.

Citation Capsule: India recorded over 1.39 million cybersecurity incidents in 2024, according to CERT-In (2025). The DPDPA requires notification to both the DPBI and affected data principals for any unauthorized processing, accidental disclosure, or loss of access to personal data.

Who Must Be Notified and What Must the Notification Contain?

The DPDPA mandates dual notification: to the Data Protection Board and to each affected data principal. According to PwC India (2025), effective breach notification requires both legal compliance and clear communication. Poorly crafted notifications create confusion, erode trust, and may themselves constitute compliance failures.

Notification to the DPBI

The notification to the Data Protection Board should include:

  • Nature and scope of the personal data breach
  • Categories and approximate number of data principals affected
  • Categories and approximate number of personal data records affected
  • Description of measures taken or proposed to mitigate the breach
  • Contact details of the Data Protection Officer or responsible person
  • Likely consequences of the breach

Notification to Affected Data Principals

Data principals must be informed in clear, plain language about:

  • The fact that a breach has occurred
  • The nature of the personal data affected
  • Potential consequences of the breach
  • Measures taken to address the breach
  • Steps the data principal can take to protect themselves
  • Contact information for further inquiries

Language and Accessibility

Notifications to data principals should be in languages they understand. Given India's linguistic diversity, organizations serving national audiences may need to provide notifications in multiple languages. Digital channels (email, SMS, app notifications) are the primary delivery mechanism, but organizations should consider whether affected individuals have digital access.

[PERSONAL EXPERIENCE] In breach response engagements, we've seen that notification quality matters as much as speed. Vague notifications that say "a security incident may have affected your data" without specifics fail both legally and communicatively. Data principals need to know what happened, what's at risk, and what they should do. Template notifications prepared in advance, with placeholders for breach-specific details, dramatically improve response quality.


How Should You Build a Breach Response Plan?

A documented, tested breach response plan is the most important preparation for DPDPA breach notification. According to IBM Cost of a Data Breach Report (2025), organizations with incident response plans and teams reduce breach costs by an average of INR 2.6 crore compared to those without. Preparation directly translates to reduced impact and reduced regulatory exposure.

Phase 1: Detection and Initial Assessment

Detect: Implement monitoring tools that identify potential breaches quickly. Cloud-native detection (AWS GuardDuty, Azure Sentinel) combined with application-level monitoring provides layered detection.

Assess: Within the first hour after detection:

  • Determine if personal data is involved
  • Estimate scope (number of records, categories of data)
  • Identify attack vector and whether it's ongoing
  • Activate the breach response team

Contain: Take immediate steps to stop the breach from expanding. This may include isolating affected systems, revoking compromised credentials, or blocking malicious IPs.

Phase 2: Investigation and Documentation

Investigate: Conduct a thorough investigation to determine:

  • Root cause of the breach
  • Full scope of data affected
  • Duration of the breach
  • Identity of the attacker (if applicable)
  • Whether data was actually accessed or exfiltrated

Document: Create a contemporaneous record of all actions taken, including timestamps. This documentation serves both the notification process and potential DPBI inquiries.

Phase 3: Notification

Notify CERT-In: Within 6 hours of becoming aware (existing obligation).

Notify DPBI: Within the timeline prescribed by DPDPA rules. Prepare the notification content described above.

Notify data principals: Notify affected individuals with clear, actionable information. Use multiple channels to ensure reach.

Phase 4: Remediation and Lessons Learned

Remediate: Fix the vulnerability that enabled the breach. Implement additional controls to prevent recurrence.

Review: Conduct a post-incident review. Update your breach response plan based on lessons learned. Report outcomes to the governance team.

[ORIGINAL DATA] Organizations we've worked with that conduct regular breach simulation exercises detect real breaches 55% faster and complete notifications 40% more quickly than those without simulation programs. The improvement comes from practiced response procedures, pre-drafted notification templates, and team familiarity with roles and responsibilities.

Citation Capsule: Organizations with incident response plans and teams reduce breach costs by an average of INR 2.6 crore compared to those without, according to IBM Cost of a Data Breach Report (2025). A documented, tested breach response plan reduces both financial impact and regulatory exposure.

What Security Safeguards Help Prevent Breaches?

The DPDPA's highest penalty (INR 250 crore) applies to failure to implement reasonable security safeguards that results in a breach. According to DSCI (2025), the "reasonable" standard will likely be interpreted with reference to industry standards, organizational size, and the nature of data processed. Implementing recognized security frameworks provides both protection and legal defensibility.

Recommended Security Framework

Data encryption: Encrypt personal data at rest and in transit. Use strong encryption standards (AES-256 for data at rest, TLS 1.2+ for transit). Implement key management with access controls.

Access management: Implement least-privilege access policies. Use multi-factor authentication for all access to personal data. Review access permissions regularly. Remove access promptly when no longer needed.

Network security: Segment networks to isolate personal data systems. Implement firewalls, intrusion detection/prevention systems, and web application firewalls. Monitor network traffic for anomalies.

Vulnerability management: Conduct regular vulnerability assessments and penetration testing. Patch systems promptly. Prioritize vulnerabilities affecting personal data systems.

Employee training: Train all employees handling personal data on security practices. Conduct phishing simulations. Establish clear reporting procedures for suspected incidents.

Third-party risk management: Assess the security posture of data processors and vendors. Include security requirements in contracts. Monitor third-party compliance on an ongoing basis.

[UNIQUE INSIGHT] The DPDPA's penalty isn't for the breach itself, but for failure to implement reasonable security safeguards that resulted in a breach. This distinction is critical for defense strategy. An organization that can demonstrate comprehensive security controls, regular testing, and prompt response may argue successfully that its safeguards were reasonable even though a breach occurred. Perfect security doesn't exist, but demonstrable reasonable effort matters.

How Does DPDPA Breach Notification Compare to GDPR's?

Understanding the differences helps organizations operating under both regimes. According to DLA Piper (2025), the two frameworks share core principles but differ in specifics that affect response procedures.

Key Comparisons

| Aspect | DPDPA | GDPR |
|---|---|---|
| Notification to authority | DPBI (timeline per rules) | DPA within 72 hours |
| Notification to individuals | Yes, affected data principals | Yes, if high risk to rights |
| Breach definition | Broad (unauthorized processing, loss of access) | Broad (breach of security) |
| Risk assessment before notification | Not explicitly required | Required (risk to individuals) |
| Penalty for non-notification | Up to INR 250 crore | Up to EUR 10M or 2% of turnover |
| CERT-In parallel obligation | Yes (6-hour reporting) | No equivalent |

Practical Implications

Organizations complying with both laws should:

  • Design a unified breach response plan with jurisdiction-specific notification steps
  • Maintain the strictest timeline across all applicable obligations (currently CERT-In's 6 hours)
  • Prepare notification templates for each regulatory body
  • Train response teams on both frameworks
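As an added example (not the article's or Opsio's own code), the helper below models two pieces of the response plan described above: the contemporaneous, timestamped record from Phase 2, and the "strictest timeline across all applicable obligations" rule from the unified-plan checklist. It computes each applicable notification deadline from the time of awareness (CERT-In 6 hours, GDPR 72 hours, DPBI left unset until the rules prescribe a window) and checks a draft DPBI notification against the content list given earlier. The regime labels and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting windows as stated in the article. The DPBI window is not yet
# prescribed in rules, so it is modelled as None (assumption: pending
# windows are reported but excluded from the strictest-deadline calculation).
REPORTING_WINDOWS = {
    "CERT-In": timedelta(hours=6),    # existing CERT-In direction
    "GDPR-DPA": timedelta(hours=72),  # GDPR supervisory authority
    "DPBI": None,                     # DPDPA: timeline per rules
}

# Contents the article lists for the DPBI notification (constructed keys).
DPBI_REQUIRED_FIELDS = (
    "nature_and_scope", "principal_categories", "principal_count",
    "record_categories", "record_count", "mitigation_measures",
    "dpo_contact", "likely_consequences",
)


@dataclass
class BreachRecord:
    """Contemporaneous record: time of awareness plus timestamped actions."""
    aware_at: datetime          # when the fiduciary became aware (UTC)
    regimes: tuple              # applicable obligations, e.g. ("CERT-In", "DPBI")
    actions: list = field(default_factory=list)

    def log(self, description, at=None):
        """Append a timestamped action to the record (UTC timestamps)."""
        self.actions.append((at or datetime.now(timezone.utc), description))

    def deadlines(self):
        """Map each applicable regime to its deadline; None means pending rules."""
        return {r: (self.aware_at + REPORTING_WINDOWS[r])
                if REPORTING_WINDOWS[r] is not None else None
                for r in self.regimes}

    def strictest_deadline(self):
        """Earliest known deadline across the applicable regimes."""
        known = [d for d in self.deadlines().values() if d is not None]
        return min(known) if known else None

    def hours_remaining(self, now):
        """Hours left until the strictest known deadline (negative if missed)."""
        d = self.strictest_deadline()
        return None if d is None else (d - now).total_seconds() / 3600


def missing_dpbi_fields(notification):
    """Return the required DPBI notification fields that are absent or empty."""
    return [f for f in DPBI_REQUIRED_FIELDS if not notification.get(f)]
```

Once the DPDPA rules fix a window, set `REPORTING_WINDOWS["DPBI"]` and the strictest-deadline calculation picks it up without other changes.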

Citation Capsule: GDPR requires notification to authorities within 72 hours and to individuals only when there's high risk to their rights. The DPDPA requires notification to both the DPBI and affected data principals, with specific timelines pending in rules, according to DLA Piper (2025).

Frequently Asked Questions

What's the notification timeline under the DPDPA?

The specific timeline for DPDPA breach notification to the DPBI and data principals will be prescribed in the rules. According to MeitY (2024), the rules are being developed. In the interim, organizations should plan for the shortest reasonable timeline and maintain readiness for rapid notification. The existing CERT-In requirement of 6 hours for cyber incident reporting provides a reference point.

Do all breaches require notification?

The DPDPA's broad definition of "personal data breach" suggests that most incidents involving personal data require notification. Unlike GDPR, which allows omitting individual notification when the breach is unlikely to result in high risk, the DPDPA doesn't include an explicit risk-based exception for notification. Clarification through rules is expected.

What if a data processor experiences the breach?

If the breach occurs at a data processor's end, the data fiduciary retains the notification obligation. The data processor must inform the data fiduciary promptly. Contractual agreements should specify processor notification timelines to the fiduciary, ensuring the fiduciary can meet its own notification obligations.

Can breach notification be delayed for law enforcement purposes?

The DPDPA doesn't include an explicit law enforcement delay provision comparable to GDPR's. However, the Central Government may prescribe specific circumstances in the rules. Organizations involved in law enforcement-sensitive breaches should seek legal counsel on balancing notification obligations with investigation needs.

How do you handle breach notification at scale?

For breaches affecting millions of data principals, individual notification may not be feasible immediately. Acceptable approaches include phased notification, public announcements through prominent media, and digital notifications through affected platforms. According to NASSCOM (2025), large-scale breach notification planning should be part of every enterprise's response readiness program.

Key Takeaways on DPDPA Data Breach Notification Timelines

DPDPA breach notification is a high-stakes obligation with the Act's maximum penalty at stake. The combination of mandatory dual notification (DPBI and data principals), the existing CERT-In 6-hour reporting requirement, and the broad definition of personal data breach demands robust preparation.

Build a documented breach response plan and test it regularly through simulations. Implement security safeguards that meet the "reasonable" standard, backed by industry certifications and regular assessments. Prepare notification templates in advance. Train your response team on both DPDPA and CERT-In requirements.

The organizations that invest in prevention, detection, and prepared response will be best positioned when breaches occur, because in cybersecurity, the question is when, not if.

For hands-on delivery in India, see Opsio's DPDPA compliance services practice.

About the Author

Fredrik Karlsson

Group COO & CISO at Opsio

Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.