Breach Reporting in The DPDP Era
Under the DPDPA 2023 and the 2025 Rules, a Data Fiduciary must notify affected users and the Data Protection Board of a personal data breach without delay and file a detailed report with the Board within 72 hours. Learn who reports, what qualifies as a breach, and how to stay compliant.
In the modern digital economy, data is the invisible thread connecting every transaction. For any organization handling sensitive information, the landscape of responsibility has fundamentally transformed.
Under the Digital Personal Data Protection Act (DPDPA) 2023 and the recently released 2025 Rules, the responsibility for transparency is absolute. A data breach is no longer just a technical hurdle; it is a legal event with a precise reporting hierarchy and a non-negotiable timeline.
Who Reports, to Whom, and When?
The law is specific about the chain of communication. In the event of a personal data breach:
- The Data Fiduciary (the entity that determines the purpose and means of processing) carries the statutory duty to report, and under Section 8 it remains responsible for compliance regardless of any arrangement with a Data Processor. A Data Processor (any entity processing data on the Fiduciary's behalf) has no direct notification duty to the Board; its obligation to tell the Fiduciary promptly must be written into the contract the Act requires between the two.
- On becoming aware of the breach, the Data Fiduciary must intimate every affected Data Principal (the individual user) and the Data Protection Board (DPB) without delay, and must then supply the Board with the detailed report described below within 72 hours of becoming aware, or within any longer period the Board allows on a written request.
Defining a Breach in the Indian Context
The Act's definition is broad and is not limited to malicious hacking. Section 2(u) defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. In practice that covers:
- Unauthorised Processing: Using personal data for a purpose the Data Principal did not consent to and that no other lawful ground under the Act covers.
- Accidental Disclosure: Sending a document or a set of records to the wrong recipient.
- Loss of Access: Ransomware or an outage that makes personal data unavailable, even when nothing is exfiltrated, because availability is part of the definition.
- Alteration: Any unauthorised change that compromises the integrity of the information.
Unlike the GDPR, which exempts breaches unlikely to result in a risk to individuals, the DPDPA and the 2025 Rules set no materiality threshold. Even an incident that seems minor must be reported if it meets the definition.
Incident Management
A DPDPA-compliant response requires an integrated Incident Response (IR) Plan that triggers the moment a Personal Data Breach is suspected.
The Blue-Team Workstreams:
Once a breach is suspected, your security, legal and communications teams must move in parallel, because the notification clock runs from awareness and does not wait for containment to finish:
- Identification & Scoping: Determine the point of entry and the blast radius. Was it an exposed API, a compromised credential, or a publicly readable S3 bucket? Preserve logs and evidence at this stage; the report to the Board will need them.
- Containment: Isolate affected systems and revoke compromised credentials to stop further exfiltration.
- Eradication & Recovery: Clean the environment and restore from backups verified to predate the intrusion.
- Post-Mortem: Conduct a root-cause analysis so the weakness is fixed permanently rather than worked around.
The Mechanics of the 72-Hour Notice
Once the Fiduciary becomes aware of a breach, it must intimate the Board and the affected individuals without delay, and it has 72 hours from awareness (extendable only by the Board on a written request) to deliver a detailed report to the Board. Note that the CERT-In directions of April 2022 separately require reportable cyber incidents to be reported to CERT-In within six hours of noticing them; that is a different regulator and a different clock, and both reports should draw on the same preserved evidence. Based on Rule 7 and the CERT-In incident-reporting format, the report to the Board must be granular.
You need to provide:
- Incident Details: Time of detection vs. time of occurrence, and the physical/logical location of the affected systems.
- Technical Parameters: Type of incident (e.g., Ransomware, SQLi, Phishing) and the IP addresses/URLs involved.
- Data Impact:
  - Categories: Was it Aadhaar/PAN data, biometric logs, or financial mandates?
  - Volume: Approximate number of Data Principals affected.
- Risk Assessment: Potential for identity theft, financial loss, or reputational harm to the users.
- Remediation Action: What specific technical measures have been taken, together with the likely cause of the breach and a record of the intimations already sent to Data Principals, which Rule 7 also asks for.
Communicating with Users: Clarity over Legalese
While the report to the Board is technical, the notification to users (Data Principals) must be in clear and plain language. The goal is to empower the individual to take protective action. A valid user notice must include:
- The What and When: Clear context of the incident.
- Potential Consequences: The risks the user might face, such as identity theft or financial fraud.
- Actionable Advice: Steps the user should take immediately (e.g., rotating credentials or monitoring account activity).
- Contact Point: Business contact details of the Data Protection Officer (a DPO is mandatory only for Significant Data Fiduciaries) or, for every other Fiduciary, the person designated to answer Data Principals' questions on its behalf.
The High Stakes of Silence
The DPDPA is designed as a deterrent. Under the Schedule to the Act, failure to take reasonable security safeguards to prevent a breach carries a penalty of up to ₹250 crore, and failure to notify the Board or the affected Data Principals of a breach carries a separate penalty of up to ₹200 crore. In this regime, the cost of silence far outweighs the cost of a transparent, rapid response.
Moving Toward Compliance by Design
As a platform that handles millions of digital identities, Digio views security as a core architectural pillar. To stay ahead of the 72-hour clock, businesses should consider three operational shifts:
- Automate Consent Logs: Use immutable systems to track data purpose. This makes it much faster to identify unauthorized processing.
- Incident Response Playbooks: Don't draft your notification in a crisis. Have pre-vetted Notice of Data Breach Templates ready for different scenarios.
- Processor Accountability: The Fiduciary is liable regardless of its contracts with processors, so write breach handling into every processing contract: notification to you without delay, the incident data fields you will need for the Board, log retention and evidence preservation, and cooperation during containment.
Summary: Key Takeaways for DPDPA Breach Compliance
Navigating the new notification regime requires a shift from reactive troubleshooting to a structured, time-bound protocol. Here are the essential points to remember:
- The Clock: On becoming aware of a breach, a Data Fiduciary must intimate the Data Protection Board and the affected individuals without delay, and must deliver a detailed report to the Board within 72 hours of becoming aware.
- Immediate Processor Reporting: The Act holds the Fiduciary responsible for processing done on its behalf, so third-party processors must be contractually bound to notify you the moment they detect a breach.
- Broad Scope: A breach isn't just a hack; it includes accidental disclosures, unauthorized data use, or even a temporary loss of access to data.
- Clarity is Mandatory: Communications to users must be in plain, accessible language, providing them with clear steps to protect themselves.
- High Financial Stakes: Penalties run up to ₹250 crore for failing to take reasonable security safeguards and up to ₹200 crore for failing to notify, making the cost of silence far greater than the cost of rapid transparency.
- Preparation Window: The 18-month implementation timeline is the window for organizations to move away from manual tracking and adopt systems that identify and report incidents automatically.
Ultimately, the goal of these requirements is to ensure that when things go wrong, the response is swift, transparent, and focused on minimizing harm to the user.
This content is for informational and educational purposes only and does not constitute legal advice. Readers should consult qualified legal professionals for advice specific to their circumstances.