Section 8(6) of the DPDP Act 2023 requires every Data Fiduciary to notify the Data Protection Board and each affected Data Principal of a personal data breach, "in such form and manner as may be prescribed". The DPDP Rules 2025 prescribe the timeline: on becoming aware of a breach you must intimate the affected individuals and the Board without delay, and then give the Board a detailed report within 72 hours of becoming aware (the Board may allow a longer period on a written request). Here's everything you need to know.
What Counts as a Personal Data Breach?
The Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. Common examples:
- A hacker gains access to your customer database
- An employee accidentally emails a spreadsheet of customer data to the wrong person
- You lose a laptop or phone containing unencrypted customer data
- A cloud storage bucket containing customer records is misconfigured as public
- A WhatsApp message with customer details is sent to the wrong contact
- An ex-employee downloads the customer list before leaving
The breach doesn't have to be a sophisticated cyberattack. Any incident that results in personal data being accessed by, or sent to, someone not authorised to see it qualifies, and so does an incident that destroys or locks you out of that data (a ransomware infection, for example).
The 72-Hour Clock: When Does It Start?
The 72-hour clock starts from the moment you become aware of the breach, not from when the breach occurred. If a breach happened three days ago but you discovered it today, the 72-hour clock started today. Note the awareness date in your incident record, because the Board will want to know when the breach happened, when you found it, and why there was a gap.
This "aware" standard means you need monitoring systems that will actually detect breaches. A breach you have not yet detected carries no notification deadline for now, but having no detection capability can itself be evidence that you failed to take reasonable security safeguards under Section 8(5), which carries the ₹250 Crore penalty provision.
Who Must Be Notified?
Two separate notification obligations:
1. The Data Protection Board
An initial intimation without delay, followed by a detailed report within 72 hours, submitted through the Board's portal (to be established by the government) and containing:
- Description of the nature of the breach
- Categories and approximate number of Data Principals affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details of your grievance officer
2. Affected Individuals (Data Principals)
Every person whose data was compromised must be notified without delay, in a concise, clear and plain manner, through the contact details they registered with you. The notification should contain enough information for them to take protective action: what happened, the likely consequences, what you are doing about it, the steps they can take themselves, and a contact for queries (e.g., "your email and phone number were exposed, so be alert for phishing attempts and calls claiming to be from us").
What If You're Not Sure It's a Breach?
If you discover an incident but aren't certain whether it constitutes a "breach", notify the Board anyway, noting that investigation is ongoing. The Rules already contemplate this two-step approach: an immediate intimation describing what you know, followed by the detailed report within 72 hours (or longer if the Board allows it on a written request). The penalty for not notifying (up to ₹200 Crore) vastly outweighs any awkwardness of over-notifying.
Penalties for Missing the Deadline
Failing to notify the Board of a breach within the prescribed time: up to ₹200 Crore. This penalty is separate from the ₹250 Crore maximum penalty for the security failure that caused the breach. A single incident where data is breached AND you fail to notify could therefore attract penalties of up to ₹450 Crore in total.
Building Your Breach Response Plan Now
The time to plan for a breach is before it happens. Prepare:
- Detection: What monitoring do you have in place? (Security alerts, access logs, anomaly detection)
- Escalation: Who in your team gets called when a potential breach is detected? Who makes the notification decision?
- Documentation: A breach log template that captures incident details
- DPB Notification: A draft notification form ready to complete
- Customer Notification: A template WhatsApp/SMS/email to send to affected customers
- Containment: Steps to limit the damage (disable compromised accounts, rotate credentials, revoke access)
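The detection and documentation steps above are easy to describe and easy to get wrong under pressure, so here is an added example that is not part of the original article and is not EasyDP's code. It runs one simple detection rule (an unusually large export of customer records by a single account, the "ex-employee downloads the customer list" case) over constructed access-log lines, opens an incident record stamped with the moment of awareness, and computes the 72-hour deadline from that moment rather than from when the export happened. The log format, account names, threshold and timestamps are all assumptions made for the example.

```python
"""Added example (not from the original article or EasyDP): bulk-export
detection over constructed log lines, plus an incident record whose 72-hour
clock starts at the moment of awareness.  Log format, accounts and threshold
are illustrative assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=72)

# Constructed sample log: "<ISO timestamp> <account> <action> <record_count>"
SAMPLE_LOG = """\
2025-03-10T09:14:02+05:30 asha view 1
2025-03-10T09:20:45+05:30 asha view 1
2025-03-10T22:51:10+05:30 ravi export 4800
2025-03-10T22:53:31+05:30 ravi export 5200
2025-03-11T10:02:00+05:30 asha export 40
"""

# Hypothetical rule: more than this many records exported by one account
# within a one-hour window is treated as a potential unauthorised download.
BULK_EXPORT_THRESHOLD = 1000


@dataclass
class Incident:
    description: str
    occurred_at: datetime    # when the suspicious activity happened
    discovered_at: datetime  # when we became aware; this starts the clock
    audit_log: list[tuple[datetime, str]] = field(default_factory=list)

    def deadline(self) -> datetime:
        """Detailed report to the Board is due 72 hours after awareness."""
        return self.discovered_at + REPORTING_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now) / timedelta(hours=1)

    def record(self, now: datetime, action: str) -> None:
        """Append a timestamped entry to the audit trail."""
        self.audit_log.append((now, action))


def parse_log(text: str) -> list[tuple[datetime, str, str, int]]:
    events = []
    for line in text.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events


def detect_bulk_exports(events, threshold: int = BULK_EXPORT_THRESHOLD):
    """Return (account, window_start, records) for every account whose
    exports inside any one-hour sliding window exceed the threshold."""
    by_user: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for ts, user, action, count in events:
        if action == "export":
            by_user[user].append((ts, count))
    hits = []
    for user, exports in by_user.items():
        exports.sort()
        start, running, peak, peak_start = 0, 0, 0, None
        for ts, count in exports:
            running += count
            # Slide the window forward so it spans at most one hour.
            while ts - exports[start][0] > timedelta(hours=1):
                running -= exports[start][1]
                start += 1
            if running > peak:
                peak, peak_start = running, exports[start][0]
        if peak > threshold:
            hits.append((user, peak_start, peak))
    return hits


def open_incident(hit, discovered_at: datetime) -> Incident:
    """Escalation step: create the incident record at the moment of awareness."""
    user, first_export, total = hit
    inc = Incident(
        description=f"bulk export of {total} customer records by account {user}",
        occurred_at=first_export,
        discovered_at=discovered_at,
    )
    inc.record(discovered_at, "incident opened; 72-hour clock started")
    inc.record(discovered_at, f"detailed Board report due by {inc.deadline().isoformat()}")
    return inc


if __name__ == "__main__":
    hits = detect_bulk_exports(parse_log(SAMPLE_LOG))
    # Assume the alert was only reviewed the next working day.
    incident = open_incident(hits[0], datetime(2025, 3, 12, 9, 0, tzinfo=IST))
    print(incident.description)
    print("occurred:", incident.occurred_at, "discovered:", incident.discovered_at)
    print("deadline:", incident.deadline())
```

The gap between `occurred_at` and `discovered_at` is deliberate: the export happened late on 10 March but the clock only starts when someone reviews the alert on 12 March, which is exactly the scenario in the "aware" standard above. Everything written to `audit_log` carries its own timestamp so the record can later show when each decision was taken.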
How EasyDP Handles Breach Notification
EasyDP's compliance dashboard includes a breach notification workflow. When you log a breach incident, the system:
- Starts the 72-hour countdown timer
- Generates a draft DPB notification from your business and incident details
- Identifies which customers are affected based on your EasyDP data records
- Drafts customer notifications in their preferred languages
- Logs every action with timestamps for your audit trail
The goal: when a breach happens at 2 AM, you're not scrambling to figure out what to do. The process is already defined.