Breach Notification Under DPDPA: A Step-by-Step Playbook

When a data breach occurs, timing is critical. This guide walks through detection, assessment, notification to the Data Protection Board, and communication with affected principals.

Data breaches are not a matter of if but when. Under DPDPA, Data Fiduciaries have a legal obligation to notify both the Data Protection Board of India and affected Data Principals in the event of a personal data breach. The Act does not specify exact timelines yet, but the expectation is prompt notification. Having a well-rehearsed breach response plan is essential.

Step 1: Detection and Containment

The first priority when a breach is detected is containment. Isolate affected systems, preserve forensic evidence, and stop ongoing data exposure. Automated monitoring tools that detect anomalous data access patterns can reduce detection time from weeks to hours. Every minute of undetected breach increases the potential harm and regulatory exposure.

Step 2: Assessment and Documentation

Once contained, assess the scope: what data was affected, how many Data Principals are impacted, what the likely cause was, and what the risk of harm is. Document everything meticulously. This assessment determines your notification obligations and will be reviewed by the Data Protection Board. Include a timeline of events, the categories of data involved, and the immediate remediation steps taken.

Step 3: Notification

Notify the Data Protection Board with your assessment, including the nature of the breach, approximate number of affected individuals, likely consequences, and measures taken to address it. Simultaneously, notify affected Data Principals in clear, plain language, explaining what happened, what data was involved, what you are doing about it, and what steps they should take to protect themselves.

Step 4: Remediation and Review

After the immediate crisis, conduct a thorough root cause analysis. Update your security measures to prevent recurrence, review and strengthen your incident response plan based on lessons learned, and maintain detailed records that demonstrate your compliance efforts. Consider engaging third-party auditors to validate your remediation measures and provide independent assurance.