DPDPA Breach Notification

Automated incident detection, assessment, and mandatory notification to the Data Protection Board and affected data principals under DPDPA.

Under the Digital Personal Data Protection Act 2023, every data fiduciary subject to the Act must notify the Data Protection Board of India and each affected data principal of a personal data breach. The penalties for failure are severe: up to ₹200 crore for failing to give notice of a breach and up to ₹250 crore for failing to take reasonable security safeguards. Speed and completeness matter because a delayed or incomplete response compounds regulatory risk, erodes consumer trust and increases financial exposure. Qverlabs automates the incident response lifecycle, from real-time anomaly detection and AI-driven impact assessment to pre-formatted Board notifications and multi-channel principal communication, so that your organisation can meet its DPDPA obligations quickly and completely.

Incident Response Timeline

A six-stage automated workflow from detection to remediation

1. Detect (0 - 1 hours): Real-time anomaly detection across all data systems
2. Assess (1 - 4 hours): AI-driven impact assessment: what data, how many principals affected
3. Contain (2 - 6 hours): Automated containment actions to stop further exposure
4. Notify Board (within 72 hours): Structured notification to the Data Protection Board of India
5. Notify Principals (within 72 hours): Clear, plain-language notification to affected individuals
6. Remediate (ongoing): Root cause analysis, fixes, and preventive measures

Times are measured from first detection; the assessment and containment stages overlap because containment starts as soon as the affected systems are known, not after the full impact assessment is complete.

Breach Notification Capabilities

End-to-end tooling for every stage of DPDPA incident response

Real-Time Breach Detection

Continuous monitoring across databases, APIs, cloud storage, and network traffic. ML-based anomaly detection flags unusual data access patterns in near real time by comparing each actor's current behaviour against its own history.

  • 24/7 monitoring of all personal data stores
  • Machine learning anomaly detection models
  • Real-time alerts for suspicious access patterns
  • Integration with SIEM and security tools
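The access-pattern detection described above, as an added example written for this page (it is not Qverlabs' product code): each actor gets a baseline built from its own earlier days, and a day on which it reads far more distinct data principals' records than that baseline predicts is flagged with a z-score. The JSON-lines log schema (actor, principal, ts), the sample log and the thresholds are all assumptions for the example.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timezone


def _reads(actor: str, day: int, count: int) -> list[str]:
    """Constructed log lines: `count` reads of distinct principals by `actor` on one day."""
    ts = datetime(2025, 3, day, 10, 0, tzinfo=timezone.utc).isoformat()
    return [json.dumps({"actor": actor, "principal": f"dp-{i}", "ts": ts})
            for i in range(count)]


def _make_sample_log() -> str:
    """Constructed sample: a hypothetical JSON-lines audit log, not a real product format."""
    lines = []
    # analyst1 reads about 20 records a day for a week, then 480 in one day.
    for day, count in enumerate([18, 22, 20, 19, 21, 20, 20, 480], start=1):
        lines.extend(_reads("analyst1", day, count))
    # svc_billing reads exactly 200 records every day: high volume, but stable.
    for day in range(1, 9):
        lines.extend(_reads("svc_billing", day, 200))
    return "\n".join(lines)


SAMPLE_LOG = _make_sample_log()


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into events. Malformed lines are skipped rather than
    aborting detection: a detector that dies on one bad line is itself a gap."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def distinct_principals_per_day(events: list[dict]) -> dict:
    """actor -> ISO date -> set of principals whose records that actor read."""
    table = defaultdict(lambda: defaultdict(set))
    for e in events:
        day = datetime.fromisoformat(e["ts"]).date().isoformat()
        table[e["actor"]][day].add(e["principal"])
    return table


def detect_anomalies(events: list[dict], z_threshold: float = 3.0,
                     min_records: int = 50, min_baseline_days: int = 3) -> list[dict]:
    """Flag days on which an actor touched far more distinct principals than its own
    history predicts. The baseline is per actor, so a batch job that always reads
    200 records is not an alert, while an analyst jumping from 20 to 480 is.
    min_records keeps tiny absolute counts (5 against a baseline of 1) from alerting."""
    alerts = []
    for actor, days in distinct_principals_per_day(events).items():
        history = []  # distinct-principal counts for earlier, non-flagged days
        for day in sorted(days):
            count = len(days[day])
            if len(history) >= min_baseline_days:
                mean = statistics.fmean(history)
                # A perfectly flat history has stdev 0; floor it so one extra
                # record does not produce an infinite z-score.
                stdev = max(statistics.stdev(history), 1.0)
                z = (count - mean) / stdev
                if z >= z_threshold and count >= min_records:
                    alerts.append({"actor": actor, "date": day,
                                   "distinct_principals": count,
                                   "baseline_mean": round(mean, 1),
                                   "z_score": round(z, 1)})
                    continue  # keep the anomaly out of the baseline it would poison
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Counting distinct principals rather than raw requests is deliberate: repeated reads of one record look like a support case, while one actor touching hundreds of different principals in a day is the signature of a bulk export, which is exactly the event whose affected-principal count the Board notification later has to state.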

Impact Assessment Engine

AI-driven analysis determining scope of the incident: data categories affected, number of principals, sensitivity level, and potential harm assessment.

  • Automated data category and sensitivity mapping
  • Affected principal count estimation
  • Harm severity scoring and risk rating
  • Cross-system impact correlation analysis

Automated Board Notification

Pre-formatted notification templates aligned to Data Protection Board requirements. Auto-populated with incident details, timeline, and remediation steps.

  • Board-aligned notification templates
  • Auto-populated incident detail fields
  • Timeline and remediation step generation
  • Submission tracking and acknowledgement logging

Principal Communication

Multi-channel notification (email, SMS, in-app) to affected data principals in clear, plain language. Supports the 22 languages listed in the Eighth Schedule to the Constitution of India.

  • Email, SMS, and in-app notification channels
  • Plain-language incident explanations
  • Multi-language support covering the Eighth Schedule languages
  • Delivery tracking and confirmation receipts

Incident Response Playbooks

Pre-configured response workflows for different incident types: unauthorized access, data exfiltration, ransomware, insider threats, and accidental disclosure.

  • Breach-type-specific response workflows
  • Role-based task assignment and escalation
  • Automated containment action triggers
  • Customisable playbook templates

Post-Breach Audit Trail

Complete, immutable record of every action taken during incident response. Timestamped evidence for regulatory investigations and compliance audits.

  • Immutable, timestamped action logs
  • Evidence packaging for regulatory review
  • Chain-of-custody documentation
  • Exportable audit reports for Board inquiries
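What "immutable, timestamped" has to mean in practice, as an added example written for this page (not the product's code): a hash-chained audit trail in which every entry commits to the hash of the one before it, an export in JSON lines for the evidence package, and a verifier that reports the first entry whose contents or position no longer match. The head hash is what gets anchored outside the log store; without it, removing the newest entries is invisible to the verifier. Actor names, actions and references in the demo are constructed placeholders.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(obj) -> bytes:
    # Fixed key order and no whitespace: the same entry must always hash the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of incident-response actions.
    Each entry commits to the previous entry's hash, so editing or reordering
    any entry breaks every link after it."""

    def __init__(self, clock=None):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def append(self, actor: str, action: str, details: Optional[dict] = None) -> dict:
        entry = {
            "seq": len(self._entries),
            "ts": self._clock(),
            "actor": actor,
            "action": action,
            "details": details or {},
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _entry_hash(entry)
        self._entries.append(entry)
        return copy.deepcopy(entry)

    def entries(self) -> list:
        return copy.deepcopy(self._entries)

    def head(self) -> str:
        """Hash of the newest entry. Record it somewhere the log's writers cannot
        change (a write-once store, the incident ticket); without that anchor,
        silently dropping the newest entries is undetectable."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def export_jsonl(self) -> str:
        """Evidence package: one JSON object per line, suitable for handing over."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)


def load_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verify_chain(entries: list, expected_head: Optional[str] = None):
    """Return (True, None) if the chain is intact, otherwise (False, seq) where seq
    is the first entry that fails. Checks sequence numbers, back-links and each
    entry's own hash; with expected_head it also detects truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev or _entry_hash(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


if __name__ == "__main__":
    # Constructed incident: actors, actions and references are placeholders.
    trail = AuditTrail()
    trail.append("ids", "DETECTED", {"alert_id": "alert-1"})
    trail.append("ir-lead", "CONTAINED", {"step": "revoked-api-key"})
    trail.append("ir-lead", "BOARD_NOTIFIED", {"reference": "submission-1"})
    anchored_head = trail.head()
    exported = trail.export_jsonl()
    print(verify_chain(load_jsonl(exported), anchored_head))  # (True, None)
```

A chain like this proves only that the log has not changed since the head was anchored; it does not stop someone with write access from appending a false entry with a valid hash. Chain-of-custody therefore still needs the writer identity on each entry and an anchor (or periodic signature) held by a party other than the responders.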

DPDPA Sections Governing Breach Notification

Key provisions of the Act that define breach notification obligations and consequences

Section 8(6)

Breach Notification to Board and Data Principals

In the event of a personal data breach, the data fiduciary shall give the Board and each affected data principal intimation of the breach in such form and manner as may be prescribed. This is the core breach notification obligation under the Act; the Act itself sets the duty and the recipients, and leaves the timing, form and content of the intimation to the Rules.

Section 8(5)

Reasonable Security Safeguards

Every data fiduciary must protect personal data in its possession or under its control, including data processed on its behalf by a data processor, by taking reasonable security safeguards to prevent a personal data breach. A breach that results from inadequate safeguards therefore exposes the fiduciary to penalties under both Section 8(5) and Section 8(6).

Schedule

Penalties Up to 200 Crore

The Schedule to the Act prescribes a penalty of up to ₹200 crore for breach of the obligation under Section 8(6) to give notice of a personal data breach to the Board or an affected data principal, and up to ₹250 crore for breach of the obligation under Section 8(5) to take reasonable security safeguards.

Section 27

Board Adjudication of Breach Complaints

On receiving an intimation of a personal data breach, the Data Protection Board of India may direct any urgent remedial or mitigation measures, inquire into the breach and impose a penalty under the Act (Section 27(1)(a)). It also hears complaints from data principals, including complaints that a fiduciary failed to notify them, adjudicates non-compliance and imposes penalties on data fiduciaries that fail to meet their obligations.

Frequently Asked Questions

What is breach notification under DPDPA?

Breach notification under DPDPA is the mandatory obligation on data fiduciaries to inform both the Data Protection Board of India and the affected data principals whenever a personal data breach occurs. The Digital Personal Data Protection Act 2023 requires this intimation to be given in the form and manner prescribed by the Rules, with sufficient detail about the nature of the incident, the personal data affected and the remedial measures being taken. The obligation ensures transparency, enables affected individuals to take protective action, and allows the regulator to oversee the response and enforce accountability.

Who must be notified when a personal data breach occurs?

Under DPDPA Section 8(6), two parties must be notified when a personal data breach occurs. First, the Data Protection Board of India must be informed with a structured report detailing the nature, scope and impact of the incident, along with the remedial steps being taken. Second, each affected data principal whose personal data has been compromised must be notified in clear, plain language so they can understand the security event and take protective measures such as changing passwords or monitoring accounts. Both notifications are mandatory, and failure to notify either party is a separate ground for penalty under the Schedule.

What is the timeline for breach notification under DPDPA?

The Act itself fixes no number of hours or days: Section 8(6) requires intimation "in such form and manner as may be prescribed", leaving timing to the Rules. The draft Digital Personal Data Protection Rules published by MeitY for consultation in January 2025 proposed that a data fiduciary, on becoming aware of a breach, notify each affected data principal without delay, give the Board an initial intimation without delay, and follow up to the Board within 72 hours (or a longer period the Board allows on a written request) with the facts and circumstances of the breach, the remedial measures taken and a report of the intimations sent to principals. This is stricter in one respect than a GDPR-style reading: the 72-hour window applies to the detailed report, while the initial Board intimation and the principal notifications are expected without delay. Check the notified Rules for the final wording, and build detection, assessment and notification so that the initial intimations can go out within hours of awareness rather than days.

What should a DPDPA breach notification include?

The Act leaves the content of the intimation to the Rules. The draft Rules published in January 2025 proposed different content for the two recipients. To each affected data principal: a description of the breach including its nature, extent, timing and location; the likely consequences relevant to that principal; the measures implemented or proposed to mitigate risk; the safety measures the principal can take to protect their interests; and business contact information of a person able to answer questions on the principal's behalf. To the Board: an initial description of the breach (nature, extent, timing, location and likely impact), followed within 72 hours by the broad facts, circumstances and reasons leading to the breach, the measures implemented or proposed, findings regarding the person who caused it, the remedial measures taken to prevent recurrence, and a report of the intimations given to affected principals. A notification template should therefore carry both the technical incident record for the Board and a principal-facing explanation whose consequences and protective steps are filled in from the impact assessment.

What are the penalties for failing to notify?

The DPDPA prescribes severe penalties for failure to comply with breach notification obligations. Under the Schedule to the Act, a data fiduciary that fails to give the Data Protection Board of India or an affected data principal notice of a personal data breach under Section 8(6) can face a financial penalty of up to ₹200 crore. Failure to take the reasonable security safeguards required by Section 8(5), which may have allowed the breach in the first place, carries a separate penalty of up to ₹250 crore. These are the two highest penalties in the Schedule, reflecting the legislature's emphasis on prevention, transparency and accountability in incident response.

Does every incident trigger the notification obligation?

Section 8(6) applies to any "personal data breach" as defined in Section 2(u), and neither the Act nor the draft Rules of January 2025 attach a materiality or risk threshold to it; unlike GDPR, there is no carve-out for breaches unlikely to result in a risk to individuals. Because the definition covers loss of access and compromise of availability as well as disclosure, a lost laptop holding unencrypted records, a misaddressed email containing personal data, or a ransomware event that removes access to records all fall within it even where no exfiltration is proven. Until the notified Rules or Board guidance say otherwise, treat every security event that touches personal data as notifiable, and let the impact assessment determine the content of the notice rather than whether one is sent.

What is the role of the Data Protection Board?

Under Section 27(1)(a), on receiving an intimation of a personal data breach the Board may direct any urgent remedial or mitigation measures, inquire into the breach and impose a penalty under the Act; under Section 27(1)(b) it also hears complaints from data principals, including complaints that a fiduciary failed to notify them of a breach. In assessing compliance it will look at both the notification itself and whether the fiduciary had taken the reasonable security safeguards required by Section 8(5). Section 28 provides that the Board functions, as far as practicable, as a digital office, receiving complaints and conducting proceedings electronically, and its orders can direct remedial action and impose financial penalties.

What counts as a personal data breach under DPDPA?

Under Section 2(u) of the DPDPA, a personal data breach means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. This includes external attacks such as intrusion and ransomware, internal incidents such as unauthorised employee access or accidental exposure, system failures leading to data loss, and any scenario in which personal data is processed outside the scope of the consent or other lawful basis on which it was collected. The definition is intentionally broad to ensure comprehensive protection.

Can automated systems help with DPDPA breach notification?

Yes. Automated incident detection and notification systems are what make DPDPA compliance achievable at scale. Modern incident response platforms use machine learning to detect anomalous data access patterns in real time, automatically assess the scope and severity of a security event by identifying the affected data categories and data principals, generate pre-formatted notification reports aligned with regulatory requirements, dispatch multi-channel notifications to affected individuals, and maintain a tamper-evident audit trail of every action taken during the response. Automation cuts the time between detection and notification, which matters given the "without delay" and 72-hour windows proposed in the Rules and the penalties for delayed or inadequate notification.

How does DPDPA breach notification compare with GDPR?

Both DPDPA and GDPR impose mandatory breach notification obligations, but there are key differences. GDPR Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; Article 34 requires notification to affected individuals without undue delay only when the breach is likely to result in a high risk to their rights and freedoms. DPDPA requires notification to both the Data Protection Board and every affected data principal for every personal data breach, with no risk threshold, and leaves the timelines to the Rules (the draft Rules propose intimation without delay, with a detailed report to the Board within 72 hours). GDPR exempts individual notification where the data was encrypted or otherwise rendered unintelligible; DPDPA currently provides no such exception. Both frameworks impose substantial penalties, with DPDPA penalties reaching up to ₹200 crore for notification failures. Organisations operating across both jurisdictions should build a single incident response process that satisfies the stricter requirement at each step: DPDPA's unconditional notification of every breach, and GDPR's risk assessment and supervisory-authority content requirements.

Disclaimer: The information on this page is for general informational purposes only and does not constitute legal advice. For specific guidance on DPDPA compliance, consult a qualified legal professional. Regulatory requirements may change — verify current obligations with official government sources.

Automate Your Incident Response

Detect security events in real time, assess impact with AI, and notify the Board and affected principals before deadlines expire. Let Qverlabs build your DPDPA-ready incident response system.