
India’s DPDP Act introduces mandatory data breach notification for the first time in Indian law. Prior to this legislation, there was no clear legal obligation to report data breaches to regulators or affected individuals. The CERT-In reporting requirements existed but were primarily focused on cybersecurity incidents rather than personal data breaches.
Under the new framework, every Data Fiduciary must notify both the Data Protection Board of India and each affected Data Principal when a personal data breach occurs. The obligation is unambiguous: notification must happen without delay. For the detailed report to the DPBI, the deadline is seventy-two hours from becoming aware of the breach.
What Must Be Communicated
Notifications to affected Data Principals must include a description of the breach (nature, extent, timing); the consequences likely to arise from the breach; measures the Data Fiduciary has taken or is taking to mitigate risk; safety steps the individual can take to protect their interests; and contact information for a person who can respond to queries.
The communication must be concise, clear, and delivered through the individual’s user account or any registered communication channel. This is not the place for legal jargon or corporate deflection — the Act demands plain-language transparency.
The report to the DPBI has two stages. The first, immediate notification must describe the breach’s nature, extent, timing, location, and likely impact. The second, due within seventy-two hours, must provide updated details, the circumstances and root cause, mitigation measures, findings about the responsible party, remedial actions, and a report on individual notifications sent.
Building a Breach Response Capability
Meeting the seventy-two-hour deadline requires preparation. Organisations should establish a cross-functional incident response team with clear roles and escalation paths. Deploy monitoring and detection systems that provide real-time visibility into data access and anomalies. Create pre-approved notification templates that can be quickly customised for specific incidents. Conduct regular breach simulation exercises to test readiness. Maintain comprehensive logs of data access and processing for at least one year, as required by Rule 6. Incident management platforms with automated workflows can streamline the process, enabling bulk notifications to Data Principals and the DPBI through configurable templates. The goal is to turn a chaotic emergency response into a structured, practised process.
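The preparation steps above come down to two things an engineer can encode in advance: the content each notice must carry, and the clock that starts when the organisation becomes aware of the breach. The following is an added example written for this article, not code from the Act, the DPBI or any platform. It takes the required notice contents and the seventy-two-hour window from the text above; the field names, the `{{slot}}` template syntax, the sample incident data and the timestamps are constructed assumptions for illustration.

```python
"""Readiness helpers for a two-stage breach notification (added example).

Encodes what the article says a Data Principal notice and a DPBI report must
contain, refuses to render a notice that still has gaps or unfilled template
slots, and computes the detailed-report deadline from the time of awareness.
Field names and template syntax are this example's assumptions, not the Act's.
"""
import re
from datetime import datetime, timedelta, timezone

# Content a notice to an affected Data Principal must carry (per the article).
PRINCIPAL_NOTICE_FIELDS = (
    "description",   # nature, extent and timing of the breach
    "consequences",  # consequences likely to arise from it
    "mitigation",    # measures taken or being taken to reduce risk
    "safety_steps",  # steps the individual can take to protect themselves
    "contact",       # a person who can respond to queries
)

# Content of the first, immediate report to the Board.
DPBI_INITIAL_FIELDS = ("nature", "extent", "timing", "location", "likely_impact")

# Content of the detailed report, due within 72 hours of becoming aware.
DPBI_DETAILED_FIELDS = DPBI_INITIAL_FIELDS + (
    "circumstances_and_root_cause",
    "mitigation_measures",
    "responsible_party_findings",
    "remedial_actions",
    "principal_notification_report",
)

DETAILED_REPORT_WINDOW = timedelta(hours=72)

# Unfilled template slot such as {{contact}} (assumed template syntax).
PLACEHOLDER = re.compile(r"\{\{\s*\w+\s*\}\}")


def missing_fields(record, required):
    """Return the required keys that are absent or blank in `record`."""
    return [key for key in required if not str(record.get(key, "")).strip()]


def unresolved_placeholders(text):
    """Return any template slots left unfilled in a rendered notice."""
    return sorted(set(PLACEHOLDER.findall(text)))


def render_principal_notice(template, record):
    """Fill a pre-approved template; refuse to emit a notice with gaps."""
    missing = missing_fields(record, PRINCIPAL_NOTICE_FIELDS)
    if missing:
        raise ValueError(f"notice incomplete, missing: {missing}")
    text = template
    for key, value in record.items():
        text = text.replace("{{" + key + "}}", str(value))
    left = unresolved_placeholders(text)
    if left:
        raise ValueError(f"template slots not filled: {left}")
    return text


def detailed_report_deadline(aware_at):
    """Deadline for the detailed DPBI report: 72 hours from awareness."""
    if aware_at.tzinfo is None:
        # A naive timestamp is ambiguous across time zones; insist on an aware one.
        raise ValueError("aware_at must be timezone-aware")
    return aware_at + DETAILED_REPORT_WINDOW


def hours_remaining(aware_at, now):
    """Hours left until the detailed report is due (negative when overdue)."""
    return (detailed_report_deadline(aware_at) - now) / timedelta(hours=1)


# Constructed sample data; not a real incident, template or organisation.
SAMPLE_TEMPLATE = (
    "What happened: {{description}}\n"
    "What this may mean for you: {{consequences}}\n"
    "What we are doing: {{mitigation}}\n"
    "What you can do: {{safety_steps}}\n"
    "Questions: {{contact}}\n"
)
SAMPLE_RECORD = {
    "description": "Unauthorised read access to a customer table holding names and email addresses.",
    "consequences": "You may receive phishing emails that quote your name.",
    "mitigation": "Access has been revoked and credentials rotated.",
    "safety_steps": "Treat unexpected emails asking you to log in with suspicion.",
    "contact": "privacy-desk@example.invalid (placeholder address)",
}
SAMPLE_AWARE_AT = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    print(render_principal_notice(SAMPLE_TEMPLATE, SAMPLE_RECORD))
    print("Detailed DPBI report due:", detailed_report_deadline(SAMPLE_AWARE_AT).isoformat())
    print("Initial report still missing:",
          missing_fields({"nature": "unauthorised access"}, DPBI_INITIAL_FIELDS))
```

Run as a script it prints the rendered notice and the deadline; in a real programme the same checks would gate the bulk-send step of the incident platform, so that a notice with a blank mitigation section or a leftover `{{contact}}` slot never reaches a Data Principal, and the remaining-hours figure can drive escalation as the window closes.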