
DPDP Breach Notification: 72-Hour Response Guide for Indian Businesses
Learn DPDP breach notification rules, 72-hour reporting, affected user intimation, CERT-In overlap, and response steps for Indian businesses.
DPDP breach notification is now one of the most important compliance requirements for Indian businesses handling personal data. Under the Digital Personal Data Protection Rules, 2025, a Data Fiduciary must inform affected Data Principals and the Data Protection Board when a personal data breach occurs. The Rules also require updated and detailed information to be submitted to the Board within 72 hours of becoming aware of the breach.
For businesses, this means breach response cannot be treated as only an IT issue. It must involve privacy, legal, compliance, cybersecurity, vendor management, customer support, and leadership teams.
What is DPDP breach notification?
DPDP breach notification means informing the right stakeholders when personal data is compromised. Under the DPDP Act, a personal data breach covers any unauthorised processing of personal data, and any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, where that compromises its confidentiality, integrity, or availability. In practice this includes unauthorized access, disclosure, sharing, alteration, loss, deletion, or unavailability of personal data.
A breach can happen through hacking, ransomware, employee error, vendor failure, exposed databases, misconfigured cloud storage, weak access controls, or accidental email sharing. The key question is simple: Was personal data affected? If yes, the DPDP breach notification process should begin.
Why is breach notification important under DPDP?
Breach notification matters because it protects individuals and shows regulatory accountability. When users are informed quickly, they can take steps such as changing passwords, monitoring accounts, blocking cards, or reporting suspicious activity.
For organizations, timely notification shows that the business has a structured privacy and security response. The Government’s DPDP Rules summary also highlights that failure to notify the Board or affected individuals of a personal data breach can attract penalties of up to ₹200 crore.
This makes breach notification a board-level compliance risk, not just a technical task.
Who is responsible for reporting a DPDP breach?
The main responsibility sits with the Data Fiduciary. A Data Fiduciary is the organization that decides why and how personal data is processed.
This may include banks, NBFCs, hospitals, SaaS companies, e-commerce platforms, insurance companies, fintech firms, educational institutions, employers, and any business collecting digital personal data.
Even if the breach happens through a vendor or Data Processor, responsibility for compliance stays with the Data Fiduciary under the DPDP Act. The Data Fiduciary should therefore be ready to assess the impact, notify affected users, inform the Board, and maintain evidence of its response, and its processor contracts should require prompt breach reporting back to the Data Fiduciary.
What is the 72-hour DPDP breach notification rule?
The 72-hour rule means that after becoming aware of a personal data breach, the Data Fiduciary must provide updated and detailed information to the Data Protection Board within 72 hours, unless the Board allows a longer period on a written request.
This does not mean businesses should wait for 72 hours. The Rules require an initial intimation to the Board, and to affected Data Principals, without delay on becoming aware of the breach. The first message should be based on known facts; the detailed report due within 72 hours then adds further findings, cause analysis, mitigation steps, and corrective actions. Record the time of becoming aware, because that is when the 72-hour clock starts.
What should be included in the Board notification?
A good notification to the Data Protection Board should be clear, factual, and evidence-based. It should include:
- Nature and extent of the breach
- Time and location of the incident
- Type of personal data affected
- Number of affected Data Principals, if known
- Likely impact on individuals
- Immediate containment steps
- Measures taken or proposed to reduce risk
- Root cause, if known
- Remedial actions to prevent recurrence
- Report on communication sent to affected users
The goal is to show that the organization identified the issue, assessed the impact, acted quickly, and documented its response.
What should affected Data Principals be told?
Affected users should be informed in simple, clear, and plain language. The communication should not sound like a long legal notice.
A good user notification should explain:
- What happened
- What personal data was affected
- What risk the user may face
- What steps the organization has taken
- What safety steps the user should take
- Whom to contact for support
The DPDP Rules require affected individuals to be informed without delay through their user account or registered communication method. The intimation should include the nature, extent, timing, possible consequences, mitigation steps, safety measures, and contact details.
DPDP and CERT-In: Do businesses need to report to both?
In many cases, yes. DPDP breach notification and CERT-In reporting serve different purposes.
DPDP focuses on personal data, Data Principal rights, and privacy compliance. CERT-In focuses on cybersecurity incidents. CERT-In's cyber security directions of April 2022 require specified cyber incidents to be reported to CERT-In within 6 hours of noticing the incident or being brought to notice of it.
If a cyber incident also involves personal data, the business may need to report to CERT-In and also follow DPDP breach notification requirements. The two clocks run independently and start from different events: 6 hours from noticing the incident for CERT-In, 72 hours from becoming aware of the personal data breach for the detailed DPDP report. The CERT-In window usually closes long before the DPDP detailed report is due.
72-hour DPDP breach response plan
0–6 hours: Detect and contain
The first step is to confirm whether personal data is involved. Security teams should contain the incident, preserve logs and other evidence before they are rotated or overwritten, disable compromised access, and record both the time the incident was noticed and the time the organization became aware that personal data was affected, since the CERT-In and DPDP clocks start from those different events.
At this stage, the team should also check whether CERT-In reporting is triggered.
6–24 hours: Assess impact
The organization should identify what data was affected, how many users may be impacted, whether the breach is ongoing, and whether any vendor or processor was involved.
This stage should answer: What happened, who is affected, what risk exists, and what immediate action is required?
24–48 hours: Prepare notifications
The privacy, legal, compliance, and security teams should prepare the Board notification and the affected user communication.
The Board notification should be detailed. The user notification should be short, clear, and action-oriented.
48–72 hours: Submit and document
Before the 72-hour window closes, the organization should complete the detailed Board submission and maintain records of every action taken.
Documentation should include incident timeline, approvals, technical findings, notification copies, user communication proof, vendor records, and remediation actions.
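The plan above is easier to run under pressure when the clocks and checklists are tracked by a tool rather than in someone's head. The following is an added worked example, not code from the original article or from any regulator: a small breach-response clock that computes the CERT-In and DPDP deadlines from timezone-aware timestamps, reports what is overdue at a given moment, maps elapsed time onto the four phases of the plan, and checks a draft notification against the items listed earlier for the Board report and the Data Principal intimation. It assumes, as the article describes, that the CERT-In 6-hour clock starts when the incident was noticed and the DPDP 72-hour clock when the Data Fiduciary became aware that personal data was involved; a Board-allowed extension is modelled simply as extra hours on the 72-hour window, and the field names are illustrative labels, not anything prescribed by the Rules.

```python
"""Added worked example (not code from the original article): a breach-response
clock and notification checklist for the 72-hour DPDP plan.

Assumptions, not taken from the page: the CERT-In 6h clock starts when the
incident was noticed and the DPDP 72h clock when the Data Fiduciary became
aware that personal data was involved; a Board-allowed extension is modelled
as extra hours added to the 72h window; field names are hypothetical labels.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Items the article lists for the detailed Board notification (hypothetical field names).
BOARD_REPORT_FIELDS = (
    "nature_and_extent", "time_and_location", "data_types_affected",
    "affected_principals_count", "likely_impact", "containment_steps",
    "risk_reduction_measures", "root_cause", "remedial_actions",
    "user_communication_report",
)

# Items the article lists for the Data Principal intimation (hypothetical field names).
USER_NOTICE_FIELDS = (
    "what_happened", "data_affected", "user_risk", "steps_taken",
    "user_safety_steps", "contact",
)

# (upper bound in hours since awareness, phase label) from the plan above.
PHASES = (
    (6, "0-6h: detect and contain"),
    (24, "6-24h: assess impact"),
    (48, "24-48h: prepare notifications"),
    (72, "48-72h: submit and document"),
)


@dataclass
class BreachClock:
    noticed_at: datetime            # incident noticed (starts the CERT-In 6h clock)
    aware_at: datetime              # personal data confirmed involved (starts the DPDP 72h clock)
    personal_data_involved: bool
    certin_reportable: bool
    board_extension_hours: int = 0  # longer period allowed by the Board on written request (assumed model)

    def __post_init__(self):
        # Naive datetimes silently compare wrong across IST/UTC; refuse them.
        for name in ("noticed_at", "aware_at"):
            if getattr(self, name).tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    def deadlines(self) -> dict:
        """Applicable reporting deadlines keyed by regime; a regime is absent if not triggered."""
        out = {}
        if self.certin_reportable:
            out["certin_6h"] = self.noticed_at + timedelta(hours=6)
        if self.personal_data_involved:
            window = timedelta(hours=72 + self.board_extension_hours)
            out["dpdp_detailed_72h"] = self.aware_at + window
        return out

    def hours_remaining(self, key: str, now: datetime) -> float:
        """Hours left until the named deadline (negative once it has passed)."""
        return (self.deadlines()[key] - now) / timedelta(hours=1)

    def overdue(self, now: datetime) -> list:
        """Regimes whose deadline has already passed at `now` (any timezone)."""
        return sorted(k for k, d in self.deadlines().items() if now > d)

    def plan_phase(self, now: datetime) -> str:
        """Which phase of the 72-hour plan the team should be in at `now`."""
        elapsed = (now - self.aware_at) / timedelta(hours=1)
        if elapsed < 0:
            return "not yet aware"
        for upper, label in PHASES:
            if elapsed < upper:
                return label
        if elapsed < 72 + self.board_extension_hours:
            return "72h+: within Board-allowed extension, submit and document"
        return "detailed Board submission overdue"


def missing_fields(record: dict, required: tuple) -> list:
    """Required items that are absent or blank in a draft notification."""
    return [f for f in required if not str(record.get(f, "")).strip()]


if __name__ == "__main__":
    # Constructed sample timeline, not a real incident.
    clk = BreachClock(
        noticed_at=datetime(2025, 3, 1, 9, 0, tzinfo=IST),
        aware_at=datetime(2025, 3, 1, 11, 30, tzinfo=IST),
        personal_data_involved=True,
        certin_reportable=True,
    )
    now = datetime(2025, 3, 1, 16, 0, tzinfo=IST)
    print(clk.deadlines())
    print("overdue:", clk.overdue(now), "| phase:", clk.plan_phase(now))
    draft = {"nature_and_extent": "Exposed object store", "root_cause": ""}
    print("Board report still missing:", missing_fields(draft, BOARD_REPORT_FIELDS))
```

Two design points matter in practice. First, the clock refuses naive timestamps: a detection time logged in UTC by a SIEM and an awareness time noted in IST by the privacy team will otherwise compare incorrectly by five and a half hours, which is enough to miss the CERT-In window. Second, the checklist treats a blank field as missing, so a template copied with empty placeholders does not pass as complete.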
Common mistakes businesses should avoid
Many companies fail breach notification because they are not operationally ready. Common mistakes include:
- Waiting for complete forensic certainty before escalation
- Not defining who owns breach notification
- Treating privacy and cybersecurity reporting separately
- Not preserving logs and evidence
- Not having vendor breach clauses
- Sending vague user communication
- Missing CERT-In reporting requirements
- Not documenting internal decisions
A breach notification process should be tested before an actual breach happens.
How can businesses prepare for DPDP breach notification?
Businesses should prepare a practical breach response framework that includes:
- Personal data inventory
- Breach classification matrix
- Internal escalation workflow
- Board notification template
- Data Principal notification template
- CERT-In reporting checklist
- Vendor breach reporting clause
- DPO or privacy contact details
- Evidence preservation process
- Post-breach review checklist
This preparation helps teams respond faster, reduce confusion, and prove accountability.
Conclusion
DPDP breach notification is not just about reporting a data breach. It is about protecting individuals, responding quickly, and proving that your organization has control over personal data risks.
Indian businesses should build a clear breach response workflow before an incident happens. The first 72 hours are critical. Organizations that can detect, assess, notify, document, and remediate quickly will be better prepared for DPDP compliance and customer trust.