
One of the most significant operational shifts introduced by India’s Digital Personal Data Protection Act, 2023 (DPDPA) is the mandatory notification requirement for personal data breaches. Unlike some global regulations that incorporate a risk-based threshold for reporting, the DPDPA currently demands the reporting of every personal data breach, regardless of its potential harm or scale, to both the Data Protection Board (DPB) and affected individuals (Data Principals).
With penalties for failing to notify reaching up to ₹200 Crore, understanding and preparing for this stringent obligation is paramount for all Data Fiduciaries. This article breaks down the DPDPA’s breach notification requirements and outlines practical steps for businesses.
What Constitutes a Personal Data Breach under DPDPA?
The definition of a “personal data breach” under the DPDPA is broad. The Act defines it as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of that personal data.
This comprehensive definition means that even seemingly minor incidents could potentially trigger notification requirements. For instance, an internal email containing employee data accidentally sent to the wrong recipient group could qualify if it compromises the confidentiality of that personal data. The absence of a harm threshold means the fact of the breach, as defined, is the trigger, not necessarily its impact.
Who Must Be Notified?
The duty to notify falls squarely on the Data Fiduciary. In the event of a personal data breach, the Data Fiduciary must notify:
- The Data Protection Board (DPB) of India
- Each affected Data Principal
This dual notification requirement underscores the DPDPA’s emphasis on both regulatory oversight and individual empowerment.
What Information Needs to Be Included?
While the DPDPA mandates notification “in such form and manner as may be prescribed,” the Draft Digital Personal Data Protection Rules, 2025 provide initial specifics on the content and timelines. It is important to remember these are draft rules and may change.
For Affected Data Principals (Promptly, “without delay”):
The notice to Data Principals should include, at a minimum:
- The nature, extent, timing, and location of the breach
- The likely consequences of the breach for them
- The measures taken or proposed by the Data Fiduciary to mitigate the risk
- The safety measures Data Principals can take to protect themselves
- The business contact information of a person within the Data Fiduciary’s organisation who can answer queries
- The manner of intimation: This should be done via their user account or other registered communication mode with the Data Fiduciary
For the Data Protection Board (DPB):
The notification to the Board is a two-stage process:
Initial Intimation (“without delay”): This should include a description of the breach, covering its nature, extent, timing, location, and the likely impact.
Detailed Report (within 72 hours of becoming aware, or longer if allowed by DPB): This report must contain:
- Updated and detailed information regarding the initial intimation
- The broad facts, circumstances, and reasons leading to the breach
- Measures implemented or proposed to mitigate risk
- Findings on the cause of the breach (if known)
- Remedial actions taken to prevent recurrence
- A report regarding the intimations given to affected Data Principals
The “No Threshold” Challenge: A Paradigm Shift
This is perhaps the most critical aspect for businesses to grasp. Many international frameworks, like the GDPR, allow for non-notification if a breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” The DPDPA, as enacted, offers no such threshold.
This “no threshold” approach implies a potentially high volume of notifications for incidents that organisations might previously have handled internally without external reporting. It necessitates robust internal processes to:
- Rapidly detect potential security incidents
- Swiftly assess if any incident meets the broad DPDPA definition of a personal data breach (i.e., compromises confidentiality, integrity, or availability)
- Trigger the notification workflow immediately if a breach is confirmed
Businesses must shift from a primarily risk-assessment model for reporting (like under GDPR) to a definition-based trigger for reporting under DPDPA.
Actionable Steps for Businesses to Prepare
Proactive preparation is essential to meet these stringent requirements:
1. Strengthen Incident Detection Capabilities
Implement or enhance monitoring capabilities (such as SIEM systems, intrusion detection systems, and access log review) so that potential security incidents or unauthorised access that could constitute a breach are identified rapidly. Under a definition-based trigger, the time to detect an incident directly eats into the time available to meet the notification deadlines.
2. Define Clear Internal Processes
- Clearly document what qualifies as a personal data breach under the DPDPA definition within your organisation’s context
- Establish an incident response team with clearly assigned roles and responsibilities for breach assessment, containment, documentation, and initiating notifications
- Develop a clear internal reporting and escalation matrix
3. Prepare Notification Templates
Draft standardised, clear, and plain language templates for both DPB reporting and Data Principal notifications now. Ensure these templates are designed to include all information required by the Act and the Draft Rules. This will save critical time when an incident occurs.
4. Verify Data Principal Contact Information
Ensure you have accurate and reliable methods to contact affected Data Principals promptly. This would typically be via their user account or registered communication mode. Regularly validate and update this information.
5. Document Everything Meticulously
Maintain detailed records of every security incident, the assessment conducted, the decision-making process regarding notification (including why an incident was or was not deemed a reportable breach), and copies of all notifications sent (including dates, times, and to whom). This documentation is crucial for demonstrating compliance to the DPB.
6. Review Data Processor Contracts
Ensure your contracts with Data Processors (vendors) clearly obligate them to report any security incidents or personal data breaches affecting your data to you immediately. This allows you sufficient time to meet your own notification duties under the DPDPA. Your contracts should also mandate their cooperation in your investigation and mitigation efforts.
Conclusion: Prepare for a New Era of Breach Reporting
The DPDPA’s mandatory breach notification requirement, particularly its current lack of a risk or harm threshold, imposes a significant compliance burden on Data Fiduciaries. Businesses must urgently shift their mindset and processes from a selective, risk-based reporting approach to one where nearly every incident that meets the Act’s definition of a breach will require notification.
Developing robust detection, assessment, and notification processes before the Act comes into full force is not just advisable – it’s essential to mitigate the substantial financial penalties (up to ₹200 Crore for this specific obligation) and the reputational risks associated with non-compliance. Early and thorough preparation will be key to navigating this new era of data breach reporting in India.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023, and the Draft DPDP Rules, which are subject to change. For advice on specific legal issues, please consult a qualified legal professional.