72 Hours: The Complete DPDPA Breach Response Playbook
Step-by-Step Legal and Operational Guide to Managing a Personal Data Breach Under India's New Law
A tactical, minute-by-minute guide to managing a data breach under DPDPA 2023. From detection through Data Protection Board notification, this playbook walks you through every critical decision point in the 72-hour window.
Time Critical
Rule 7 of the DPDP Rules, 2025 requires intimation of the Data Protection Board without delay, with full particulars within 72 hours of becoming aware of the breach; a longer period is available only if the Board allows it on a written request.
High Penalties
Failure to give notice of a breach carries a penalty of up to ₹200 crore under the Schedule to the Act; a failure of reasonable security safeguards carries up to ₹250 crore.
Comprehensive
Covers detection through closure with detailed checklists.
The Complete Playbook
Section 8(6) DPDPA requires a Data Fiduciary that suffers a personal data breach to intimate the Data Protection Board (DPB) and each affected Data Principal in the form and manner prescribed by the DPDP Rules. Rule 7 of the DPDP Rules, 2025 sets the timeline: intimate the Board without delay on becoming aware of the breach, and provide the full particulars within 72 hours of becoming aware (or within such longer period as the Board allows on a written request).
Why 72 hours matters:
Failure to give notice of a breach is penalised under the Schedule with up to ₹200 crore; where the breach also reflects a failure of reasonable security safeguards under Section 8(5), the cap is ₹250 crore.
Under Section 33(2) the Board weighs the nature, gravity and duration of the non-compliance and the action taken to mitigate it when fixing a penalty, so every day of silence worsens the assessment.
The DPB is likely to read late notification as an attempt to conceal the breach.
Data principals lose confidence if notifications arrive late, and the media narrative hardens against the entity.
The 72-hour window is NOT for completing the investigation; it is for the initial notification with the facts as known. The investigation continues after notification.
Key principle: Notify now, investigate thoroughly, and update the DPB as the investigation unfolds.
Critical Takeaways
The clock starts when the Data Fiduciary becomes aware of the breach, not when the investigation concludes. Missing the 72-hour window without the Board's permission is itself a breach of Section 8(6), capped at ₹200 crore, and the duration of the lapse is a factor the Board weighs under Section 33(2)
Notification does not require investigation completion: notify the DPB with the facts as known, supply the full particulars within 72 hours, and keep the Board updated as the investigation unfolds (any longer period needs the Board's permission on a written request)
Critical first steps: Appoint Incident Commander, assemble Incident Response Team, preserve evidence, engage external counsel for privilege, begin forensic investigation
Designate single point of contact (typically DPO) for all DPB communication to prevent fragmented or conflicting information
Post-notification work is equally critical: complete the forensic investigation, implement remediation, update the DPB, and conduct lessons learned. Intimation of each affected Data Principal is a separate Section 8(6) duty owed without delay, so it runs in parallel with Board notification rather than after it
Statutory Foundation
Section 8(6): Intimation of a Personal Data Breach to the Data Protection Board and Each Affected Data Principal
Rule 7, DPDP Rules 2025: Breach Intimation Procedure and the 72-Hour Timeline
Section 33 and the Schedule: Penalties for Non-Compliance
Section 10: Data Protection Officer of a Significant Data Fiduciary
Section 8(5): Reasonable Security Safeguards to Prevent a Personal Data Breach
Section 9: Special Protections for Children's Data
Ready for Breach Response?
Prepare your incident response protocols today. Don't wait until a breach strikes. Contact our DPO team for comprehensive breach response planning.