For active breach incidents, write directly with subject line: Breach Response. We respond as a matter of priority.
What AMLEGALS does when a personal data breach occurs
When an organisation becomes aware of a personal data breach, the DPDPA 2023 requires notification to the Data Protection Board without undue delay — in the format and with the information prescribed by the DPDP Rules 2025. The first obligation is to determine whether the incident constitutes a notifiable breach. The second is to prepare and file the notification correctly. The third is to manage what follows: data principal notification where required, regulatory correspondence, and if the DPB initiates proceedings, regulatory defence.
For organisations also subject to GDPR, the 72-hour notification clock to the EU supervisory authority runs simultaneously and requires different documentation directed to a different regulatory body. For BFSI entities, the RBI cyber incident reporting framework, IRDAI notification requirements and SEBI obligations each carry their own timelines and formats. These obligations do not wait for each other. They run in parallel from the moment the breach is confirmed.
AMLEGALS advises organisations through the complete breach notification process — legal assessment of notifiability, preparation of DPB and parallel regulatory notifications, advice on data principal notification obligations, coordination of forensic investigation from a legal standpoint, and management of all regulatory correspondence through to resolution of any proceedings.
For foreign companies with Indian operations, AMLEGALS handles the India regulatory dimension while coordinating with home-country counsel on GDPR or other applicable obligations, ensuring that the two sets of regulatory communications are consistent with each other.
The scope of our breach response advisory
Legal Assessment of Notifiability
Determining whether the incident constitutes a notifiable breach under DPDPA, GDPR or any applicable sector regulation — and advising on the preservation of legal privilege over communications generated in the course of the response.
DPB Notification
Preparing and filing the Data Protection Board breach notification in the format prescribed by DPDP Rules 2025, within the applicable timeline, and managing subsequent DPB correspondence through to closure of the matter.
Parallel Regulatory Notifications
Where the breach triggers notification obligations to multiple regulators — GDPR supervisory authority, RBI, IRDAI, SEBI — AMLEGALS coordinates all notifications simultaneously to ensure consistency of substance and timing across every filing.
Data Principal Notification
Advising on when notification to affected data principals is required under the DPDPA and any applicable parallel obligation, drafting the notification, and reviewing it for legal accuracy before it is sent.
Forensic Investigation — Legal Coordination
Advising on the scope of the forensic investigation mandate, reviewing findings for legal implications, and ensuring that investigation outputs are prepared in a form that can be used in regulatory proceedings if required.
Regulatory Proceedings
If the DPB initiates an inquiry or enforcement action following notification, AMLEGALS manages the organisation's legal response — from the initial DPB response through any formal proceedings, including appellate proceedings before the Appellate Tribunal.
What must happen, and when, after a breach is confirmed
The DPDPA requires notification to the Data Protection Board without undue delay after the data fiduciary becomes aware of a breach. The DPDP Rules 2025 specify the information that must be included. For organisations subject to GDPR, the obligation to notify the relevant supervisory authority runs within 72 hours of becoming aware. These timelines cannot be extended. The sequence below reflects what an organised, well-advised response looks like.
Banks, NBFCs, insurers and market intermediaries face notification obligations to the RBI, IRDAI and SEBI that operate independently of the DPDPA, with their own timelines and formats. A single breach can trigger four or more simultaneous regulatory reporting obligations. AMLEGALS coordinates all of them from a single point of instruction, ensuring no notification is missed and no filing is inconsistent with another.
Preparing for a breach before it happens
The organisations that manage breach notification well are those that have documented procedures in place, tested them in advance and know who does what when an incident is confirmed. Those that have not done this work before the breach spend the first hours of the notification window on organisation rather than on the notification itself. The DPDPA does not make allowance for that.
Breach Response Protocol
A documented breach response procedure covering roles and responsibilities, the escalation chain, the point at which external legal counsel is engaged, the notification decision framework, the information gathering process for DPB notification, and the procedure for parallel regulatory notifications where applicable. The procedure is designed for the organisation's specific regulatory profile — DPDPA only, DPDPA plus GDPR, BFSI multi-regulator, or multinational — and confirmed with the relevant teams before it is needed.
Tabletop Exercise
An annual simulation run with the legal, IT, compliance, communications and senior management teams — working through a realistic breach scenario against the documented procedure. AMLEGALS designs and facilitates the exercise, assesses the team's response against what the DPDPA and applicable regulations would require, and produces a written findings report identifying gaps in the procedure or the team's execution of it.
Breach Response Retainer
A standing retainer under which AMLEGALS is engaged in advance for breach response work. The retainer ensures that when an incident occurs, instruction can be given and work can begin immediately, without the time required to agree terms and scope at the point of the incident. The retainer includes agreed response times, scope and fee arrangements, and a standing briefing on the organisation's data environment that allows AMLEGALS to advise promptly without preliminary orientation.
Security Controls Review
An annual legal review of the organisation's technical and organisational security measures against the DPDPA's requirement to implement reasonable security safeguards. The review identifies gaps, produces written recommendations, and generates documentation useful for Data Auditor engagement and for demonstrating due diligence if the organisation's security measures are ever examined in regulatory proceedings.
Contact our team
For active breach incidents, write with subject line: Breach Response. We respond as a matter of priority. For general breach preparedness enquiries, use the same address.