AMLEGALS
Incident Response — Section 8(6) + Rule 7

Data Breach Response Under DPDPA

When a breach hits, the clock starts immediately. Section 8(6) mandates Board notification. CERT-In requires reporting within 6 hours. Your response protocol must be pre-built, pre-tested, and legally reviewed — not improvised under pressure.

Section 8(6) | Rule 7 | CERT-In 6hr | ₹200 Cr Exposure | 6-Phase Protocol

₹200 Cr

Penalty for failure to implement reasonable security safeguards (Schedule)

₹200 Cr

Penalty for failure to notify the Board of a breach (Schedule)

6 Hours

CERT-In incident reporting deadline (runs parallel to DPDPA notification)

Incident Response Protocol

6-Phase Breach Response Timeline

From detection to post-incident review. Each phase has statutory triggers, parallel obligations, and evidence requirements.

Hour 0-1

Detection & Initial Assessment

  • Breach detected through monitoring, report, or third-party notification
  • Activate incident response team
  • Initial severity classification — scope, data types, data principals at risk
  • Begin forensic evidence preservation — do NOT remediate before preserving

Hour 1-6

Containment & CERT-In Reporting

  • Contain the breach to prevent further exposure
  • Report to CERT-In within 6 hours (mandatory under CERT-In Directions 2022)
  • Engage forensic investigators if external breach
  • Assess whether children's data or cross-border data is implicated

Hour 6-24

Scope Assessment & Legal Review

  • Complete scope assessment — data categories, volume, geographic reach
  • Legal review of notification obligations under Section 8(6) and Rule 7
  • Prepare Board notification in prescribed form
  • Draft Data Principal communication

Day 1-3

Board & Data Principal Notification

  • Submit formal notification to Data Protection Board per Rule 7
  • Notify affected Data Principals with clear, actionable information
  • If processor breach: Data Processor must notify Data Fiduciary without delay
  • Continue forensic investigation and evidence gathering

Day 3-14

Remediation & Hardening

  • Implement remediation measures to close vulnerability
  • Update security controls and access mechanisms
  • Review and update vendor/processor agreements if third-party breach
  • Conduct additional Data Principal communications if scope expands

Day 14-30

Post-Incident Review & Board Response

  • Complete comprehensive incident report
  • Submit supplementary information to Board if requested
  • Conduct root cause analysis
  • Update breach response protocol based on lessons learned
  • Prepare for potential Board inquiry under Section 27

Board Notification Requirements (Rule 7)

What to Include

  • Nature and description of the personal data breach
  • Categories and approximate number of Data Principals affected
  • Categories of personal data involved
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Measures taken to mitigate possible adverse effects
  • Contact details of the DPO or designated contact person

Critical Compliance Points

  • Notification must be in the form and manner prescribed by Rule 7
  • Processor breaches: processor must notify the Data Fiduciary without delay; Fiduciary then notifies Board
  • Data Principal notification must be clear, accessible, and actionable
  • Notification obligation is on the Data Fiduciary even if processor caused the breach
  • Parallel CERT-In reporting within 6 hours under Directions of April 2022
  • Sectoral regulators (RBI, IRDAI, SEBI) may have additional reporting requirements
  • Evidence preservation is critical — Board may conduct inquiry under Section 27

Why Pre-Built Protocols Win

Organisations that build breach response protocols before a breach occurs respond faster, preserve evidence better, and demonstrate compliance to the Board. Improvised responses under pressure lead to missed deadlines, destroyed evidence, and indefensible Board submissions.

faster response when protocols are pre-tested through tabletop simulations

Evidence

Forensic preservation before remediation is the single most critical first-hour decision

Legal Privilege

Breach response conducted under attorney-client privilege protects your organisation in Board proceedings

Build Your Breach Response Before You Need It

Tabletop simulations, notification templates, evidence preservation protocols, and Board representation — built by lawyers who understand both the statute and the courtroom.


Insights & Answers

What practitioners and boards are asking

What are the data breach notification requirements under DPDPA?

Under DPDPA Section 8(6), every Data Fiduciary must notify the Data Protection Board of India of a personal data breach in the form and manner prescribed by Rule 7 of the DPDP Rules, 2025. The notification must include the breach description, data categories, affected Data Principals, likely consequences, and remediation measures. CERT-In separately requires incident reporting within 6 hours. Failure to notify carries penalties of up to ₹200 crore under the Schedule. AMLEGALS designs pre-tested breach response protocols and provides Board representation.