Breaches happen. The question is not whether you will face a breach, but whether you will respond correctly when it occurs. DPDPA gives you 72 hours to notify the Data Protection Board and affected Data Principals. That window is unforgiving. Without a documented plan, you will not meet it.
The 72-Hour Mandate
Section 8(6) and Rule 7 require notification of personal data breaches to the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware. This is not 72 business hours. Not 72 hours from containment. 72 hours from awareness. The clock starts the moment anyone in your organization knows a breach has occurred.
What Constitutes a Breach
A personal data breach is any unauthorized access, disclosure, acquisition, or loss of personal data. This includes accidental exposure, not just malicious attacks. An employee emailing a customer list to the wrong recipient is a breach. A server misconfiguration exposing a database is a breach. Your plan must address the full spectrum.
- Unauthorized access to personal data
- Unauthorized disclosure or sharing
- Accidental loss or destruction
- Data modification without authorization
- Ransomware encryption of personal data
Detection and Escalation
The plan must define how breaches are detected and escalated. Who receives initial reports. What thresholds trigger escalation. How the response team is activated. Without clear escalation paths, critical hours are lost in confusion about who should be informed and who has authority to act.
Notification Content
Rule 7 specifies what the notification must contain: nature of the breach, approximate number of Data Principals affected, possible consequences, and measures taken or proposed. The notification to Data Principals must also include actionable steps they can take to protect themselves.
Post-Breach Documentation
Every breach must be documented regardless of whether it meets notification thresholds. This documentation serves as evidence of your compliance posture and informs improvements to prevent recurrence. The plan should specify what records are created and how long they are retained.
Essential Clauses
- Breach Definition (Section 8(6)): Clear criteria for what constitutes a notifiable breach
- Detection Mechanisms (Rule 7): Technical and procedural controls for breach identification
- Escalation Matrix (Rule 7): Who is notified at what severity levels
- Response Team Composition (Rule 7): Roles and responsibilities during breach response
- Notification Templates (Rule 7): Pre-drafted communications for the Board and Data Principals
- Timeline Tracking (Section 8(6)): Mechanisms to ensure 72-hour deadline compliance
- Root Cause Analysis (Rule 7): Post-incident investigation requirements
- Remediation Tracking (Rule 7): How corrective actions are implemented and verified
Implementation Steps
1. Assemble a cross-functional breach response team
2. Define breach severity levels and escalation thresholds
3. Draft notification templates for the Board and Data Principals
4. Establish communication channels for urgent escalation
5. Implement technical detection capabilities
6. Create documentation templates for breach records
7. Conduct tabletop exercises to test the plan
8. Review and update the plan annually or after each incident
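The timeline-tracking and notification-content clauses above come down to two checks an incident lead has to make under pressure: how much of the 72-hour window is left, measured from awareness rather than containment, and whether the draft notification carries everything Rule 7 asks for. The following is an added illustration, not code from the original page or any DPDPA tooling; the `BreachRecord` class, the field names, the 24-hour warning threshold and the sample breach are all assumptions chosen to demonstrate the idea.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Window as stated on the page: 72 hours from the moment of awareness.
NOTIFICATION_WINDOW = timedelta(hours=72)

# Notification content listed on the page for Rule 7. Data Principals
# additionally receive actionable protective steps. Field names are assumed.
BOARD_FIELDS = ("nature", "approx_principals_affected",
                "possible_consequences", "measures_taken_or_proposed")
PRINCIPAL_FIELDS = BOARD_FIELDS + ("protective_steps",)

# Assumed internal escalation threshold (not from DPDPA): flag the record
# when less than a day of the window remains.
WARNING_THRESHOLD = timedelta(hours=24)


@dataclass
class BreachRecord:
    """One entry in a breach register (hypothetical structure)."""
    ref: str
    aware_at: datetime                       # when anyone in the org first knew
    contained_at: Optional[datetime] = None  # recorded, but never moves the deadline
    severity: str = "unclassified"
    notification: dict = field(default_factory=dict)
    timeline: list = field(default_factory=list)

    def __post_init__(self):
        # Refuse naive timestamps: a deadline computed from the wrong zone
        # is exactly the kind of error that costs the 72 hours.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        self.note(self.aware_at, "awareness recorded; 72-hour clock started")

    def note(self, at: datetime, event: str) -> None:
        """Append a timestamped event to the record's audit trail."""
        self.timeline.append((at.isoformat(), event))

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now) / timedelta(hours=1)

    def clock_status(self, now: datetime) -> str:
        """'on-track', 'warning' (under the assumed threshold) or 'overdue'."""
        remaining = self.deadline() - now
        if remaining <= timedelta(0):
            return "overdue"
        if remaining <= WARNING_THRESHOLD:
            return "warning"
        return "on-track"

    def missing_fields(self, audience: str) -> list:
        """Rule 7 content still absent from the draft for 'board' or 'principals'."""
        required = PRINCIPAL_FIELDS if audience == "principals" else BOARD_FIELDS
        return [f for f in required if not self.notification.get(f)]

    def ready_to_notify(self, audience: str) -> bool:
        return not self.missing_fields(audience)


if __name__ == "__main__":
    # Constructed sample: awareness at 09:00 UTC on 1 Jan, containment 30h later.
    aware = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(ref="BR-SAMPLE-001", aware_at=aware,
                       contained_at=aware + timedelta(hours=30), severity="high")
    rec.note(rec.contained_at, "affected server isolated")
    rec.notification.update(
        nature="misconfigured storage exposed a customer export",
        approx_principals_affected=1200,
        possible_consequences="contact details visible to unauthorised parties",
        measures_taken_or_proposed="access revoked; export deleted; ACL review",
    )
    now = aware + timedelta(hours=60)
    print("deadline:", rec.deadline().isoformat())
    print("hours remaining:", rec.hours_remaining(now), rec.clock_status(now))
    print("board draft complete:", rec.ready_to_notify("board"))
    print("missing for principals:", rec.missing_fields("principals"))
```

The point of keeping `contained_at` on the record but leaving it out of `deadline()` is to make the page's rule structural: nobody can accidentally restart the clock at containment, and the register still shows how long containment took for the post-breach documentation.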
Need This Document Drafted?
Understanding the requirement is the first step. Having it implemented correctly is what protects your organization. Our team drafts DPDPA-compliant documents tailored to your specific operations.