Data breaches in India trigger parallel notification obligations under DPDPA and CERT-In Directions. The 2023 ICMR breach affecting 82 crore individuals demonstrated catastrophic consequences of inadequate breach response. This article examines the dual reporting regime, assessment frameworks, and penalty considerations.
The Dual Notification Regime
CERT-In Directions 2022 mandate 6-hour reporting for cyber incidents affecting computer resources. DPDPA Section 8(6) requires notification to the Data Protection Board and affected data principals of personal data breaches. These are not alternative obligations—a ransomware attack compromising personal data triggers both. Failure to notify either authority constitutes separate violations.
Key Points
- CERT-In: 6 hours for cyber incidents
- DPB: 72 hours for detailed report
- Data Principals: Simultaneous notification
Breach Assessment
Not every security incident constitutes a personal data breach. Assessment criteria must distinguish confidentiality, integrity, and availability incidents. A breach occurs when personal data is accessed, disclosed, altered, or destroyed without authorisation, or where access to it is lost. Organisations must implement real-time detection capabilities and pre-approved assessment protocols so that the classification decision does not consume the notification window.
Notification Content
Draft Rules mandate detailed reports including: facts of the breach, mitigation measures implemented, findings regarding responsible parties, and communication details provided to data principals. CERT-In requires the nature of the incident, the number of affected systems, and the remediation steps taken. Pre-approved templates covering both regulatory and individual communications are essential.
Key Points
- Facts and timeline of breach
- Mitigation measures taken
- Affected data categories
- Remediation roadmap
Penalty Framework
Section 33 empowers the DPB to impose fines up to Rs. 250 crores for non-compliance, delayed reporting, or negligent handling. The Board considers harm mitigation efforts, cooperation with authorities, and data sensitivity when determining penalties. Poor documentation transforms manageable incidents into enforcement priorities.
Key Takeaways
- Establish 24/7 breach detection monitoring
- Pre-approve notification templates with legal counsel
- Create escalation matrix with contact details
- Conduct quarterly breach simulation exercises
- Test CERT-In reporting channels periodically
