The Breach Response Imperative
Section 8(6) establishes a dual notification obligation: intimation to the Data Protection Board of India and to each affected Data Principal. Rule 7 prescribes the manner and content of this intimation. The phrase "without undue delay" sets an ambiguous but urgent standard that organisations must operationalise through pre-established protocols.
The breach notification regime intersects with the CERT-In Directions 2022, which mandate 6-hour reporting for cyber incidents. Organisations must maintain parallel notification pathways: one to CERT-In for cyber security incidents and another to DPBI for personal data breaches. Classifying an incident as both a cyber incident and a personal data breach triggers concurrent obligations on both pathways.
Delayed notification constitutes an independent violation carrying separate penalties under The Schedule. Organisations cannot await complete forensic analysis before notification. The statutory expectation is prompt intimation with subsequent updates as investigation progresses.
Key Provisions
Dual Notification Obligation
Data Fiduciaries must notify both the Data Protection Board and each affected Data Principal. The dual obligation ensures regulatory oversight and individual awareness concurrently.
Notification Content
Intimation must include: nature and extent of breach, personal data categories affected, likely consequences, remedial measures undertaken, and contact information for further queries.
Timing Standard
Notification must be "without undue delay." This standard requires organisations to notify promptly upon becoming aware of a breach, not upon completing investigation.
Processor Notification
Data Processors must notify Data Fiduciaries of breaches occurring in their processing environment, enabling the Fiduciary to fulfil notification obligations.
Incident Response Architecture
Pre-drafted notification templates reduce response time. Templates must be customisable for breach-specific details while maintaining statutory content requirements.
Escalation matrices must define authority for breach classification and notification decisions. Delays in internal escalation translate to notification delays.
Data Principal notification at scale requires infrastructure for mass communication with personalisation capability.
Forensic investigation and notification must proceed in parallel. Organisations cannot defer notification pending investigation completion.
Post-breach remediation documentation supports regulatory engagement and demonstrates good faith compliance efforts.
Implementation Challenges
Breach Detection Latency
Practice Note: Many breaches remain undetected for extended periods. Organisations must invest in detection capabilities to minimise the gap between occurrence and awareness, because the moment of awareness, not the moment of occurrence, starts the notification clock.
Affected Principal Identification
Practice Note: Determining which Data Principals are affected requires data mapping and forensic analysis. The tension between thoroughness and speed must be managed through staged notification approaches.
Multi-Regulator Coordination
Practice Note: Breaches may trigger CERT-In, DPBI, and sector regulator notifications. Coordination mechanisms must ensure consistent messaging while meeting different reporting requirements.
VIBE Framework Application
Verification
Conduct tabletop exercises simulating breach scenarios. Audit notification templates against Rule 7 content requirements.
Implementation
Establish 24x7 incident response teams with defined escalation paths. Deploy mass notification systems with Data Principal contact databases.
Benchmarking
Measure time from detection to notification, affected principal coverage rate, and regulatory response outcomes.
Enforcement
Implement automated breach classification triggers. Establish mandatory notification review checkpoints before external communication.
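The following is an added example, not part of the original guidance and not a tool from any regulator: a small Python model of the incident response architecture described above. It implements the automated classification trigger that opens the parallel CERT-In and DPBI/Data Principal pathways, assembles the Rule 7 intimation content from the field list given under Notification Content, blocks an outgoing notice at a review checkpoint if a mandatory field is missing, supports staged updates so forensics and notification proceed in parallel, and computes the detection-to-notification benchmark. The incident record, timestamps, contact address and stage mechanism are constructed assumptions for illustration; only the 6-hour CERT-In window and the Rule 7 content fields come from the text.

```python
"""Breach-notification workflow (constructed example, not the Rules' own text).

Dual pathway from the page: a cyber incident is reported to CERT-In within the
6-hour window of the CERT-In Directions 2022; a personal data breach is intimated
to the Data Protection Board of India and to each affected Data Principal
"without undue delay" (Section 8(6), Rule 7). Incident details, timestamps and
the staged-update mechanism are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Pathway(Enum):
    CERT_IN = "CERT-In"
    DPBI = "Data Protection Board of India"
    DATA_PRINCIPALS = "affected Data Principals"


CERT_IN_WINDOW = timedelta(hours=6)  # reporting window stated on the page


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime            # moment of awareness; starts the clock
    is_cyber_incident: bool          # e.g. intrusion, malware, denial of service
    personal_data_affected: bool     # personal data of Data Principals involved
    nature_and_extent: str = ""
    data_categories: list = field(default_factory=list)
    likely_consequences: str = ""
    remedial_measures: list = field(default_factory=list)
    affected_principals: list = field(default_factory=list)  # identified so far


def classify_pathways(incident):
    """Automated classification trigger: decide which notification pathways
    the incident opens. Both flags set means concurrent obligations."""
    pathways = set()
    if incident.is_cyber_incident:
        pathways.add(Pathway.CERT_IN)
    if incident.personal_data_affected:
        pathways.update({Pathway.DPBI, Pathway.DATA_PRINCIPALS})
    return pathways


def rule7_intimation(incident, contact, stage=1):
    """Assemble the intimation content (Rule 7 field list from the page).
    Mandatory fields must be present even for a first, staged notice; the
    affected-principal list may still be partial and is reissued in later
    stages as forensic analysis progresses."""
    content = {
        "nature_and_extent": incident.nature_and_extent,
        "data_categories": incident.data_categories,
        "likely_consequences": incident.likely_consequences,
        "remedial_measures": incident.remedial_measures,
        "contact": contact,
    }
    missing = [k for k, v in content.items() if not v]
    if missing:  # review checkpoint before any external communication
        raise ValueError(f"intimation blocked: missing {missing}")
    content["incident_id"] = incident.incident_id
    content["stage"] = stage
    content["affected_principals_identified"] = len(incident.affected_principals)
    return content


def hours_to_notification(incident, notified_at):
    """Benchmarking metric: detection-to-notification time in hours."""
    return (notified_at - incident.detected_at).total_seconds() / 3600


def cert_in_window_met(incident, notified_at):
    """True if the CERT-In report went out inside the 6-hour window."""
    return notified_at - incident.detected_at <= CERT_IN_WINDOW


def sample_incident():
    """Constructed incident: a compromised web server that also exposed
    customer records, so both pathways apply."""
    return Incident(
        incident_id="INC-EXAMPLE-001",
        detected_at=datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc),
        is_cyber_incident=True,
        personal_data_affected=True,
        nature_and_extent="Unauthorised access to customer database via web server",
        data_categories=["name", "email", "phone"],
        likely_consequences="Phishing and identity misuse risk",
        remedial_measures=["credentials rotated", "server isolated"],
        affected_principals=["DP-001", "DP-002"],
    )


if __name__ == "__main__":
    inc = sample_incident()
    notified = inc.detected_at + timedelta(hours=5)
    print(sorted(p.value for p in classify_pathways(inc)))
    print(rule7_intimation(inc, "privacy-office@example.com"))
    print(hours_to_notification(inc, notified), cert_in_window_met(inc, notified))
```

The design point is that classification and content assembly are separate steps: the trigger decides who must be told as soon as the incident is flagged, while the checkpoint in `rule7_intimation` refuses to release a notice that lacks a statutory field, without waiting for the affected-principal list to be complete. Later stages reissue the intimation with an updated count as the investigation progresses.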