Executive Summary
A personal data breach triggers notification obligations under Section 8(6) of the DPDPA. The practical reality of breach response demands preparation long before any incident occurs. This guide addresses the technical, procedural, and communication aspects of breach response that enable timely and effective notification.
Key Takeaways
1. Pre-establish incident response teams, procedures, and communication templates
2. Implement detection capabilities that identify breaches promptly
3. Document all response actions contemporaneously for regulatory demonstration
4. Notify the Data Protection Board within prescribed timelines with required particulars
5. Consider Data Principal notification where the breach poses significant risk
1. Understanding Breach Notification Obligations
Section 8(6) requires Data Fiduciaries to inform the Data Protection Board and affected Data Principals of any personal data breach. The Rules prescribe the form and manner of notification. The clock starts when the organisation becomes aware of the breach, making detection capabilities as important as response procedures.
2. Establishing the Incident Response Team
Effective breach response requires coordinated action across multiple functions. Establish the team and define roles before any incident occurs.
Identify Team Members
Include representatives from IT security, legal, communications, customer service, and senior management. Define primary and backup contacts for each function.
Define Roles and Responsibilities
Specify who leads the response, who handles technical containment, who manages legal assessment, who coordinates communications, and who liaises with regulators.
Establish Escalation Paths
Define criteria for escalating incidents to senior leadership and the board. Not all incidents require board involvement, but significant breaches demand executive attention.
Conduct Regular Training
Run tabletop exercises simulating breach scenarios. Practice improves response speed and quality when real incidents occur.
3. Detecting Breaches
You cannot respond to what you do not know about. Detection capabilities directly impact notification timeliness.
Technical Monitoring
Deploy intrusion detection systems, security information and event management platforms, and data loss prevention tools. Configure alerting for suspicious activities.
Log Analysis
Maintain comprehensive logs and conduct regular analysis for anomalies that might indicate unauthorised access.
Employee Reporting
Train employees to recognise and report potential incidents. Suspicious emails, unexpected system behaviour, and customer reports of fraud may indicate breaches.
Third-Party Notifications
Establish procedures for receiving and acting on breach notifications from processors and partners. Contractual provisions should require prompt notification.
4. Initial Response and Containment
Once a potential breach is identified, immediate actions focus on limiting damage while preserving evidence.
Activate the Incident Response Team
Notify team members and establish a command structure. Begin logging all actions with timestamps.
Assess the Situation
Determine what happened, what systems are affected, what data may be compromised, and whether the incident is ongoing.
Contain the Breach
Take immediate steps to stop ongoing unauthorised access. This may include isolating affected systems, revoking compromised credentials, or blocking malicious IP addresses.
Preserve Evidence
Capture forensic images of affected systems before remediation. Evidence preservation is essential for investigation and may be required for regulatory proceedings.
Important Warnings
- Hasty containment actions can destroy evidence. Coordinate containment with forensic requirements.
- Do not assume the breach is contained without verification. Attackers often maintain persistent access.
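The contemporaneous action log and evidence preservation steps above can be backed by a tamper-evident record. This is an added example, not code from the guide; the class name, field names and the sample incident id are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path, chunk=1 << 20):
    """Hash a forensic image in chunks so large files never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class IncidentActionLog:
    """Append-only, hash-chained action record (assumed design); edits break the chain."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so identical content always produces the same hash
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, evidence_sha256=None):
        # Every action is stamped in UTC at the moment it is recorded
        entry = {
            "incident_id": self.incident_id,
            "seq": len(self.entries),
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": evidence_sha256,  # hash of a preserved image, if any
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True if every entry's own hash and its link to the previous entry hold."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Record the SHA-256 of each forensic image at capture time so the log ties every containment step to the evidence it preserved; store the log and images on media the responders cannot silently rewrite.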
5. Assessing Notification Requirements
Not every security incident triggers notification obligations. Assess whether the incident constitutes a personal data breach and what notification is required.
Identify Affected Data
Determine what personal data was or may have been accessed, acquired, disclosed, or destroyed. Consider both confirmed and potential exposure.
Assess Impact
Evaluate the likely consequences for affected Data Principals. Consider the nature of the data, the number of individuals affected, and the circumstances of the breach.
Document the Assessment
Record the analysis supporting notification decisions. If notification is not required, document the justification.
6. Notifying the Data Protection Board
Notification to the Board must be made in the prescribed form and within the required timelines.
Prepare the Notification
Include the nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken or proposed to address the breach.
Submit Within Timelines
Submit the notification within the prescribed period. If full details are not yet available, provide initial notification with commitment to supplement.
Maintain Communication
Respond promptly to any Board inquiries. Be prepared to provide additional information as the investigation progresses.
7. Notifying Affected Data Principals
Where the breach is likely to result in significant harm to Data Principals, direct notification enables them to take protective measures.
Determine Notification Scope
Identify which Data Principals must be notified based on breach impact assessment.
Prepare Clear Communication
Explain what happened, what data was affected, what the organisation is doing, and what steps the individual should take. Avoid technical jargon and legal disclaimers that obscure the message.
Select Appropriate Channels
Use reliable contact methods. For large-scale breaches, multiple channels may be necessary, including email, postal mail, and public announcement.
Provide Support Resources
Offer assistance such as credit monitoring, identity protection services, or dedicated support channels where appropriate to the breach type.
8. Post-Incident Activities
After the immediate response, conduct a thorough review to improve future preparedness.
Root Cause Analysis
Determine how the breach occurred and why existing controls failed to prevent or detect it.
Remediation Implementation
Address identified vulnerabilities and control gaps. Verify remediation effectiveness.
Process Improvement
Update incident response procedures based on lessons learned. Revise training materials and conduct refresher exercises.
Documentation Retention
Maintain comprehensive records of the incident and response for regulatory compliance and potential litigation defence.