72 Hours: The Complete DPDPA Breach Response Playbook
Step-by-Step Legal and Operational Guide to Managing a Personal Data Breach Under India's New Law
Executive Brief
A tactical, minute-by-minute guide to managing a data breach under DPDPA 2023. From detection through Data Protection Board notification, this playbook walks you through every critical decision point in the 72-hour window.
Part 1 of 7
The 72-Hour Breach Response Window
Section 8(6) of the DPDPA mandates that upon discovery of a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal in the manner and within the timeframe prescribed by the DPDP Rules 2025.

Why timely notification matters:
- Delays attract penalties up to ₹200 Crore under The Schedule.
- The Board views delays as evidence of systemic non-compliance.
- Data Principals lose confidence if notifications arrive late.
- The media narrative hardens against the entity.

The notification window is NOT for investigation completion — it is for initial notification with the facts as known. Investigation continues after notification.

Key principle: Notify now, investigate thoroughly, and update the Board as the investigation unfolds.
Part 2 of 7
Hour 0-1: Immediate Actions
When a breach is suspected or confirmed:

Immediate Actions (First 10 Minutes):
- Activate the Incident Commander (typically the CISO, Head of Security, or DPO).
- Convene the Incident Response Team (DPO, CISO, Legal Counsel, Communications Lead, IT Operations).
- Preserve evidence (do NOT delete logs, servers, or systems).
- Document the chain of custody.

Actions by Minute 30:
- Gather initial facts (when discovered, how many principals affected, what data was exposed, how the breach was caused).
- Assess preliminary impact (scope, sensitivity level, children's data involvement).
- Implement immediate containment if the breach is ongoing.

Actions by Hour 1:
- Notify the Board/C-Suite.
- Secure legal privilege by engaging external counsel.
- Begin the forensic investigation.
Part 3 of 7
Hour 1-24: Investigation & Scope Determination
During this window, your goal is to determine the true scope and nature of the breach.

Investigation Questions to Answer:
- What data was breached (specific fields, systems, sensitivity level)?
- How many data principals are affected (exact count or estimate)?
- How was the breach caused (external intrusion, internal leak, accidental exposure, third-party compromise)?
- When did the breach occur, and when was it discovered?
- Is the breach ongoing (has the exposure stopped)?
- Has data been exfiltrated or a ransom demanded?
- What is the harm to data principals (identity theft risk, financial risk, privacy harm)?

Parallel Track: Begin Drafting the DPB Notification. Do NOT wait for investigation completion. Begin drafting the DPB notification with the facts as known by Hour 12.
Part 4 of 7
Hour 24-48: Data Principal Notification Preparation
Once you have a reasonable understanding of the breach scope, prepare to notify data principals.

Data Principal Notification Requirements (Section 8(6) read with the DPDP Rules):
- Description of the breach
- Likely consequences
- Measures taken
- Recommended measures
- Contact information
- Identity of the DPO

Data Principal Notification Timing: the DPDPA does NOT specify a timeline, but delays longer than 7-10 days trigger DPB criticism and penalties. Best practice: notify data principals within 5-7 days of the DPB notification.

Notification Content Template: include a plain-language explanation, investigation status, likely impact (identity theft risk, financial risk, privacy impact), recommended actions (change password, monitor accounts, credit freeze), contact details for questions, and a reference number for tracking.
Part 5 of 7
Hour 48-72: DPB Notification Submission
By Hour 48, you must be ready to submit the DPB notification. You have 24 hours remaining to complete it.

DPB Notification Requirements (Rule 9, DPDP Rules 2025):
- Notifying entity details: legal name, registration, DPO contact, Incident Commander contact.
- Breach description: date discovered, how discovered, root cause, data exposed.
- Data principals affected: exact count or estimate, breakdown by data type, number of children.
- Data exposed: names, emails, phone numbers, financial, health, biometric, government IDs, other sensitive data.
- Likelihood of harm: low, medium, high.
- Probable consequences: identity theft, financial fraud, privacy harm.
- Immediate actions taken: systems secured, credentials revoked, investigation initiated.
- Investigation status: timeline, preliminary findings, expected completion.
- Data principal notification plan: when, how, what information.
- Contact information: DPO, Incident Commander, Legal counsel.

DPB Notification Timing: the Hour 72 maximum is STRICT. Every hour of delay triggers penalty escalation. Plan for submission by Hour 70 to allow final review.
Part 6 of 7
Post-Notification: Days 4-90
After the DPB notification is submitted, your work continues.

Days 4-7 (Immediately Post-Notification):
- Notify data principals by Day 5-7.
- Continue the forensic investigation.
- Brief the board on the notification submission.

Days 7-14 (Investigation Update):
- Update the DPB with investigation findings.
- Provide root cause analysis.
- Detail any newly identified affected data principals.
- Outline remediation steps.

Days 14-30 (Closure & Learning):
- Complete root cause analysis.
- Present findings to the board.
- Debrief the incident response team.

Days 30-90 (Breach Closure):
- Complete remediation implementation.
- Submit final status to the DPB.
- Archive all documentation (retain for 3+ years).

Key Documentation to Maintain: investigation report (privileged), forensic analysis, root cause analysis, remediation timeline, DPB correspondence, data principal notification records, board meeting minutes, internal incident logs.
Part 7 of 7
Breach Response Playbook: Checklist for Executives
HOUR 0 (Upon Discovery):
- Activate Incident Commander
- Convene Incident Response Team
- Preserve evidence
- Brief CXO/Board (preliminary scope)
- Notify insurance provider
- Engage external counsel
- Begin forensic investigation

HOUR 6:
- Update incident response team
- Assess preliminary scope
- Determine if breach is ongoing
- Brief board again

HOUR 12:
- Gather key facts for DPB notification
- Begin drafting DPB notification
- Assess need for external cybersecurity firm
- Prepare data principal notification template

HOUR 24:
- Update incident response team
- Review draft DPB notification
- Assess data principal notification approach
- Brief board on notification plan

HOUR 36:
- Finalize DPB notification
- Legal review
- Prepare to submit
- Brief communications team

HOUR 48:
- Review final DPB notification
- Confirm DPB contact information
- Prepare backup submission method
- Assemble all required attachments

HOUR 60:
- Final quality assurance
- Confirm submission timestamp
- Prepare for DPB follow-up questions
- Brief 24/7 contact person

HOUR 70:
- Submit DPB notification
- Begin data principal notifications
- Prepare public statement
- Brief employee-facing teams

HOUR 72 (After Submission):
- Monitor for DPB acknowledgment
- Continue forensic investigation
- Prepare follow-up communication
- Implement interim remediation

DAYS 4-7:
- Complete data principal notifications
- Finalize forensic investigation
- Update DPB
- Brief board

DAYS 7-30:
- Implement remediation
- Conduct lessons learned
- Update DPO Playbook
- Brief board

DAYS 30-90:
- Complete remediation
- Submit final status to DPB
- Close incident
- Archive documentation
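The 72-hour clock from the checklist above and the Rule 9 content list from Part 5 are easy to track mechanically. The following Python is an added example written for this page, not tooling from the playbook's authors; the section key names and the sample discovery timestamp are this example's own assumptions, and it treats naive timestamps as an error so the deadline cannot shift with local time zones.

```python
from datetime import datetime, timedelta, timezone

# Milestones from the playbook, in hours after discovery (Hour 0).
MILESTONES = (
    (1, "Brief board/C-suite, engage external counsel, begin forensics"),
    (12, "Begin drafting DPB notification with facts as known"),
    (24, "Review draft DPB notification, settle data principal approach"),
    (48, "Final review of DPB notification, assemble attachments"),
    (70, "Target: submit DPB notification"),
    (72, "Statutory maximum for DPB notification"),
)
DEADLINE_HOURS = 72

# Rule 9 content headings from Part 5; these key names are this example's own.
REQUIRED_SECTIONS = (
    "entity_details", "breach_description", "principals_affected", "data_exposed",
    "likelihood_of_harm", "probable_consequences", "immediate_actions",
    "investigation_status", "principal_notification_plan", "contact_information",
)

SAMPLE_DISCOVERY = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed sample

def _aware(ts, name):
    """Reject naive timestamps: the 72-hour clock must not shift with local zone."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(timezone.utc)

def schedule(discovered_at):
    """Absolute UTC time of each playbook milestone, keyed by hour offset."""
    t0 = _aware(discovered_at, "discovered_at")
    return {h: t0 + timedelta(hours=h) for h, _ in MILESTONES}

def clock_status(discovered_at, now):
    """Position on the 72-hour clock at `now`: elapsed, remaining, next milestone."""
    t0 = _aware(discovered_at, "discovered_at")
    elapsed = (_aware(now, "now") - t0) / timedelta(hours=1)
    pending = [m for m in MILESTONES if m[0] > elapsed]
    return {
        "hours_elapsed": round(elapsed, 2),
        "hours_remaining": round(DEADLINE_HOURS - elapsed, 2),
        "next_milestone": pending[0] if pending else None,
        "deadline_passed": elapsed > DEADLINE_HOURS,
    }

def missing_sections(notification):
    """Rule 9 sections absent or empty in a draft DPB notification."""
    return [s for s in REQUIRED_SECTIONS if not notification.get(s)]
```

Run `clock_status(discovered_at, now)` at each team update and `missing_sections(draft)` before the Hour 48 final review so an empty section is caught while there is still time to fill it.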
Key Takeaways
The 72-hour clock starts when the breach is discovered. Every hour of delay after 72 hours escalates penalty exposure dramatically.
Notification does not require investigation completion—notify DPB with facts as known, then update DPB as investigation unfolds within 7-14 days
Critical first steps: Appoint Incident Commander, assemble Incident Response Team, preserve evidence, engage external counsel for privilege, begin forensic investigation
Designate single point of contact (typically DPO) for all DPB communication to prevent fragmented or conflicting information
Post-notification is equally critical: complete forensic investigation, notify data principals, implement remediation, update DPB, conduct lessons learned
Statutory References
Section 8(6): Breach Notification to Data Protection Board and Data Principals
DPDP Rules 2025: Breach Notification Procedure and Format
Section 33 read with The Schedule: Penalties — up to ₹200 Crore for Notification Failures
Section 10: DPO Role in Breach Response (for Significant Data Fiduciaries)
Section 8(5): Reasonable Security Safeguards
Section 9: Special Protections for Children's Data Breaches