Data Breach Notification Timeline

72-hour notification mandate with the CERT-In 6-hour requirement visualised

24 January 2026

Executive Summary

India's breach notification framework creates parallel obligations under DPDPA and the CERT-In Directions, requiring organisations to maintain dual-track response protocols.

Data Breach Notification Timeline — AMLEGALS DPDPA Visual Guide Series

1. The Dual Notification Mandate

Section 8(6) of DPDPA requires Data Fiduciaries to notify both the Data Protection Board and affected Data Principals within 72 hours of becoming aware of a personal data breach. Notice that the clock starts when you become aware of the breach, not when the breach actually occurred. This distinction matters a lot operationally.

Separately, the CERT-In Directions under the IT Act require reporting cyber security incidents within just 6 hours. These two obligations work together, not as alternatives. Organisations need parallel notification systems for both.

Since the 6-hour CERT-In requirement is stricter, it effectively becomes your operational benchmark. However, the information you need to provide differs quite a bit between the two frameworks, so you cannot simply copy one report for the other.

2. Operationalising Breach Response

Effective breach response under this dual framework needs pre-established incident response protocols. You need clear escalation pathways and designated people responsible for notifications.

The 72-hour window creates pressure for rapid assessment of breach scope, identification of affected Data Principals, and impact evaluation. These activities typically need forensic investigation that takes longer than 72 hours. Organisations therefore need a tiered notification approach: send an initial notification acknowledging the breach and its preliminary scope, then follow up with supplementary notifications as the investigation reveals more details.

The Rules specify what your notification must include: breach nature, likely consequences, and remedial measures taken. Failing to notify within the prescribed timelines attracts penalties up to Rs 200 Crore. This makes breach response capability essential for compliance, not just a nice-to-have operational feature.

Key Takeaways

  1. 72-hour notification to DPB and affected Data Principals
  2. 6-hour CERT-In notification for cyber security incidents
  3. Both obligations operate cumulatively
  4. Timeline commences from awareness, not occurrence
  5. Penalties up to Rs 200 Crore for notification failures