21 June 2026·9 min read·compliance

DPDP Act Data Breach Notification: India 72-Hour Guide

DPDP Act 2023 requires breach notification to India's Data Protection Board and affected users. Here's what to do and fully document in the first 72 hours.

Bachao.AI Research Team

Cybersecurity Research

See if your business is DPDP Act compliant

Free scan · No credit card required

Check DPDP Compliance

Compliance risk for Indian SMBs

Non-compliance with the DPDP Act 2023 carries penalties up to ₹250 crore. This post explains what's at stake and what action to take.

Bachao.AI Research Team

Cybersecurity Research

AI-powered security research and threat intelligence from the Bachao.AI team. Covering the latest vulnerabilities, CVEs, and cybersecurity developments affecting Indian businesses.

Get cybersecurity insights for Indian SMBs

Weekly vulnerability alerts, DPDP compliance tips, and security guides. No spam — unsubscribe anytime.

We respect your privacy. Your email is never shared.

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.

Run a free VAPT scan and get your risk score in minutes — no credit card required.

Book Your Free Scan

Under the Digital Personal Data Protection Act 2023, Indian companies that experience a personal data breach must notify the Data Protection Board of India and each affected Data Principal without delay. The Act does not prescribe a fixed 72-hour window for the Board notification — the Rules (once notified) will specify the timeline — but CERT-In's separate directive already mandates reporting cybersecurity incidents within six hours. In practice, your first 72 hours after breach detection are the most consequential: the decisions you make (and document) during this window determine legal exposure, regulatory penalty, and reputational outcome.

This guide walks compliance leads, CTOs, and founders through the obligations, the assessment logic, the documentation requirements, and the overlap with CERT-In's faster-moving reporting mandate.

72%Organizations that contained breaches faster when they had an IR plan (IBM Cost of a Data Breach 2024)

74 daysAverage time to identify + contain a breach globally (IBM Cost of a Data Breach 2024)

6 hoursCERT-In mandatory reporting window for cybersecurity incidents (CERT-In Directions 2022)

What Counts as a Personal Data Breach Under DPDP Act 2023

The DPDP Act 2023 defines a personal data breach as any unauthorized processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. Critically, the Act's scope is personal data processed in digital form — or data collected offline but subsequently digitised.

Not every IT incident qualifies. A server going down, a misconfigured dashboard that exposed no actual data, or an internal access to data within approved purpose — none of these automatically triggers the breach-notification obligation. What matters is whether personal data was exposed or could have been accessed by an unauthorized party.

Key indicators that you have a notifiable breach:

Credentials or identity records of customers, employees, or users were accessed without authorization
Ransomware encrypted or exfiltrated records containing personal data
An employee shared a customer database with an external party without approval
A third-party vendor suffered a breach that included your data you shared with them
An API or web application exposed personal data fields to unauthenticated requests

⚠️

WARNING

Uncertainty is not a reason to delay — it is a reason to start documenting. If you cannot rule out unauthorized access to personal data within the first few hours, treat it as a potential breach and begin your notification preparation in parallel with investigation.

The Two Notification Obligations: DPDP Board vs. CERT-In

Indian companies face two distinct reporting obligations that can run simultaneously after a breach. Understanding which is which prevents dangerous confusion.

Obligation	Recipient	Timeline	Authority
CERT-In Cybersecurity Incident Report	Indian Computer Emergency Response Team	6 hours from detection	IT Act, 2000 (CERT-In Directions April 2022)
DPDP Act Breach Notification	Data Protection Board of India	As prescribed by Rules (under development)	Digital Personal Data Protection Act, 2023
Affected Data Principals Notification	Each individual whose data was breached	Without undue delay (alongside or after Board notification)	DPDP Act, 2023 Section 8(6)

The CERT-In 6-hour window applies to a defined list of incident types — ransomware, data breaches, unauthorized access, website defacements — and is already in force. The DPDP Act notification timeline to the Data Protection Board will be specified in subordinate Rules that the Ministry of Electronics and Information Technology (MeitY) is developing. Companies should structure their internal processes to meet the faster CERT-In window as the floor, while preparing Data Principal notifications in parallel.

Source references: CERT-In Directions April 2022 | MeitY DPDP Act resources

🚨

DANGER

Missing the CERT-In 6-hour deadline is a live enforcement risk today — penalties under the IT Act apply. Do not wait for DPDP Rules to be finalized before building your incident reporting workflow.

Breach Detection to Notification: Decision Flow

graph TD
    A[Breach Detected or Suspected] --> B{Personal data involved?}
    B -->|No| C[IT Incident Only — internal IR process]
    B -->|Yes| D{Unauthorized access confirmed or cannot be ruled out?}
    D -->|Cannot rule out| E[Treat as notifiable — begin documentation]
    D -->|Confirmed breach| E
    D -->|Ruled out| F[Document findings and close]
    E --> G{CERT-In reportable incident type?}
    G -->|Yes| H[File CERT-In report within 6 hours]
    G -->|No or unclear| I[Escalate to legal counsel]
    H --> J[Assess scope — number of Data Principals affected]
    I --> J
    J --> K[Prepare Data Protection Board notification]
    K --> L[Notify affected Data Principals without undue delay]
    L --> M[Preserve all evidence and IR logs]
    M --> N[Remediate and post-incident review]

    style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style F fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style I fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style L fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style M fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style N fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

What to Document From Hour Zero

Regulators and courts look at two things after a breach: what happened, and what you did about it. Your documentation during the first 72 hours is your evidence trail. Poor documentation has cost companies far more in regulatory scrutiny than the breach itself.

Immediate documentation (within first 6 hours)

Detection timestamp — exact date and time when the breach was first identified, and by whom
Initial indicators — alert, log anomaly, external report, or other trigger
Systems involved — which servers, databases, applications, or third-party services
Likely data categories — names, contact details, financial data, health data, government IDs
Estimated number of Data Principals — even a rough range is better than nothing
Containment actions taken — credentials rotated, system isolated, access revoked

Ongoing documentation (hours 6–72)

Forensic investigation log — timestamped entries of every finding, hypothesis tested, and conclusion
Chain of custody for disk images, log files, and memory captures
Communications log — every internal and external communication related to the breach, with timestamps
Notification drafts — preserve each draft of the Board notification and Data Principal notices, with revision history
Remediation decisions — what was patched, reconfigured, or shut down, and when

💡

TIP

Store your breach documentation in write-once storage or a tamper-evident log. A Google Doc that anyone can edit — or a Slack thread that can be deleted — is not adequate evidence for a regulatory inquiry. Use your SIEM, a dedicated incident management system, or an immutable S3 bucket.

Notifying Affected Data Principals

The DPDP Act places an explicit obligation on Data Fiduciaries (companies that collect and process personal data) to inform each affected Data Principal about the breach. The notification must cover:

The nature of the personal data involved
The steps the Data Principal can take to protect themselves
The safeguards the company has applied or is applying
Contact information for the company's point of contact for breach-related queries

The Act does not prescribe a single mandated notification channel — but the practical standard is direct communication: email to the registered address, SMS to registered mobile, in-app notification if the product has one. Generic website announcements do not satisfy the individual-notification requirement.

ℹ️

INFO

If the breach involves a large number of Data Principals and direct notification would be disproportionately expensive or technically infeasible, the Draft DPDP Rules under development may permit alternative modes of notification. Watch MeitY's official updates at meity.gov.in for finalized Rules.

Breach Response Timeline: Where Most Incidents Fall Apart

xychart-beta
    title "Typical Breach Response: Hours Elapsed vs Actions Completed"
    x-axis ["Hour 1", "Hour 6", "Hour 24", "Hour 48", "Hour 72"]
    y-axis "Cumulative Actions Completed" 0 --> 10
    bar [1, 3, 5, 7, 9]
    line [2, 5, 7, 9, 10]

The gap between the bar (actual) and line (target) represents the compliance deficit most Indian SMBs face: detection and containment happen, but documentation, formal notification drafting, and Data Principal communication lag behind by 24–48 hours. Closing that gap requires a pre-written incident response runbook, not improvisation.

The 72-Hour Incident Response Checklist

Hour 0–6: Detect and Contain

Action	Owner	Done?
Confirm whether personal data was accessed	Security / IT
Isolate affected systems to prevent further exfiltration	IT / DevOps
Preserve logs — do not rotate, delete, or overwrite	IT
Notify CISO / DPO / legal counsel	Management
File CERT-In incident report if incident type qualifies	DPO / Legal
Begin breach documentation log with detection timestamp	DPO

Hour 6–24: Assess and Escalate

Action	Owner	Done?
Complete initial forensic scope — systems, data categories, count of Data Principals	Security
Confirm or rule out third-party Data Processor involvement	Legal / Vendor Mgmt
Engage external IR firm if internal capacity is insufficient	CISO
Draft Data Protection Board notification	DPO / Legal
Draft Data Principal notification content	DPO / Comms
Assess whether regulatory bodies beyond DPB must be notified (RBI, SEBI, IRDAI if sector-regulated)	Legal

Hour 24–72: Notify and Remediate

Action	Owner	Done?
Submit notification to Data Protection Board	DPO / Legal
Send individual notifications to affected Data Principals	Comms / Engineering
Apply emergency security patches and access controls	Engineering
Conduct post-incident review kick-off	CISO
Archive complete breach documentation in tamper-evident storage	IT / Legal

Sector Overlay: Additional Reporting for Regulated Industries

If your company operates in a regulated sector, you face parallel notification requirements beyond the DPDP Act and CERT-In.

Banking and NBFCs — RBI's cybersecurity framework requires prompt notification of major cyber incidents to the Reserve Bank. Contact: rbi.org.in
Stock brokers, depositories, AMCs — SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) mandates incident reporting. Contact: sebi.gov.in
Insurance — IRDAI guidelines require incident reporting and include breach notification obligations

Running parallel notification workflows for each applicable regulator is non-negotiable. A breach at a fintech touching payment data can trigger CERT-In, DPDP Board, and RBI notifications simultaneously.

Where Bachao.AI Fits

Breach notification obligations are reactive. The stronger posture is preventing the breach in the first place — and catching vulnerabilities before attackers do. Bachao.AI, built by Dhisattva AI Pvt Ltd, automates vulnerability assessment across your web applications and APIs, producing findings that map directly to the kind of controls that prevent unauthorized access to personal data.

A free VAPT scan takes minutes to initiate and surfaces the misconfigurations — exposed APIs, authentication weaknesses, unencrypted sensitive fields — that convert a near-miss into a notifiable breach. For companies with specific DPDP compliance requirements, see the DPDP compliance page.

🎯Key Takeaway

The first 72 hours after a breach define your legal and regulatory outcome. Start documenting from the moment of detection, file your CERT-In report within six hours if the incident qualifies, prepare Board and Data Principal notifications in parallel, and store everything in tamper-evident logs. The companies that survive breaches well are the ones that ran this drill before they needed it.

Frequently Asked Questions

Does the DPDP Act 2023 specify a 72-hour breach notification deadline?

No. The Act requires notification to the Data Protection Board and affected Data Principals "as soon as possible" or as prescribed by Rules. The Rules are still under development by MeitY. The 72-hour framing in this guide reflects the CERT-In 6-hour window plus the critical first response period — not a statutory DPDP deadline.

What is the difference between notifying CERT-In and notifying the Data Protection Board?

CERT-In notification is a cybersecurity incident report filed under the IT Act 2000 and the CERT-In Directions 2022 — it is already mandatory and enforceable today. The Data Protection Board notification is a new obligation under the DPDP Act 2023 — its exact process and timeline will be defined in subordinate Rules. Both may apply simultaneously if a cybersecurity incident involves personal data.

Does a breach by a third-party vendor trigger my notification obligation?

Yes, in most cases. Under the DPDP Act 2023, if you shared personal data with a Data Processor (vendor, SaaS provider, cloud service) and that processor suffers a breach, you as the Data Fiduciary retain the obligation to notify affected Data Principals and the Board. Your vendor contracts should require vendors to notify you immediately upon discovering a breach.

What personal data categories require the most urgent response?

The DPDP Act framework designates certain data as Special Category Personal Data — including financial information, health data, official identifiers, and biometric data — through its rules and notifications. A breach involving these categories warrants immediate legal counsel, faster notification timelines, and detailed evidence preservation, as regulators are likely to scrutinize such incidents more closely.

We are a small startup with fewer than 50 employees. Does DPDP still apply?

The DPDP Act applies to any entity that processes personal data of Indian individuals in digital form, regardless of size. Certain obligations may be scaled differently for smaller entities once the Rules are notified, but the breach-notification obligation applies broadly. Consult the updated Rules at meity.gov.in for category-specific exemptions.

What should a Data Principal notification actually say?

It should describe what happened in plain language, which categories of their personal data were affected, what risks this creates for them, what steps they can take to protect themselves, what remediation you have applied, and how they can contact you with questions. Avoid legal jargon — the Act's intent is that Data Principals can actually understand and act on the notification.