What is the DPDP breach notification timeline?

Under the draft DPDP Rules, a data fiduciary must notify the Data Protection Board of a personal data breach 'without undue delay', interpreted as within 72 hours of becoming aware. For breaches likely to result in significant harm, data principals must also be notified directly. CERT-In's parallel 6-hour reporting obligation (for cybersecurity incidents) runs in addition — a single breach typically triggers both notification clocks.

What counts as a personal data breach under DPDP?

A personal data breach is any 'unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data' that compromises confidentiality, integrity, or availability. Common examples: ransomware encryption of personal data, exposed S3 bucket with PII, account takeover, insider data export, lost/stolen laptop with customer data, third-party processor compromise affecting your data.

What must the breach notification contain?

The notification to the Data Protection Board must include: (1) nature of the breach including categories and approximate number of data principals affected, (2) categories and approximate number of personal data records affected, (3) likely consequences, (4) measures taken or proposed to address the breach, (5) measures to mitigate possible adverse effects on data principals. The Board may demand additional information.

What are the penalties for late breach notification?

Failure to notify under DPDP can attract a penalty up to ₹200 crore per the Act's penalty schedule. The Data Protection Board considers notification timeliness as a major factor in penalty calibration — a breach that was notified promptly may attract a lower penalty than the same breach concealed or delayed. Concealment specifically is treated as an aggravating factor.

Does Bachao.AI help with breach response?

Bachao.AI's VAPT prevents most breach scenarios in the first place; for active incident response, our incident response service (see /incident-response) provides forensic investigation, breach scoping (what data was affected), CERT-In + DPDP notification drafting, and remediation. The deliverable is a forensic report admissible in Data Protection Board proceedings.

DPDP Breach Notification — 72-Hour Compliance Checklist

Two clocks, one breach

DPDP gives you 72 hours to notify the Data Protection Board. CERT-In gives you 6 hours for the cybersecurity incident report. Both run in parallel.

Late notification is treated as an aggravating factor — a breach notified promptly attracts a lower penalty than the same breach concealed.

72 hrsBoard notification

6 hrsCERT-In clock

₹200 Crmax penalty

Freefirst review

Book incident response Free DPDP gap analysis

72-hour Board notification6-hour CERT-In notificationForensic report

Hour-by-hour breach response runbook

Standard incident response sequence aligned to DPDP + CERT-In clocks:

Hour 0 — Awareness: someone (alert, customer complaint, security team) flags a potential breach. Open the incident, page on-call security, start the response timer.
Hour 0-1 — Triage: confirm breach is real (not a false alarm). Establish initial scope estimate: what data, how many records, what time window.
Hour 1-3 — Containment: stop the bleeding. Revoke compromised credentials, rotate keys, isolate affected systems, block attacker IPs at the WAF.
Hour 3-6 — CERT-In notification (Form C): file the cybersecurity incident report. CERT-In's 6-hour clock expires here.
Hour 6-24 — Forensic scoping: full forensic investigation. Confirm scope, attack chain, data exfiltration evidence. Engage forensic firm if no in-house capacity.
Hour 24-72 — Board notification draft: prepare the 5-field DPDP notification. Legal review. Stakeholder sign-off.
Hour 48-72 — Board notification filing: submit to Data Protection Board via prescribed channel. 72-hour clock expires here.
Hour 72+ — Data principal notification: direct notification to affected data principals where significant harm is likely.
Day 7-30 — Remediation + post-incident review: root cause analysis, control improvements, retest, executive lessons-learned.

The 5-field Board notification template

The Board notification must contain five fields. Pre-populate them in your incident response runbook to save 24-48 hours during the actual response:

Field 1 — Nature of breach: brief description of what happened (ransomware, unauthorised access, data exposure, insider exfil, third-party compromise, etc.)
Field 2 — Scope: categories of personal data affected (name, email, phone, payment, ID, biometric, sensitive) AND approximate number of data principals affected
Field 3 — Likely consequences: harm assessment (financial, reputational, identity theft, secondary attack on principals, etc.)
Field 4 — Measures taken: containment, eradication, recovery actions already completed
Field 5 — Mitigation for principals: notifications, credit monitoring, password resets, fraud-watch advisories, etc.

Common breach-notification mistakes

From our incident response work — frequent failure modes:

Waiting until forensic scope is 'fully confirmed' before notifying — the Board accepts preliminary scope and updates
Notifying CERT-In but forgetting the parallel DPDP Board notification (different recipient, different timeline)
Underreporting scope to minimise penalty — the Board treats underreporting as concealment, aggravating
No documented breach severity matrix — every breach feels like a P1, no clear escalation criteria
Counsel and security team operating in silos — notification draft delayed by legal review backlog
No tested communication template for data principal direct notification (Section 8 likely-harm cases)

How to prepare in advance

The 72-hour clock starts at awareness, not at response readiness. Pre-built runbooks save the most time. Recommended prep: (1) Documented incident response plan with the hour-by-hour runbook above. (2) Pre-populated 5-field notification template with placeholders. (3) Forensic firm relationship established (not negotiated during the breach). (4) Communication templates for data principal notification across email, SMS, push, in-product. (5) Annual tabletop exercise to stress-test the runbook with a simulated breach.

Bachao.AI's breach response support

We provide pre-incident preparation (runbook authoring, tabletop exercise facilitation, notification template drafting) and in-incident forensic response (scoping, evidence preservation, CERT-In + DPDP notification drafting, remediation guidance). The deliverable is a forensic report admissible in Data Protection Board proceedings. See /incident-response for the full service description.

Build your DPDP breach runbook before you need it

Free first DPDP review covers your readiness for the 72-hour notification clock + 5-field template.

Book a free review Incident response

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

AI VAPT Scanner

Automated penetration testing for web apps and APIs. Results in under 2 hours.

Learn more →

API Security Testing

OWASP API Top 10 coverage for REST and GraphQL endpoints.

Learn more →

Cloud Security Audit

AWS, Azure & GCP misconfiguration detection with DPDP mapping.

Learn more →

Hour-by-hour breach response runbook

Standard incident response sequence aligned to DPDP + CERT-In clocks:

Hour 0 — Awareness: someone (alert, customer complaint, security team) flags a potential breach. Open the incident, page on-call security, start the response timer.

Hour 0-1 — Triage: confirm breach is real (not a false alarm). Establish initial scope estimate: what data, how many records, what time window.

Hour 1-3 — Containment: stop the bleeding. Revoke compromised credentials, rotate keys, isolate affected systems, block attacker IPs at the WAF.

Hour 3-6 — CERT-In notification (Form C): file the cybersecurity incident report. CERT-In's 6-hour clock expires here.

Hour 6-24 — Forensic scoping: full forensic investigation. Confirm scope, attack chain, data exfiltration evidence. Engage forensic firm if no in-house capacity.

Hour 24-72 — Board notification draft: prepare the 5-field DPDP notification. Legal review. Stakeholder sign-off.

Hour 48-72 — Board notification filing: submit to Data Protection Board via prescribed channel. 72-hour clock expires here.

Hour 72+ — Data principal notification: direct notification to affected data principals where significant harm is likely.

Day 7-30 — Remediation + post-incident review: root cause analysis, control improvements, retest, executive lessons-learned.

The 5-field Board notification template

The Board notification must contain five fields. Pre-populate them in your incident response runbook to save 24-48 hours during the actual response:

Field 1 — Nature of breach: brief description of what happened (ransomware, unauthorised access, data exposure, insider exfil, third-party compromise, etc.)

Field 2 — Scope: categories of personal data affected (name, email, phone, payment, ID, biometric, sensitive) AND approximate number of data principals affected

Field 3 — Likely consequences: harm assessment (financial, reputational, identity theft, secondary attack on principals, etc.)

Field 4 — Measures taken: containment, eradication, recovery actions already completed

Field 5 — Mitigation for principals: notifications, credit monitoring, password resets, fraud-watch advisories, etc.

Common breach-notification mistakes

From our incident response work — frequent failure modes:

Waiting until forensic scope is 'fully confirmed' before notifying — the Board accepts preliminary scope and updates

Notifying CERT-In but forgetting the parallel DPDP Board notification (different recipient, different timeline)

Underreporting scope to minimise penalty — the Board treats underreporting as concealment, aggravating

No documented breach severity matrix — every breach feels like a P1, no clear escalation criteria

Counsel and security team operating in silos — notification draft delayed by legal review backlog

No tested communication template for data principal direct notification (Section 8 likely-harm cases)

How to prepare in advance

Bachao.AI's breach response support

DPDP Breach Notification Checklist — 72-Hour Playbook

Hour-by-hour breach response runbook

The 5-field Board notification template

Common breach-notification mistakes

How to prepare in advance

Bachao.AI's breach response support

Build your DPDP breach runbook before you need it

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit

DPDP Breach Notification Checklist — 72-Hour Playbook

Hour-by-hour breach response runbook

The 5-field Board notification template

Common breach-notification mistakes

How to prepare in advance

Bachao.AI's breach response support

Build your DPDP breach runbook before you need it

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit