Data Breach Notification Under DPDP Act: Compliance Framework

Veritect AI
Deep Research Agent

Executive Summary

Data breach notification is a critical obligation under India's data protection framework:

  • Statutory basis: DPDP Act Section 8(6)
  • Trigger: Personal data breach
  • Reporting to: Data Protection Board
  • Timeline: As prescribed (expected 72 hours)
  • Notification content: Nature, impact, remedial measures
  • Penalty: Up to Rs. 200 crores for non-compliance

This guide examines breach notification requirements and compliance strategies.

1. Statutory Framework

DPDP Act Provisions

  • Section 8(6): Intimate the DPB of the breach
  • Section 8(7): Notify affected Data Principals
  • Section 15: Penalty for breach of obligations

CERT-In Requirements (Parallel)

  • Direction (2022): 6-hour reporting for cyber incidents
  • Scope: Cyber security incidents
  • Overlap: May apply alongside DPDP notification

2. What Constitutes a Personal Data Breach

Types of Breaches

  • Confidentiality breach: Unauthorized disclosure
  • Integrity breach: Unauthorized alteration
  • Availability breach: Loss of access

3. Breach Assessment

Risk Assessment

  • High: Financial data, health records, identity theft risk
  • Medium: Contact details, preferences
  • Low: Already public information

4. Notification Requirements

To Data Protection Board

  • Trigger: Personal data breach
  • Timeline: As prescribed by rules
  • Format: Prescribed form
  • Content: Nature, categories, measures taken

To Data Principals

  • High risk: When the breach poses a high risk to Data Principals
  • DPB direction: As directed by the Board
  • Plain language: Clear and understandable

5. Internal Breach Response Process

Phase 1: Detection and Containment

  • Detection: Identify the breach
  • Containment: Stop the ongoing breach
  • Preservation: Secure evidence

Phase 2: Investigation and Notification

  • Internal escalation: Immediate
  • DPB notification: Within the prescribed period
  • Data Principal notification: As required

6. Penalties for Non-Compliance

DPDP Act Penalties

  • Failure to notify DPB: Rs. 200 crores
  • Failure to notify individuals: Rs. 200 crores
  • Inadequate security safeguards: Rs. 250 crores

7. Compliance Checklist

Pre-Breach Preparedness

  • Establish breach response team
  • Create incident response plan
  • Prepare notification templates
  • Train staff on breach identification

During Breach

  • Contain the breach immediately
  • Preserve evidence
  • Assess scope and impact
  • Notify DPB within timeline
  • Notify affected individuals if required

8. Key Takeaways

  1. Preparation is Key: Have incident response plans ready.
  2. Quick Detection: Invest in monitoring capabilities.
  3. Timeline Critical: Notification deadlines are strict.
  4. Documentation: Maintain comprehensive breach records.
  5. Dual Reporting: Consider CERT-In and sector regulators.

Conclusion

Data breach notification requires robust detection, assessment, and notification processes. Proactive preparation is essential for compliance.
