Data Breach Notification Under the DPDP Act and Rules 2025
Rule 7 of the DPDP Rules 2025 requires every Data Fiduciary to notify affected individuals and the Data Protection Board without delay when a personal data breach occurs, and then to file a detailed report with the Board within 72 hours. This duty sits alongside the separate CERT-In 6-hour incident reporting requirement.
What Must You Do After a Data Breach?
Rule 7 of the DPDP Rules 2025
After a personal data breach, you must notify affected Data Principals without delay and report to the Data Protection Board in two stages — an initial notification without delay, followed by a detailed report within 72 hours.
Rule 7 sets out the breach notification process in two tracks: one for the Data Principal and one for the Data Protection Board.
Notification to the Data Principal must happen without delay. It must be sent through the Data Principal's user account or via a registered communication channel. The notification must include: a description of the breach, the consequences that may result from it, the measures the Data Fiduciary has taken in response, the safety measures the Data Principal can take on their end, and the contact information of the person the Data Principal can reach for more information.
Notification to the Board follows a two-stage process. The first stage — without delay — must include a description of the breach, the nature and extent of the data affected, the timing of the breach, and the likely impact. The second stage — within 72 hours — requires a more detailed submission: updated and comprehensive information about the breach, the facts, circumstances, and reasons behind it, the mitigation measures taken, findings about who or what caused the breach, the remedial measures put in place, and a report on how affected Data Principals have been notified.
The 72-hour window is significant. It starts from the time the Data Fiduciary becomes aware of the breach — not from when the breach occurred. Given that a detailed investigation, root cause analysis, and Data Principal notification report must all be ready within this window, organisations need a pre-established breach response plan to meet this deadline.
Key Points
- Notify affected Data Principals without delay — via their user account or registered communication channel.
- Data Principal notification must cover: breach description, consequences, measures taken, safety steps for the individual, and contact details.
- First report to the Board (without delay): description, nature, extent, timing, and likely impact of the breach.
- Second report to the Board (within 72 hours): detailed facts, circumstances, root cause findings, mitigation and remedial measures, and a report on Data Principal notifications.
- The 72-hour clock starts from when the Data Fiduciary becomes aware of the breach.
- A pre-established incident response plan is essential to meet these timelines.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.