The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India’s first dedicated legislation governing how organizations must collect, process, and protect personal data. With the release of the draft DPDP Rules, breach response and notification obligations are now at the center of compliance planning for companies across sectors—technology, healthcare, banking, e-commerce, telecom, and beyond.

What is new is the clarity and stringency of DPDP breach notification in India. Under the earlier position, sectoral regulators such as RBI, SEBI, or CERT-In prescribed their own fragmented reporting requirements; the DPDP framework seeks to establish a unified process instead. It obligates organizations (termed Data Fiduciaries) to promptly identify, report, and mitigate data breaches.

For Indian businesses, this is more than just a compliance box-ticking exercise. A delayed or inadequate response can trigger regulatory penalties under the DPDP Act, expose the company to civil claims, and—perhaps most damaging—undermine consumer confidence in a market where data trust is becoming a competitive advantage.

Understanding Breach Response under Draft DPDP Rules

The draft DPDP Rules define breach response as a structured, time-sensitive process that begins the moment an organization detects unauthorized access, disclosure, or loss of personal data. The goal is not only to contain the incident but also to ensure accountability through notification to regulators and affected individuals.

A few key elements stand out in the draft framework:

  1. Triggering Event – A breach is considered actionable when it risks causing harm to individuals whose personal data is involved. Harm is interpreted broadly, covering identity theft, financial fraud, reputational loss, or even unauthorized profiling.
  2. Obligation of the Data Fiduciary – The entity controlling personal data (the Data Fiduciary) bears the primary responsibility for breach response. This includes immediate containment, internal escalation, and preparing the notification.
  3. Role of the Data Protection Board of India (DPB) – The draft rules mandate that DPDP breach notification in India must be sent to the DPB within a prescribed timeframe. This creates a central reporting channel, different from the current patchwork of sector-specific rules.
  4. Notification to Individuals – Where the breach materially affects users, the draft rules require organizations to inform them directly. This ensures transparency and gives individuals the chance to protect themselves (for instance, by changing passwords, freezing accounts, or monitoring credit activity).
  5. Timelines – Though the final time limits are yet to be confirmed, the draft framework borrows from global best practices (such as GDPR’s 72-hour window). The expectation is that Indian rules will similarly require rapid reporting—delays could be penalized unless justified.

In essence, the draft DPDP Rules aim to shift India from a reactive, discretionary approach to a codified, mandatory breach response regime. For companies, this means building internal readiness now rather than waiting for the rules to be finalized.

DPDP Breach Notification in India: Scope and Requirements

The heart of the draft rules lies in the framework for DPDP breach notification in India. Unlike earlier guidelines that often left the format and recipients vague, the DPDP regime sets out a structured pathway for reporting.

1. Who Must Notify?

Every Data Fiduciary—from startups handling customer sign-ups to large banks processing financial records—is covered. There is no blanket exemption based on size or sector. Even Significant Data Fiduciaries, who already carry heightened compliance duties under the Act, must follow the same breach notification rules.

2. Whom to Notify?

Notifications must be sent to two audiences:

  • The Data Protection Board of India (DPB) – This becomes the central authority receiving and monitoring breach reports.
  • Affected Individuals – Where the breach creates a “likely risk of harm,” individuals must be directly informed. This could be through email, SMS, app notifications, or public notice if direct communication is not feasible.

3. What Must Be Included?

The draft rules emphasize clarity and sufficiency of information. At a minimum, breach notifications should contain:

  • Nature of the personal data compromised.
  • The scale of impact (number of records or individuals affected).
  • Likely consequences (e.g., financial loss, identity misuse).
  • Remedial measures already taken.
  • Steps individuals can take to protect themselves.

4. Timelines and Manner of Notification

While the exact reporting window remains open for finalization, the draft suggests immediate reporting without undue delay. Borrowing from international standards, India may adopt a 72-hour benchmark, balancing urgency with practical investigation needs. Notifications must be submitted in the prescribed electronic format to the DPB and must be accessible to individuals in plain, understandable language.

5. Enforcement and Penalties

Failure to comply with breach notification duties can attract significant penalties under the DPDP Act, which authorizes fines running into hundreds of crores depending on the gravity of the breach and the fiduciary’s conduct. The deterrence is clear: non-disclosure or delayed disclosure is itself a punishable lapse, regardless of how the breach occurred.

In short, the draft rules are designed to standardize DPDP breach notification in India, ensuring that regulators and citizens are no longer left in the dark when personal data is compromised.

Conclusion

The draft rules under the DPDP Act mark a decisive step toward a mature data protection ecosystem in India. By codifying obligations around breach response and setting out a framework for DPDP breach notification in India, the law signals that data security is no longer a soft compliance issue—it is a statutory duty with real consequences.

For businesses, the message is clear: a breach cannot be buried, delayed, or managed quietly. Regulators must be informed, individuals must be warned, and organizations must be ready to explain the measures they have taken. While the compliance costs and operational challenges are undeniable, the alternative—penalties, litigation, and loss of trust—is far more damaging.

Companies that invest early in breach readiness, training, and transparent communication will not only meet their legal duties but also differentiate themselves in a market where trust is scarce. In this sense, the DPDP framework is more than a compliance hurdle—it is an opportunity to build credibility and resilience in India’s digital economy.