

Under the DPDP Act, a data breach is any unauthorized access, leak, or loss of personal data, even if it happened by mistake. An employee emailing a customer list to the wrong address, a lost laptop, a misconfigured database: all of these are breaches.
Here is what makes India's rule stricter than most: there is no risk threshold. Unlike GDPR, which lets you skip reporting low-risk incidents, the DPDP Act makes every breach reportable. No "minor breach" category, no judgement call.
Failing to report is one of the most expensive mistakes under the Act, with a penalty of up to ₹200 crore (see the full DPDP penalty schedule).
No cost. No obligation. Get your compliance gap report.
When a breach happens, the clock starts immediately, on two fronts at once.
Every affected individual must be told about the breach without delay: what happened, what data was involved, and what they should do to protect themselves. Waiting to "assess the situation" for weeks is not an option.
A detailed report must reach the Data Protection Board of India within 72 hours: the nature of the breach, its scope, the data affected, and the steps you are taking to contain and fix it.
72 hours sounds like a lot until a real incident hits. In practice, that window gets consumed by discovering the breach, understanding what was exposed, and coordinating a response. Businesses without a prepared plan almost always miss it, and that is a ₹200 crore problem on top of the breach itself.
Meeting the 72-hour rule is only possible if these pieces exist before the breach happens.
Our Breach Response Setup service builds exactly this: detection, runbook, templates, and reporting protocols, so a bad day never becomes a ₹200 crore day.
Get My Breach Readiness Checked, FreeThe penalty framework has been active since November 2025. Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Building breach readiness is part of the 2-6 months a compliance setup takes.
Breach reporting is one obligation among many. Our main guide covers consent, penalties, rights, deadlines, and the full compliance checklist.
Learn Everything About DPDP ComplianceAny unauthorized access, leak, or loss of personal data, even if it happened by mistake. There is no risk threshold or "minor breach" category: every breach is reportable to affected users and to the Data Protection Board.
Affected users must be notified without delay, and a detailed report must reach the Data Protection Board of India within 72 hours of the breach.
Up to ₹200 crore per violation for failing to report. If the breach also exposed weak security safeguards, a separate penalty of up to ₹250 crore can apply for that violation, which is how penalty exposure stacks.
Detection and monitoring, a documented 72-hour runbook with assigned roles, ready-to-use user notification templates, a Board reporting process, and tamper-resistant logs kept at least 1 year as evidence of your response.
If the honest answer is "probably not", start with a free audit. We will show you exactly what your breach readiness is missing.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.