Data Breach Reporting Under DPDP

Every breach counts, and you have 72 hours to report it to the Board
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP Data Breach Reporting: What Counts and What You Must Do

Under the DPDP Act, a data breach is any unauthorized access, leak, or loss of personal data, even if it happened by mistake. An employee emailing a customer list to the wrong address, a lost laptop, a misconfigured database: all of these are breaches.

Here is what makes India's rule stricter than most: there is no risk threshold. Unlike GDPR, which lets you skip reporting low-risk incidents, the DPDP Act makes every breach reportable. No "minor breach" category, no judgement call.

Failing to report is one of the most expensive mistakes under the Act, with a penalty of up to ₹200 crore (see the full DPDP penalty schedule).

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

The Two DPDP Breach Notification Duties

When a breach happens, the clock starts immediately, on two fronts at once.

1. Notify Affected Users, Without Delay

Every affected individual must be told about the breach without delay: what happened, what data was involved, and what they should do to protect themselves. Waiting to "assess the situation" for weeks is not an option.

2. Detailed Board Report Within 72 Hours

A detailed report must reach the Data Protection Board of India within 72 hours: the nature of the breach, its scope, the data affected, and the steps you are taking to contain and fix it.

72 hours sounds like a lot until a real incident hits. In practice, that window gets consumed by discovering the breach, understanding what was exposed, and coordinating a response. Businesses without a prepared plan almost always miss it, and that is a ₹200 crore problem on top of the breach itself.

What a DPDP Breach Response Plan Must Include

Meeting the 72-hour rule is only possible if these pieces exist before the breach happens.

  • Detection and monitoring: you cannot report a breach you never noticed, so logging and alerts come first
  • A documented 72-hour runbook: who does what, in what order, the moment a breach is confirmed
  • Ready user notification templates: so notifying affected people takes hours, not days
  • A Board reporting process: who compiles and files the detailed 72-hour report
  • Tamper-resistant logs kept at least 1 year: your evidence of what happened and how you responded
  • Prevention safeguards: encryption, access controls, MFA, and backups, since weak security is its own ₹250 crore violation

Our Breach Response Setup service builds exactly this: detection, runbook, templates, and reporting protocols, so a bad day never becomes a ₹200 crore day.

Get My Breach Readiness Checked, Free

Breach Rules Are Already Live

The penalty framework has been active since November 2025. Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Building breach readiness is part of the 2-6 months a compliance setup takes.

Want the Complete DPDP Picture?

Breach reporting is one obligation among many. Our main guide covers consent, penalties, rights, deadlines, and the full compliance checklist.

Learn Everything About DPDP Compliance

DPDP Breach Reporting: Frequently Asked Questions

What counts as a data breach under the DPDP Act?

Any unauthorized access, leak, or loss of personal data, even if it happened by mistake. There is no risk threshold or "minor breach" category: every breach is reportable to affected users and to the Data Protection Board.

Could You File a Board Report Within 72 Hours?

If the honest answer is "probably not", start with a free audit. We will show you exactly what your breach readiness is missing.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.