Personal Data Breach
What Is a Personal Data Breach?
A personal data breach is any unauthorized processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity, or availability (Section 2(t) of the DPDPA). This includes, but is not limited to:
Unauthorized access, disclosure, or sharing of personal data
Accidental loss or destruction of data
Data corruption or alteration
Loss of access to systems containing personal data
Each of these incidents must be treated as a breach under the DPDPA and its Rules. Because the definition covers integrity and availability as well as confidentiality, a ransomware encryption of a customer database or an accidental deletion with no recoverable backup is a breach even if no data ever left the organization.
Obligations of a Data Fiduciary (Organization)
A. Implement Reasonable Security Safeguards
Data fiduciaries must maintain reasonable technical and organizational safeguards to protect personal data against breach risks. This includes:
Encryption (the Rules also name obfuscation, masking, and the use of virtual tokens as acceptable measures)
Access controls
Logging and monitoring, with logs retained long enough that unauthorized access can be detected, investigated, and remediated
Incident response capabilities, including backups that allow processing to continue after a confidentiality, integrity, or availability compromise
The obligation itself comes from Section 8(5) of the DPDPA; Rule 6 of the DPDP Rules 2025 lists the minimum measures. Where a data processor handles personal data on the fiduciary's behalf, these safeguards must be imposed on the processor by contract, since the fiduciary remains accountable for any breach.
B. Breach Detection and Internal Response
Establish processes to detect, respond to, and contain data breaches.
Maintain incident response teams or protocols to assess and manage breach events quickly.
Record the breach event and every action taken, from detection through remediation.
Prompt action is critical: the DPDPA and the Rules set no materiality or risk threshold for reporting, so there is no "minor breach" that can be closed internally. Every personal data breach must be recorded and reported.
Reporting Requirements
Under the DPDPA 2023 and the DPDP Rules 2025 (notified 14 Nov 2025):
A. Notify the Data Protection Board
A data breach must be reported to the Data Protection Board of India without delay once the fiduciary becomes aware of it.
The Rules split this into two steps: an initial intimation to the Board as soon as the fiduciary becomes aware of the breach, followed by a detailed report within 72 hours of becoming aware (or such longer period as the Board may allow on a written request). The 72-hour clock starts at awareness, not at confirmation of scope, so the initial intimation will usually go out before the investigation is complete and should say what is still unknown.
The data fiduciary must provide:
Description of the breach
Nature and scope of affected data
When and how the breach occurred
Estimated impact
Remediation and mitigation steps taken
Contact details for follow-up or clarifications
B. Notify Affected Data Principals
Data fiduciaries must also notify each affected individual (data principal) without delay and in clear, plain language. Notice to individuals should include:
What happened
What personal data was involved
Potential consequences for the impacted individuals
Steps taken or planned to mitigate harm
Steps the individual can take to protect themselves
Contact information for further assistance
The notification should be understandable to a lay person, not just technical stakeholders, and it goes to the individual through their user account or the mode of communication they registered with the fiduciary.
Content of Breach Notices
Both Board-level and data principal breach reports should cover:
To the Data Protection Board:
Nature and extent of the breach
Categories of personal data affected
Approximate number of data principals affected
Timeline of breach discovery and reporting
Mitigation actions taken
Point of contact within the organization for inquiries
To the Affected Individuals:
Simple description of what happened
Explanation of what data elements were exposed
Likely consequences
Steps individuals can take to protect themselves
Contact information for support or queries
Recordkeeping & Internal Documentation
Organizations must establish and maintain:
A breach register detailing all incidents
Internal investigation logs
Documentation of how and when notifications were sent
Remediation timelines and corrective actions
Maintaining these records supports audit readiness and regulatory compliance. Timestamp every entry, with its time zone, and in particular the moment the fiduciary became aware of the breach: the reporting window to the Board is measured from that moment, and the register is the evidence of when it started.
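The sketch below is an added example, not code from the page or any regulator's template, of what a minimal breach register can enforce in software: timezone-aware timestamps, an append-only action log, and an "outstanding obligations" view that counts the 72-hour Board-report window from the moment of awareness. The field names, the `STEPS` labels, the `BR-2025-0001` identifier and the incident in `demo()` are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed window for the detailed report to the Board: 72 hours from awareness.
# Intimation to the Board and notice to data principals are "without delay".
BOARD_REPORT_WINDOW = timedelta(hours=72)
STEPS = ("board_intimated", "board_report_sent", "principals_notified")


@dataclass
class LogEntry:
    at: datetime
    actor: str
    action: str


@dataclass
class BreachRecord:
    breach_id: str
    aware_at: datetime                  # moment the fiduciary became aware
    description: str
    data_categories: list[str]
    principals_affected: int
    board_intimated_at: Optional[datetime] = None
    board_report_sent_at: Optional[datetime] = None
    principals_notified_at: Optional[datetime] = None
    log: list[LogEntry] = field(default_factory=list)

    def __post_init__(self) -> None:
        # A deadline computed from a naive timestamp is off by the local UTC offset.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")

    @property
    def board_report_deadline(self) -> datetime:
        return self.aware_at + BOARD_REPORT_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.board_report_deadline - now) / timedelta(hours=1)

    def record(self, at: datetime, actor: str, action: str) -> None:
        """Append to the investigation log; entries are never edited or removed."""
        if at.tzinfo is None:
            raise ValueError("log timestamps must be timezone-aware")
        self.log.append(LogEntry(at, actor, action))

    def mark(self, step: str, at: datetime, actor: str) -> None:
        """Record that one of the STEPS was completed, with who did it and when."""
        if step not in STEPS:
            raise ValueError(f"unknown step {step!r}")
        setattr(self, f"{step}_at", at)
        self.record(at, actor, step.replace("_", " "))

    def outstanding(self, now: datetime) -> list[str]:
        """Obligations not yet discharged; the report is flagged once its window has passed."""
        items = []
        if self.board_intimated_at is None:
            items.append("intimate Board (without delay)")
        if self.board_report_sent_at is None:
            left = self.hours_remaining(now)
            status = "OVERDUE" if left < 0 else f"{left:.1f}h left"
            items.append(f"detailed Board report ({status})")
        if self.principals_notified_at is None:
            items.append("notify affected data principals (without delay)")
        return items


class BreachRegister:
    # In-memory for the example; a real deployment needs an append-only store.
    def __init__(self) -> None:
        self._records: dict[str, BreachRecord] = {}

    def open(self, record: BreachRecord) -> BreachRecord:
        if record.breach_id in self._records:
            raise ValueError(f"duplicate breach id {record.breach_id}")
        self._records[record.breach_id] = record
        record.record(record.aware_at, "register", "breach opened")
        return record

    def overdue(self, now: datetime) -> list[str]:
        """IDs whose detailed Board report is unsent and past its deadline."""
        return [r.breach_id for r in self._records.values()
                if r.board_report_sent_at is None and now > r.board_report_deadline]


def demo() -> dict:
    """Walk a constructed incident through the register (sample data, not a real breach)."""
    aware = datetime(2025, 12, 1, 9, 0, tzinfo=timezone.utc)
    reg = BreachRegister()
    rec = reg.open(BreachRecord(
        "BR-2025-0001", aware, "Misconfigured storage bucket exposed customer exports",
        data_categories=["name", "email", "phone"], principals_affected=1250))
    rec.mark("board_intimated", aware + timedelta(hours=1, minutes=30), "dpo@example.com")
    one_day_later = aware + timedelta(hours=24)
    return {
        "deadline": rec.board_report_deadline.isoformat(),
        "outstanding_after_one_day": rec.outstanding(one_day_later),
        "overdue_at_73h": reg.overdue(aware + timedelta(hours=73)),
        "log_entries": len(rec.log),
    }
```

Calling `demo()` shows the deadline fixed at awareness plus 72 hours, the report still open with 48 hours left one day in, the individual notice still outstanding, and the record listed as overdue at hour 73. Refusing naive timestamps is the one design choice worth copying: the register is the evidence of when the clock started, so it must not be ambiguous about the time zone.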
Penalties for Non-Compliance
Failure to comply with breach-related obligations under the DPDPA can result in significant penalties, especially if breaches are not reported or are handled inadequately. The Schedule to the Act sets the upper limits:
Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)): a penalty of up to ₹250 crore.
Failure to notify the Data Protection Board or the affected data principals of a personal data breach (Section 8(6)): a penalty of up to ₹200 crore.
Penalties are imposed by the Board after an inquiry, and the amount depends on factors such as the nature, gravity, and duration of the breach, the type of personal data affected, and the mitigation taken.