King Stubb & Kasiva (KSK) · Insight · Data Privacy

Data Breach Response & Notification Counsel under India’s DPDP Act

A personal data breach is one of the highest-risk moments under the DPDP Act: the failure to notify can attract a penalty of up to ₹200 crore, and the failure to maintain reasonable security safeguards up to ₹250 crore. Rule 7 of the DPDP Rules, 2025 sets specific notification duties and timelines. This page explains them and how KSK’s data-privacy team supports breach response.

The notification timeline

Under Rule 7, on becoming aware of a personal data breach a data fiduciary must:

  • Notify each affected data principal “without delay” — describing the breach (nature, extent, timing), the likely consequences, the mitigation taken, the safety steps the individual can take, and a contact point.
  • Give the Data Protection Board an initial intimation “without delay”, followed by a detailed report within 72 hours of becoming aware of the breach (or such longer period as the Board allows on a written request) — covering updated facts, circumstances and reasons, remedial measures, findings on who caused it, and a summary of the notices sent to individuals.

Our detailed analysis of the data breach notification obligations also covers the interaction with CERT-In’s reporting rules, which impose their own, faster timelines (six hours from noticing an incident under CERT-In’s April 2022 directions) and apply in parallel.

Why preparation matters

The 72-hour clock and the “without delay” standard leave little room to improvise. Organisations that have a breach-response playbook, defined roles, holding statements and notification templates ready tend to meet the timelines and limit exposure. Reasonable security safeguards beforehand (Section 8(5)) also reduce both the likelihood of a breach and the penalty risk — see reasonable security safeguards.

How KSK helps

We help clients before, during and after an incident: building breach-response playbooks and notification templates; advising in real time on whether an incident is a notifiable personal data breach and on parallel CERT-In and sectoral obligations; drafting and coordinating notifications to the Board and affected individuals; managing the 72-hour detailed report; and advising on remediation, regulator engagement and potential adjudication before the Data Protection Board.

Related reading

See our guides on penalties and adjudication and data-breach management. To assess your current readiness, use the free Compliance Scorecard.

Talk to KSK about your DPDP readiness

Our data-privacy team advises Indian and global businesses on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. To understand where you stand, try our free DPDPA Compliance Scorecard or speak to our team.

This page is general information about Indian data-protection law and is not legal advice or a solicitation. Provisions of the DPDP Act and Rules are subject to phased commencement and further notification.

Frequently Asked Questions

DPDP Act — quick answers

What is the data-breach notification timeline under the DPDP Act?
Under Rule 7 of the DPDP Rules, 2025, a data fiduciary must notify each affected data principal without delay, and must give the Data Protection Board an initial intimation without delay followed by a detailed report within 72 hours of becoming aware of the breach (or a longer period allowed by the Board on written request).
What must be reported to the Data Protection Board after a breach?
An initial intimation of the nature, extent, timing and likely impact, and then within 72 hours a detailed report covering updated facts, the circumstances and reasons, remedial measures, findings on who caused the breach, and a summary of the notices sent to affected individuals.
What is the penalty for failing to report a data breach in India?
Failing to notify a personal data breach to the Board or to affected individuals can attract a penalty of up to ₹200 crore under the Schedule to the DPDP Act, and a failure to take reasonable security safeguards up to ₹250 crore.
Does CERT-In breach reporting still apply alongside the DPDP Act?
Yes. CERT-In's directions impose their own cyber-incident reporting obligations on a faster timeline (six hours from noticing the incident under the April 2022 directions), and they continue to apply in parallel with the DPDP Act's breach-notification duties. Many incidents will trigger both, so response plans should address them together.

This FAQ is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 — not legal advice. Provisions are subject to phased commencement and further notification. Speak to the KSK data-privacy team for advice on your specific situation.