Data Breach Notification Obligations Under the DPDP Act & DPDP Rules: Building a Modern Incident Response Framework for Indian and Multinational Enterprises

Posted On - 19 November, 2025 • By - Jidesh Kumar

Introduction

In today’s digital ecosystem, data breaches are no longer rare events they are inevitable operational risks. From ransomware attacks and phishing-driven intrusions to misconfigured cloud servers and insider threats, breaches occur across industries, jurisdictions, and platforms. Recognising this risk, the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 introduce one of India’s most comprehensive and enforceable breach notification regimes, centred on Rule 7.

Rule 7 transforms incident response from a voluntary or IT-managed function into a statutory obligation, mandating dual notification to both affected Data Principals and the Data Protection Board (DPB) “without undue delay.” Unlike many global frameworks, Rule 7 sets out detailed breach reporting content requiring clarity on scope, cause, consequences, remediation, and preventive frameworks.

The implications for Indian companies, offshore processors, global MNCs, cloud vendors, telecom entities, financial institutions, healthcare providers, and digital platforms are profound. A breach under the DPDP regime triggers compliance, risk, operational, legal, and reputational consequences simultaneously.

1. Section 8(6): Mandatory Breach Notification

Section 8(6) of the Act mandates that Data Fiduciaries must notify the Data Protection Board, and the affected Data Principals, in the event of a personal data breach. This is non-negotiable and enforceable.

2. Section 33 (Penalty Schedule)

Breach-related failures including inadequate safeguards or delayed notification can attract penalties up to ₹250 crore.

3. Section 28–29: Inquiry and Directions

The DPB may conduct inquiries, issue directions, seek log trails, and impose corrective measures.

4. Section 36: Government Power to Demand Information

The Government may request breach details, logs, and forensic reports for national security or public interest.

Rule 7: India’s Detailed Breach Notification Framework

Rule 7 operationalises Section 8(6). It imposes granular obligations.

1. Dual Notification Requirement

Upon any personal data breach, Data Fiduciaries must notify affected users, and the Data Protection Board, as soon as reasonably possible. This dual channel is stricter than several international regimes.

2. Content of Notifications to Users

User notifications must include nature of the personal data breach, categories of personal data affected, potential consequences, steps taken by the Data Fiduciary, advice to Data Principals on protective actions. This ensures transparency and empowers users to take mitigating measures.

3. Content of Notifications to the DPB

This includes causes of the breach, period and systems affected, categories and volume of data involved, number of users affected, detection timeline, remedial actions taken, steps to prevent recurrence, identities of responsible persons (if known), and updates as investigations progress. This is akin to a structured incident report demanded by global regulators.

4. Continuous Reporting

DPB may demand follow-up reports until remediation is complete.

How India’s Breach Regime Compares Globally

GDPR

  • 72-hour regulator notification is mandatory.
  • Notification to individuals required only when risk is high.

DPDP (India)

  • No fixed-hour timeline, but “without undue delay” means immediate.
  • Dual notification mandatory in all breaches involving personal data.
  • Requires comprehensive report content.

CPRA (California)

  • Notification to affected consumers required under state breach laws.
  • No mandatory regulator reporting unless involving specific data.

China’s PIPL

  • Mandatory notification to both regulator and individuals for serious breaches.

Insight:

India’s regime is one of the strictest in Asia, particularly because:

  • it requires universal dual notification,
  • content obligations are detailed,
  • reporting is forensic in nature,
  • penalties are business-threatening.

Categories of Breaches Covered

Rule 7 covers any unauthorised acquisition, access, use, disclosure, alteration, or loss of personal data.

Examples:

  • ransomware attacks,
  • phishing and credential compromise,
  • insider theft,
  • cloud misconfigurations,
  • database leaks,
  • API exploitation,
  • lost devices containing personal data,
  • erroneous data sharing,
  • insecure log storage,
  • third-party service-provider breaches.
  • There is no “materiality threshold”- all personal data breaches must be reported.

Incident Response Challenges Under DPDP

1. Multi-Cloud and SaaS Complexity: Breaches often originate in:

  • AWS/Azure/GCP misconfigurations,
  • SaaS providers,
  • offshore processors,
  • multi-tenant systems.
  • DPDP requires Data Fiduciaries to report breaches even if the breach occurs at a vendor.

2. Very Short Detection and Notification Window: “Without undue delay” effectively means:

  • real-time detection,
  • 24/7 monitoring,
  • automated alerting,
  • pre-approved notification templates.

3. High Precision in Reporting

Companies must supply forensic-quality information early even before investigations conclude.

4. Notifying Millions of Users: Large platforms may need:

  • multi-channel notifications (email/SMS/in-app),
  • load-balanced systems,
  • templated messaging,
  • multilingual communications.

5. Dual Pressure: DPB + Users

Notifying users increases reputational risk; notifying the DPB increases regulatory risk.

Required Elements of a DPDP-Compliant Incident Response Framework

Companies must create a DPDP Incident Response (DPDP-IR) system with the following components:

1. Governance & Leadership

  • Incident Response Committee (IRC): comprising Legal, IT Security, Engineering, Product, Communications, HR, and Executives.
  • Board oversight: boards must receive periodic briefings on breaches and response readiness.
  • DPO (for SDFs): must centrally coordinate breach governance.

2. Policies & SOPs

  • Data breach response policy
  • Forensic readiness policy
  • Notification SOPs like Incident classification matrix
  • Vendor breach response SOP
  • Containment procedures
  • Legal escalation matrix
  • Each SOP must reflect DPDP timelines.

 3. Detection & Monitoring Infrastructure

  • SOC (Security Operations Centre)
  • SIEM (Security Information & Event Management)
  • IDS/IPS (Intrusion Detection/Prevention Systems)
  • API monitoring
  • Data loss prevention (DLP)
  • Cloud posture management (CSPM)
  • Endpoint Detection & Response (EDR)
  • Automated logging (Rule 6 & Rule 8)
  • Detection must be continuous and automated.

 4. Forensic Investigation Capability

Companies must have:

  • forensic toolkits,
  • external cyber-forensic partners,
  • chain-of-custody procedures,
  • log preservation architecture,
  • volatile memory capture tools.
  • DPDP requires early reporting even while forensics continue.

 5. Notification Engine

Companies need a central breach-notification module capable of:

  • sending mass notifications,
  • tracking delivery logs,
  • storing evidence of dispatch,
  • updating users,
  • integrating with CRM/email/SMS gateways.
  • For regulated industries (banking, telecom, insurance), sectoral notifications must also be triggered.

6. Documentation & Audit Trails

DPB inquiries demand:

  • timeline of events,
  • logs,
  • evidence of containment,
  • copies of notifications,
  • forensic reports,
  • DPIAs for affected systems,
  • vendor communications,
  • remedial action plans.
  • Proper documentation becomes a legal defence.

Rule 6 requires that Data Fiduciaries ensure processors adopt reasonable security safeguards.

Key contractual requirements:

  • breach notification timelines,
  • indemnities for failures,
  • audit rights,
  • security certifications,
  • subcontractor approval mechanisms,
  • deletion obligations,
  • data restoration controls.
  • A breach at the processor is legally a breach at the Data Fiduciary under DPDP.

Cross-Border Breaches: The DPDP + Rule 15 Intersection

If an offshore processor suffers a breach:

  • It must notify the Indian Data Fiduciary immediately.
  • The Indian entity must notify users + the DPB.
  • Retention of logs (Rule 8) becomes essential for offshore investigations.
  • The DPB may demand data held abroad.

This can create conflicts with:

  • GDPR restrictions,
  • US discovery rules,
  • China’s state security laws,
  • EU–US Cloud Act issues.
  • Companies must draft contracts anticipating these conflicts.

Special Considerations for Significant Data Fiduciaries (SDFs)

SDFs face:

  • higher scrutiny,
  • annual security audits,
  • mandatory DPIAs,
  • algorithmic transparency obligations,
  • DPO oversight.
  • DPB investigations into SDFs will likely be intensive.

Industry-Specific Implications

Fintech & BFSI: Breaches often involve high-risk data:

  • KYC documents,
  • financial transactions,
  • Aadhaar numbers.
  • RBI, NPCI, and CERT-In obligations coexist with DPDP.

Healthcare

Medical data is highly sensitive. Hospitals, labs, healthtech apps must manage:

  • EMR/EHR breaches,
  • telemedicine platform leaks,
  • third-party diagnostic systems.

E-Commerce & Retail

  • Large-scale user databases and marketing systems make them prime targets.

Telecom & ISPs

  • Network-level breaches may expose millions of records.

EdTech & Gaming

  • Often process children’s data—penalties escalate.

Penalties, Liability & DPB Enforcement Risk

Penalties under DPDP include:

  • ₹250 crore for failure to adopt safeguards leading to breach,
  • ₹200 crore for children’s data breaches,
  • ₹50 crore for other compliance failures.

DPB may also:

  • issue directions to stop processing,
  • require audits,
  • mandate security upgrades,
  • initiate inquiries,
  • recommend blocking of platforms (Section 37).
  • Breach documentation and logs become critical evidence.

18-Month Implementation Roadmap

Phase 1 (Months 1–4): Readiness Assessment

  • Gap analysis
  • Vendor assessments
  • Forensic readiness audit
  • SOC maturity review

Phase 2 (Months 4–10): IR Architecture

  • Drafting SOPs
  • Implementing SIEM/SOC
  • Notification templates
  • Automated tracking

Phase 3 (Months 10–15): Simulation & Testing

  • Breach drills
  • Tabletop exercises
  • User-notification dry runs

Phase 4 (Months 15–18): Documentation & Certification

  • Internal audits
  • SDF DPIAs
  • Board reporting
  • Compliance certification readiness

Conclusion

Rule 7 of the DPDP Rules, read with Section 8 of the DPDP Act, creates one of India’s most robust data breach regimes. This framework makes breach response a legal, technical, and governance obligation, demanding readiness across:

  • cybersecurity systems,
  • legal processes,
  • user communications,
  • documentation,
  • vendor ecosystems,
  • forensic preparedness.

Companies that build mature, automated, and well-documented incident response frameworks will not only reduce regulatory exposure but also build lasting trust with users, business partners, and regulators in an increasingly security-conscious digital economy.

Contributed by – Aurelia Menezes