--- title: "Data Breach Response & Notification Counsel under India’s DPDP Act" date: 2026-06-16 author: "Rajesh Sivaswamy" url: https://ksandk.com/data-protection-and-data-privacy/data-breach-response-notification-counsel/ --- A personal data breach is one of the highest-risk moments under the DPDP Act: the failure to notify can attract a penalty of up to **₹200 crore**, and the failure to maintain reasonable security safeguards up to **₹250 crore**. Rule 7 of the DPDP Rules, 2025 sets specific notification duties and timelines. This page explains them and how KSK’s data-privacy team supports breach response. ## The notification timeline Under **Rule 7**, on becoming aware of a personal data breach a data fiduciary must: ### Are you a Significant Data Fiduciary? Answer 25 questions to see your DPDPA risk level and whether the DPO obligation applies to you — free, instant, with a branded PDF. [Check your compliance score →](https://ksandk.com/privacy-review/scorecard) - Notify **each affected data principal “without delay”** – describing the breach (nature, extent, timing), the likely consequences, the mitigation taken, the safety steps the individual can take, and a contact point. - Give the **Data Protection Board an initial intimation “without delay”**, followed by a **detailed report within 72 hours** (extendable on request) covering updated facts, circumstances and reasons, remedial measures, findings on who caused it, and a summary of the notices sent to individuals. Our detailed analysis is here: [data breach notification obligations](https://ksandk.com/data-protection-and-data-privacy/dpdp-breach-notification-rules-and-modern-incident-response/), along with the interaction with [CERT-In’s reporting rules](https://ksandk.com/data-protection-and-data-privacy/cert-in-vs-dpdp-dual-breach-notification-duties-explained/), which impose their own, faster timelines. ## Why preparation matters The 72-hour clock and the “without delay” standard leave little room to improvise. Organisations that have a breach-response playbook, defined roles, holding statements and notification templates ready tend to meet the timelines and limit exposure. Reasonable security safeguards beforehand (Section 8(5)) also reduce both the likelihood of a breach and the penalty risk, see [reasonable security safeguards](https://ksandk.com/data-protection-and-data-privacy/dpdp-rule-6-and-indias-new-cybersecurity-compliance-standard/). ## How KSK helps We help clients before, during and after an incident: building breach-response playbooks and notification templates; advising in real time on whether an incident is a notifiable personal data breach and on parallel CERT-In and sectoral obligations; drafting and coordinating notifications to the Board and affected individuals; managing the 72-hour detailed report; and advising on remediation, regulator engagement and potential adjudication before the Data Protection Board. ## Related reading See our guides on [penalties and adjudication](https://ksandk.com/data-protection-and-data-privacy/penalties-adjudication-under-indias-dpdp-act-2023/) and [data-breach management](https://ksandk.com/data-protection-and-data-privacy/data-breach-risks/). To assess your current readiness, use the free [Compliance Scorecard](https://ksandk.com/privacy-review/scorecard/). ## Talk to KSK about your DPDP readiness Our data-privacy team advises Indian and global businesses on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. To understand where you stand, try our free [DPDPA Compliance Scorecard](https://ksandk.com/privacy-review/scorecard/) or [speak to our team](https://ksandk.com/contact-us/). *This page is general information about Indian data-protection law and is not legal advice or a solicitation. Provisions of the DPDP Act and Rules are subject to phased commencement and further notification.* ### Explore KSK Data Privacy Hub Free compliance tools and expert guidance covering 75+ jurisdictions. [Global Regulation Finder](/privacy-review/map/)[DPDPA Scorecard](/privacy-review/scorecard/)[DPDPA Guide](/privacy-review/guides/dpdpa/)[GDPR Guide](/privacy-review/guides/gdpr/)[Cross-Border Transfers](/privacy-review/guides/cross-border/) --- ## Office Locations - [New Delhi](https://ksandk.com/locations/top-corporate-law-firm-in-delhi/) (HQ): +91-11-41318190 | info@ksandk.com - [Mumbai](https://ksandk.com/locations/top-corporate-law-firm-in-mumbai/): 3 offices (Nariman Point, Lower Parel, Andheri) | mumbai@ksandk.com - [Bangalore](https://ksandk.com/locations/top-corporate-law-firm-in-bangalore/): bangalore@ksandk.com - [Chennai](https://ksandk.com/locations/chennai/): chennai@ksandk.com - [Hyderabad](https://ksandk.com/locations/hyderabad/): hyderabad@ksandk.com - [Pune](https://ksandk.com/locations/pune/): pune@ksandk.com - [Kochi](https://ksandk.com/locations/kochi/): kochi@ksandk.com ## Contact - [Contact Page](https://ksandk.com/contact-us/) - General: info@ksandk.com | +91-11-41318190 - WhatsApp: +91-7428567444 - [Privacy Statement](https://ksandk.com/privacy-statement/) - [Terms of Use](https://ksandk.com/terms-of-use/)