In short: A DPDP data breach notice India triggers a dual legal obligation under the Digital Personal Data Protection Act, 2023: you must notify the Data Protection Board of India without delay and then file a detailed report within 72 hours, while simultaneously informing every affected individual — regardless of how minor the breach appears.
Key points
- The DPDP Rules, 2025 were notified on 13–14 November 2025, fully operationalising the Digital Personal Data Protection Act, 2023. Breach notification obligations fall under Rule 7 and will become enforceable by mid-May 2027 after an 18-month implementation phase.
- A “personal data breach” is defined broadly: any unauthorised processing or accidental disclosure, alteration, loss, or destruction of personal data that compromises confidentiality, integrity, or availability — covering ransomware attacks, misconfigured cloud buckets, and phishing incidents alike.
- There is no minimum threshold for reporting. Every personal data breach, no matter how small, triggers the same dual notification obligation to the Data Protection Board of India and to every affected individual.
- Rule 7 creates a two-phase reporting structure: an immediate preliminary notice to the Board “without delay,” followed by a comprehensive detailed report within 72 hours of the fiduciary becoming aware of the breach.
- The 72-hour deadline can be extended if you make a written request to the Board — but you must proactively seek that extension; it is not automatic.
- As a Data Fiduciary, your business is legally responsible for both notifications; you cannot rely on a processor or vendor to discharge this obligation on your behalf without confirming that responsibility clearly in your contracts.
What does the law actually say about a DPDP data breach notice India?
The Digital Personal Data Protection Act, 2023 contains the core obligation in Section 8(6): when a personal data breach occurs, the Data Fiduciary must give intimation to both the Data Protection Board of India and to each affected Data Principal.
This is a dual obligation — notifying only your customers without informing the Board, or vice versa, means you are only half-compliant. The manner and content of that intimation are set out in Rule 7 of the DPDP Rules, 2025.
The definition of “personal data breach” under Section 2 of the Act is deliberately wide. It is not limited to hacking. A misconfigured cloud storage bucket that briefly exposed customer names, or an employee accidentally emailing salary data to the wrong recipient, can each qualify as a reportable breach.
When do these obligations actually kick in for your business?
This is the question most SMEs are asking right now. The DPDP Act and Rules were notified in November 2025, but not all provisions came into force immediately.
Phase I (effective from 13 November 2025) focused on setting up the Data Protection Board of India. The breach notification obligations — along with notice standards, individual rights, grievance timelines, and other day-to-day compliance duties — are contained in the Rules that commence 18 months after publication. That means full enforceability arrives in mid-May 2027.
Use this window to build your internal processes now, not at the last minute. Businesses that treat 2027 as the start date, rather than the deadline, will struggle.
Step-by-step: How to respond when a breach occurs
Step 1 — Contain and assess
The moment you detect or are told about a potential breach, activate your incident response plan. Isolate the affected system, preserve logs, and assemble the people who need to know: your IT lead, legal counsel, and the compliance officer or founder if it is a small team.
Determine whether the incident meets the statutory definition of a personal data breach. If any personal data has been accessed, disclosed, altered, lost, or destroyed without authorisation — even accidentally — the answer is almost certainly yes.
Step 2 — Send the initial notification to the Board without delay
Rule 7 requires you to send a preliminary report to the Data Protection Board of India immediately after you become aware. “Without delay” means as fast as is reasonably practicable — do not wait until you have the full picture.
This initial notice should summarise the nature of the breach, its probable extent, the timing, and the likely impact. Think of it as raising your hand to the regulator, not as a final confession of what went wrong.
Step 3 — Notify every affected Data Principal
Simultaneously, or as close to simultaneously as your situation allows, you must inform each individual whose personal data was compromised. There is no minimum harm threshold — if their data was involved, they are entitled to know.
Your notice to individuals should be clear, jargon-free, and should tell them what happened, what data was affected, and what steps you are taking to protect them. For guidance on drafting notices and other consumer-facing legal documents, explore the Law for You guides on The Courtroom, which cover plain-language compliance in everyday business situations.
Step 4 — File the detailed 72-hour report to the Board
Within 72 hours of becoming aware of the breach (or within any extended period the Board permits on your written request), you must submit a comprehensive report. This is not a form-filling exercise — the law specifies the content in detail.
| Required element | What to include |
|---|---|
| Events and circumstances | A full account of how and when the breach occurred, including the sequence of events leading up to it |
| Measures taken or proposed | Steps already implemented to contain or mitigate the risk, plus any further actions planned |
| Person responsible | Your findings, at the time of filing, about who or what caused the breach — internal actor, external attacker, or system failure |
| Remedial actions for recurrence | Specific measures you are putting in place to prevent a similar breach happening again |
| Individual notifications report | A summary of the intimations given to affected Data Principals — who was notified, when, and how |
Step 5 — Document everything
Keep a contemporaneous record of every decision you made and every action you took from the moment you detected the breach. If the Board investigates later, your documentation is your defence.
Record timestamps for detection, containment steps, notification drafts, dispatch records, and any external legal advice received.
Common mistakes small businesses make
Waiting for certainty before notifying. The law does not require you to have all the answers before you notify the Board. Send the initial notice promptly, then follow up with the detailed report once you have completed your internal investigation.
Assuming a small breach does not need to be reported. The DPDP Act sets no floor on reportable breaches. Scope and severity are irrelevant to whether the obligation arises — they may be relevant to the Board’s response, but not to your duty to report.
Treating vendor agreements as a shield. If your cloud provider or payroll processor suffers the breach, you — as the Data Fiduciary — remain the party legally obligated to notify the Board and affected individuals. Review your vendor contracts now to establish clear responsibilities and information-sharing timelines.
Frequently asked questions
Does my small business have to report every data breach under the DPDP Act, even minor ones?
Yes. The DPDP Act and Rule 7 of the DPDP Rules, 2025 do not set any minimum threshold based on the scale or severity of a breach. Every personal data breach — whether it affects one individual or one million — triggers the same dual notification obligation to the Data Protection Board of India and to each affected individual. There is no “de minimis” exception.
What happens if my business cannot complete the detailed report within 72 hours?
The law allows for an extension, but only if you make a written request to the Data Protection Board of India before the deadline expires. The extension is not automatic — you must proactively seek it and explain why you need more time. Do not simply miss the deadline and hope for leniency; make the request in writing as early as you realise you will need it.
My IT vendor caused the breach. Are they responsible for the DPDP data breach notice India?
As the Data Fiduciary, your business holds the primary legal obligation to notify both the Board and affected individuals — regardless of whether a third-party vendor caused the breach. Your vendor may be contractually liable to you for causing the incident, but that does not transfer your statutory notification duty. Review your vendor agreements now to ensure they require prompt disclosure to you so you can meet your own deadlines.
Primary sources
- Digital Personal Data Protection Act, 2023 — India Code (indiacode.nic.in): the authoritative text of the Act, including the definitions and Section 8(6) notification obligation.
- Ministry of Electronics and Information Technology (MeitY) — meity.gov.in: the nodal ministry responsible for notifying the DPDP Rules, 2025 and publishing official guidance.
- Press Information Bureau (pib.gov.in): official government press releases on the notification of the DPDP Rules on 14 November 2025.
Written by Editorial Team, The Courtroom · Last verified 2026-07-09
This article is for general information only and is not legal advice. Laws change; verify against the primary sources cited and consult a qualified advocate for your situation.



