DPDP Act Breach Notification Rules: The Complete 72-Hour and 6-Hour Guide
By Divya Oberoi | DPDP | 2025-09-05
A comprehensive guide to the dual breach notification obligations under India's DPDP Act — the 72-hour DPBI notification and the 6-hour CERT-In reporting requirement, including templates, processes, and penalties.
Understanding India's Dual Breach Notification Framework

India's breach notification regime is unusual: organisations face two parallel reporting obligations with different clocks, different authorities and different consequences for non-compliance, and the two clocks start at different moments. Understanding both is essential for any business operating in India.

The Digital Personal Data Protection (DPDP) Act, 2023 (Section 8(6)) requires a Data Fiduciary to intimate the Data Protection Board of India (DPBI) and each affected Data Principal of a personal data breach in the prescribed form and manner. The draft DPDP Rules published in January 2025 prescribe intimation without delay, with a detailed report to the Board within 72 hours of becoming aware of the breach (or such longer period as the Board allows on a written request). Separately, the CERT-In Directions of 28 April 2022, issued under Section 70B(6) of the Information Technology Act, 2000, mandate reporting of specified cyber incidents, including data breaches and data leaks, to CERT-In within 6 hours of noticing them or being informed of them.

This guide provides a complete walkthrough of both obligations, including what constitutes a reportable breach, step-by-step notification processes, reporting templates, and the penalties for non-compliance.

What Constitutes a "Personal Data Breach" Under DPDP?

The DPDP Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. The test is the effect on the data, not the attacker's intent or the route taken, so the definition covers, among other things:

External attacks — hacking, ransomware, phishing-based data exfiltration
Insider threats — unauthorised employee access, data theft by staff
Accidental exposure — misconfigured cloud storage, an email sent to the wrong recipient, unencrypted data in transit
Physical breaches — loss or theft of devices containing personal data
Vendor breaches — a Data Processor (third-party vendor) suffering a breach that affects your Data Principals' data
Ransomware events — even when data is only encrypted and not exfiltrated, the loss of access compromises availability and is therefore a breach

Obligation 1: DPBI Notification (72 Hours)

Who Must Report?
Every Data Fiduciary (any person who, alone or together with others, determines the purpose and means of processing personal data) must intimate the DPBI and each affected Data Principal. The duty does not move with the data: if your Data Processor (vendor) suffers the breach, you as the Data Fiduciary remain responsible for the notification, so processor contracts should oblige the vendor to tell you quickly enough for you to meet your own clock.

Timeline

The draft DPDP Rules split the obligation in two. On becoming aware of the breach, the Data Fiduciary must intimate the Board without delay, giving a description of the breach (its nature, extent, timing and location) and its likely impact. Within 72 hours of becoming aware (or a longer period the Board allows on written request), it must follow up with a detailed report. Neither the Act nor the Rules defines "becoming aware". A defensible reading is the point at which the organisation has reasonable certainty that a breach has occurred, not the first suspicion; record that timestamp and the evidence behind it, because it is what the 72-hour window will be measured against. Do not use this reading to sit on a strong suspicion: the preliminary intimation is due without delay, and the CERT-In clock described below runs from noticing, not from confirmation.

What to Include in the DPBI Notification

The detailed report to the Board should contain:

Nature of the breach — what happened and the type of incident (hacking, accidental disclosure, etc.), its extent, timing and location, and the events and reasons leading to it, including any findings about who caused it
Categories of data affected — names, email addresses, financial data, health data, etc.
Approximate number of Data Principals affected
Likely consequences — potential impact on affected individuals
Measures taken — steps taken to contain the breach and mitigate harm, remedial measures to prevent recurrence, and a record of the intimations sent to affected Data Principals
Contact details — DPO or designated contact person for follow-up
Remediation timeline — expected timeline for full remediation

Notification to Affected Data Principals

In addition to notifying the DPBI, Data Fiduciaries must inform each affected Data Principal without delay, through the user account or the mode of communication the Data Principal registered with them. The notice should be in clear, plain language and should include:

A description of the breach in simple terms (its nature, extent, timing and location)
What personal data was involved
The likely consequences for the individual
What steps the organisation is taking to mitigate the risk
What the individual can do to protect themselves
Contact details of a person who can answer questions on the organisation's behalf

Obligation 2: CERT-In Reporting (6 Hours)

Background

The Indian Computer Emergency Response Team (CERT-In) issued its Directions on information security practices, procedure, prevention, response and reporting of cyber incidents on 28 April 2022 under Section 70B(6) of the IT Act, 2000. They require service providers, intermediaries, data centres, body corporates and government organisations to report the cyber incidents listed in the Directions' Annexure I to CERT-In within 6 hours of noticing the incident or being informed about it.
Types of Incidents That Must Be Reported to CERT-In

The 6-hour requirement applies to a much broader set of incidents than personal data breaches; an incident can be reportable to CERT-In with no personal data involved at all. The categories include:

Targeted scanning/probing of critical networks or systems
Compromise of critical systems or information
Data breaches or data leaks
Attacks on servers and network infrastructure
Attacks on critical infrastructure and cloud computing systems
Attacks or malicious activities affecting IoT devices and systems
Attacks or incidents involving digital payment systems
Malware attacks, including ransomware
Unauthorised access to social media accounts
Identity theft, spoofing and phishing attacks

Annexure I also lists, among others, unauthorised access to IT systems or data, website defacement and denial-of-service attacks; check the full Annexure against each incident rather than assuming only "breaches" count.

How to Report to CERT-In

Reports can be submitted via:

Email — incident@cert-in.org.in
Phone — 1800-11-4949 (toll-free); fax 1800-11-6969
Online portal — the CERT-In incident reporting form on its website

Send what you know within the 6 hours and update the report as the investigation progresses; the clock does not wait for the investigation to finish.

What to Include in the CERT-In Report

Organisation name, sector, and contact details
Date and time of the incident (when noticed/informed)
Type of incident (from the prescribed categories)
Systems/networks/applications affected
Brief description of the incident
Immediate actions taken
Impact assessment (if available)

Step-by-Step Breach Response Process

Hour 0-1: Detection and Initial Containment

Confirm the breach — verify that a breach has actually occurred (not a false positive), but record the time it was first noticed, because the CERT-In clock runs from that moment rather than from confirmation
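The two obligations above have different triggers (CERT-In from noticing, DPDP from becoming aware), different scopes (CERT-In applies to incidents with no personal data at all, DPDP only to personal data breaches) and a duty that stays with the Data Fiduciary even when the breach happens at a processor. The tracker below is an added example written for this article, not a tool from the author or any regulator: it encodes the article's simplified reading of the rules in a small incident record that works out which clocks are running and when each expires. The category identifiers, the use of a "confirmed" timestamp as the DPDP trigger, and the three sample incidents are assumptions made for the example.

```python
"""Dual-clock obligation tracker for the DPDP 72-hour and CERT-In 6-hour windows.

Added illustration only: this encodes the article's simplified reading of the two
obligations, not the regulators' rules. Category names, the "confirmed" trigger
for the DPDP clock and the sample incidents are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

IST = timezone(timedelta(hours=5, minutes=30))

CERTIN_WINDOW = timedelta(hours=6)   # CERT-In Directions: 6h from noticing / being informed
DPDP_WINDOW = timedelta(hours=72)    # DPDP Rules: detailed report to the Board within 72h

# Incident categories the article lists as CERT-In reportable (a subset of Annexure I;
# these identifiers are this example's own, not CERT-In's).
CERTIN_CATEGORIES: Set[str] = {
    "targeted_scanning", "critical_system_compromise", "data_breach", "data_leak",
    "server_network_attack", "critical_infra_cloud_attack", "iot_attack",
    "digital_payment_incident", "malware_ransomware", "social_media_account_access",
    "identity_theft_phishing",
}

# A DPDP personal data breach is anything that compromises one of these properties.
DPDP_PROPERTIES: Set[str] = {"confidentiality", "integrity", "availability"}


@dataclass
class Incident:
    ref: str
    category: str
    first_noticed: datetime                # starts the CERT-In clock
    confirmed: Optional[datetime] = None   # "becoming aware" (reasonable certainty); starts the DPDP clock
    personal_data_impact: Set[str] = field(default_factory=set)  # subset of DPDP_PROPERTIES
    via_processor: bool = False            # breach occurred at a Data Processor (vendor)


@dataclass
class Obligation:
    authority: str
    trigger: Optional[datetime]
    deadline: Optional[datetime]
    note: str


def is_personal_data_breach(inc: Incident) -> bool:
    return bool(inc.personal_data_impact & DPDP_PROPERTIES)


def obligations(inc: Incident) -> List[Obligation]:
    """Return the reporting obligations an incident triggers, with their deadlines."""
    out: List[Obligation] = []
    # CERT-In: a listed category, or any personal data breach (Annexure I lists data
    # breaches and data leaks). The clock runs from noticing, so it starts before confirmation.
    if inc.category in CERTIN_CATEGORIES or is_personal_data_breach(inc):
        out.append(Obligation("CERT-In", inc.first_noticed, inc.first_noticed + CERTIN_WINDOW,
                              "6h from noticing or being informed; report what is known, update later"))
    # DPDP: only when personal data is affected. The Data Fiduciary owns this even when
    # the breach happened at its processor.
    if is_personal_data_breach(inc):
        owner = ("Data Fiduciary (processor breach does not shift the duty)"
                 if inc.via_processor else "Data Fiduciary")
        if inc.confirmed is None:
            out.append(Obligation("DPBI + Data Principals", None, None,
                                  f"{owner}: clock starts on becoming aware; not yet confirmed"))
        else:
            out.append(Obligation("DPBI + Data Principals", inc.confirmed, inc.confirmed + DPDP_WINDOW,
                                  f"{owner}: intimate without delay, detailed report within 72h"))
    return out


def status(inc: Incident, now: datetime) -> Dict[str, str]:
    """Summarise each obligation as pending, due-in or overdue at time `now`."""
    summary: Dict[str, str] = {}
    for ob in obligations(inc):
        if ob.deadline is None:
            summary[ob.authority] = "pending: clock not started"
        elif now > ob.deadline:
            summary[ob.authority] = f"OVERDUE by {now - ob.deadline}"
        else:
            summary[ob.authority] = f"due in {ob.deadline - now}"
    return summary


def sample_incidents() -> List[Incident]:
    """Constructed scenarios (not real incidents) covering the article's edge cases."""
    t0 = datetime(2025, 9, 5, 9, 0, tzinfo=IST)
    return [
        # Ransomware at a vendor, nothing exfiltrated: loss of access is an availability
        # breach, and the fiduciary, not the processor, must notify the DPBI.
        Incident("INC-001", "malware_ransomware", first_noticed=t0,
                 confirmed=t0 + timedelta(hours=20),
                 personal_data_impact={"availability"}, via_processor=True),
        # Probing of a critical network with no personal data touched: CERT-In only.
        Incident("INC-002", "targeted_scanning", first_noticed=t0),
        # Customer list emailed to the wrong recipient: a DPDP breach that CERT-In also
        # treats as a data leak, even though "accidental_disclosure" is not a listed category.
        Incident("INC-003", "accidental_disclosure", first_noticed=t0, confirmed=t0,
                 personal_data_impact={"confidentiality"}),
    ]


if __name__ == "__main__":
    for inc in sample_incidents():
        print(inc.ref, status(inc, now=datetime(2025, 9, 5, 21, 0, tzinfo=IST)))
```

The two trigger timestamps are stored separately on purpose: in the ransomware scenario the CERT-In window has closed long before the team reaches reasonable certainty about the personal data impact, which is exactly the failure mode of a runbook that starts one clock at "confirmation".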