Understanding India's Dual Breach Notification Framework
India's data breach notification regime is unusual: organisations face two parallel reporting obligations with different timelines, different authorities, and different consequences for non-compliance. Understanding both is essential for any business operating in India.
The Digital Personal Data Protection (DPDP) Act requires notification to the Data Protection Board of India (DPBI) and affected data principals within 72 hours of becoming aware of a personal data breach. Simultaneously, the CERT-In Cyber Security Directions (April 2022) mandate reporting cyber incidents — including data breaches — to CERT-In within 6 hours.
This guide provides a complete walkthrough of both obligations, including what constitutes a reportable breach, step-by-step notification processes, reporting templates, and the penalties for non-compliance.
What Constitutes a "Personal Data Breach" Under DPDP?
The DPDP Act defines a personal data breach broadly as any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.
This includes, but is not limited to:
- External attacks — Hacking, ransomware, phishing-based data exfiltration
- Insider threats — Unauthorised employee access, data theft by staff
- Accidental exposure — Misconfigured cloud storage, accidental email to wrong recipient, unencrypted data in transit
- Physical breaches — Loss or theft of devices containing personal data
- Vendor breaches — Data processor (third-party vendor) experiencing a breach affecting your data principals' data
- Ransomware events — Even if data is encrypted (not exfiltrated), loss of access constitutes a breach
Obligation 1: DPBI Notification (72 Hours)
Who Must Report?
Every Data Fiduciary (the organisation that determines the purpose and means of processing personal data) must report a personal data breach to the DPBI. If your data processor (vendor) suffers a breach, you as the Data Fiduciary are still responsible for the notification.
Timeline
Notification must be made to the DPBI within 72 hours of becoming aware of the breach. "Becoming aware" means the point at which the organisation has reasonable certainty that a breach has occurred — not when it was first suspected.
What to Include in the DPBI Notification
The notification should contain:
- Nature of the breach — What happened, what type of incident (hacking, accidental disclosure, etc.)
- Categories of data affected — Names, email addresses, financial data, health data, etc.
- Approximate number of data principals affected
- Likely consequences — Potential impact on affected individuals
- Measures taken — Steps taken to contain the breach and mitigate harm
- Contact details — DPO or designated contact person for follow-up
- Remediation timeline — Expected timeline for full remediation
Notification to Affected Data Principals
In addition to notifying the DPBI, Data Fiduciaries must also inform affected data principals about the breach. The notification to individuals should be in clear, plain language and should include:
- Description of the breach in simple terms
- What personal data was involved
- What steps the organisation is taking
- What the individual can do to protect themselves
- Contact details for further information
Obligation 2: CERT-In Reporting (6 Hours)
Background
The Indian Computer Emergency Response Team (CERT-In) issued Directions on Information Security Practices in April 2022, which mandate reporting of specified cyber security incidents within 6 hours of noticing the incident or being informed about it.
Types of Incidents That Must Be Reported to CERT-In
The 6-hour reporting requirement applies to a broader range of incidents than just personal data breaches:
- Targeted scanning/probing of critical networks or systems
- Compromise of critical systems or information
- Data breaches or data leaks
- Attacks on servers and network infrastructure
- Attacks on critical infrastructure and cloud computing systems
- Attacks or malicious activities affecting IoT devices and systems
- Attacks or incidents involving digital payment systems
- Malware attacks including ransomware
- Unauthorised access to social media accounts
- Identity theft, spoofing, and phishing attacks
How to Report to CERT-In
Reports can be submitted via:
- Email — incident@cert-in.org.in
- Phone — 1800-11-4949 (toll-free)
- Online portal — CERT-In incident reporting portal
What to Include in the CERT-In Report
- Organisation name, sector, and contact details
- Date and time of the incident (when noticed/informed)
- Type of incident (from the prescribed categories)
- Systems/networks/applications affected
- Brief description of the incident
- Immediate actions taken
- Impact assessment (if available)
Step-by-Step Breach Response Process
Hour 0-1: Detection and Initial Containment
- Confirm the breach — Verify that a breach has actually occurred (not a false positive).
- Activate the incident response team — Notify IT Security, Legal, DPO, and senior management.
- Contain the breach — Isolate affected systems, revoke compromised credentials, block malicious IPs.
- Preserve evidence — Ensure forensic evidence is not destroyed during containment.
Hour 1-6: CERT-In Notification
- Prepare CERT-In report — Compile available information about the incident.
- Submit to CERT-In — File the report via email, phone, or online portal within 6 hours.
- Document submission — Record the submission timestamp and acknowledgement.
Hour 6-72: Investigation, DPBI Notification, and Data Principal Communication
- Conduct detailed investigation — Determine scope, categories of data affected, number of individuals impacted.
- Prepare DPBI notification — Compile comprehensive notification with all required details.
- Submit to DPBI — File notification within 72 hours of becoming aware of the breach.
- Notify affected data principals — Send clear, plain-language notifications to affected individuals.
- Continue containment and remediation — Implement permanent fixes for the vulnerability exploited.
Post-72 Hours: Remediation and Review
- Complete root cause analysis — Identify the underlying vulnerability or process failure.
- Implement corrective measures — Fix the root cause and strengthen controls.
- Update breach documentation — Complete the breach register with final details.
- Provide follow-up reports — Submit supplementary information to DPBI and CERT-In as investigation progresses.
- Conduct lessons-learned review — Update incident response plans based on findings.
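As an added example (not part of the original guide), the following Python breach-register helper tracks the two clocks described in the process above: the CERT-In window runs from when the incident was noticed, the DPBI and data-principal window from when the breach was confirmed, and the latter applies only when personal data is involved. It also checks a draft DPBI notification against the seven items listed earlier; the field names and sample incidents are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows as the guide states them: CERT-In within 6 hours of noticing or being
# informed of an incident; DPBI and affected data principals within 72 hours of
# becoming aware (reasonable certainty) of a personal data breach.
CERT_IN_WINDOW = timedelta(hours=6)
DPBI_WINDOW = timedelta(hours=72)

# The seven items the guide lists for a DPBI notification (assumed field names).
DPBI_REQUIRED_FIELDS = (
    "nature_of_breach", "data_categories", "approx_principals_affected",
    "likely_consequences", "measures_taken", "contact_details",
    "remediation_timeline",
)

@dataclass
class BreachRecord:
    incident_id: str
    noticed_at: datetime                 # first noticed, or reported to us
    aware_at: Optional[datetime]         # breach confirmed; None while only suspected
    personal_data_involved: bool         # True -> DPDP obligations apply as well
    dpbi_notification: Dict[str, str] = field(default_factory=dict)

def deadlines(rec: BreachRecord) -> Dict[str, datetime]:
    """Which clocks are running for this record, and when each one expires."""
    due = {"cert_in": rec.noticed_at + CERT_IN_WINDOW}
    if rec.personal_data_involved and rec.aware_at is not None:
        due["dpbi"] = rec.aware_at + DPBI_WINDOW
        due["data_principals"] = rec.aware_at + DPBI_WINDOW
    return due

def overdue(rec: BreachRecord, now: datetime) -> List[str]:
    """Obligations whose window has already closed at `now`, sorted by name."""
    return sorted(name for name, due in deadlines(rec).items() if now > due)

def missing_dpbi_fields(rec: BreachRecord) -> List[str]:
    """Required DPBI items still empty in the draft notification."""
    return [f for f in DPBI_REQUIRED_FIELDS if not rec.dpbi_notification.get(f)]

# Constructed sample records (not real incidents).
UTC = timezone.utc
PHISHING_EXFIL = BreachRecord(
    "INC-2024-001", noticed_at=datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
    aware_at=datetime(2024, 3, 1, 14, 0, tzinfo=UTC), personal_data_involved=True,
    dpbi_notification={"nature_of_breach": "phishing-based exfiltration",
                       "data_categories": "names, email addresses"},
)
PORT_SCAN = BreachRecord(  # targeted probing: CERT-In clock only
    "INC-2024-002", noticed_at=datetime(2024, 3, 2, 1, 30, tzinfo=UTC),
    aware_at=None, personal_data_involved=False,
)
```

Note that a record whose `aware_at` is still `None` carries only the CERT-In deadline; the 72-hour clock starts at the confirmation timestamp, not at first suspicion.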
Penalties for Non-Compliance
DPDP Act Penalties
Failure to notify the DPBI of a personal data breach can attract penalties of up to ₹200 crores (approximately $24 million USD). The actual penalty amount depends on the severity, number of affected individuals, and the organisation's cooperation with the Board.
CERT-In Non-Compliance
Failure to report incidents to CERT-In within 6 hours can result in penalties under the Information Technology Act, 2000, including imprisonment of up to one year and/or fines. CERT-In also has the authority to issue binding directions to non-compliant organisations.
Building a Breach-Ready Organisation
Preparing for a breach before it happens dramatically improves response effectiveness. Key preparedness measures include:
- Incident Response Plan — Document and regularly test your breach response procedures.
- Response Team — Designate team members from IT, Legal, Communications, and leadership.
- Communication Templates — Pre-draft notification templates for DPBI, CERT-In, and data principals.
- Tabletop Exercises — Conduct simulated breach scenarios quarterly.
- Vendor Agreements — Ensure vendor contracts require immediate breach notification to you.
- Breach Register — Maintain a log of all breaches (even minor ones) for audit purposes.
Tools like the Complynz DPDP assessment can help identify gaps in your breach response readiness, while the platform's breach response workflows help automate notification timelines and track remediation actions. Start with a DPDP compliance scan to assess your current breach preparedness posture.