What is the DPDP breach notification 72-hour rule in India?
Indian Data Fiduciaries should notify the Data Protection Board of India within 72 hours of confirming a personal data breach (without undue delay under Section 8), and many operators must also report to CERT-In within 6 hours under the IT Rules.
The 72-hour window is the operational standard cited in DPDP Rules discussions and enterprise runbooks—document discovery time, containment, and notification timestamps.
Parallel CERT-In obligations apply to many internet-facing businesses; do not conflate DPBI and CERT-In templates.
Complynz breach templates and consulting engagements include dual-track notification workflows.
Related Act sections
Tools & resources
Back to Complete DPDP Guide | All DPDP FAQs
DPDP implementation support
- Gap assessment & remediation roadmap (INR 49,999+)
- Breach runbook & DPBI templates
- SDF / DPO / DPIA programs