DPDP breach notification works on two clocks that start the moment you become aware of a personal data breach. Under Rule 7 of the DPDP Rules, 2025, you must notify every affected Data Principal without delay, and notify the Data Protection Board of India without delay, followed by a detailed report within 72 hours. A third, separate clock runs in parallel: the CERT-In Directions require reporting cybersecurity incidents within six hours. There is no minimum threshold, the clock runs continuously through nights and weekends, and the penalty for getting it wrong reaches ₹200 crore.

If you take one thing from this article: the time to build your breach response is now, not at hour one of an actual incident.

What counts as a personal data breach

The DPDP Act defines a personal data breach broadly. It is any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to it, that compromises the confidentiality, integrity or availability of that personal data. A leaked database is a breach. So is ransomware that locks you out of your own data (availability). So is a misconfigured bucket exposed for two days, or one employee account compromised by a phishing link where that account could reach personal data. The test is whether the confidentiality, integrity or availability of personal data was compromised, not how the compromise happened or whether anyone has yet misused the data.

There is no severity threshold. A breach affecting one person carries the same notification duty as a breach affecting one million.

When the clock starts

The clock does not start when the breach happened. It starts when you become aware of it, and it runs in calendar hours, continuously, including weekends and public holidays. If your security team becomes aware of a breach at 6 PM on a Friday, the detailed Board report is due by 6 PM on Monday. Treat the first credible alert as the moment of awareness, not the point at which forensics confirms the breach: the Rules say "becoming aware", and if a regulator later decides you were aware earlier than you logged, the deadline moves against you, not in your favour.

This single fact reshapes how you have to operate. Breach readiness cannot be a business-hours function. The escalation path, the templates and the decision-makers all have to be reachable around the clock.

The two notifications you owe under Rule 7

1. To affected Data Principals, without delay

The moment you become aware, you must notify each affected individual, in concise, clear and plain language, through their user account or any channel they registered with you (email, SMS, app notification). The notice must cover:

  • A description of the breach: its nature, extent, time and location of occurrence.
  • The likely consequences for that individual.
  • The measures you have taken or are taking to mitigate the risk.
  • The steps the individual can take to protect themselves.
  • Business contact details for someone who can answer their questions.

“Without delay” means what it says. You do not wait for the forensic report to finish. You notify on a best-knowledge basis and follow up as you learn more.

2. To the Data Protection Board, in two stages

First, an initial intimation without delay: a description of the breach covering its nature, extent, time and location of occurrence, and its likely impact. This is the alarm bell that lets the Board act if it needs to. Send it on a best-knowledge basis; the detailed report exists to correct and complete it.

Then, a detailed report within 72 hours of awareness, or within such longer period as the Board allows on a written request. The detailed report must include:

  • Updated and detailed information on the nature, extent, time, location and likely impact that you gave in the initial intimation.
  • The broad facts, circumstances and causes of the breach.
  • The mitigation measures taken and proposed.
  • Findings on the person who caused the breach, if known.
  • The remedial steps taken to prevent a recurrence.
  • A report on the intimations you gave to affected Data Principals.

Breach notification under DPDP is not a one-and-done filing. The detailed report has to update what you told the Board at hour zero, the Board can call for further information, and your duty to correct the record continues as the facts firm up and until the matter is remediated.

Do not forget the CERT-In six-hour clock

Here is the part that catches well-prepared teams off guard. The CERT-In Directions of 28 April 2022, issued under Section 70B(6) of the Information Technology Act, 2000, require organisations to report cybersecurity incidents, including data breaches and data leaks, to the Indian Computer Emergency Response Team within six hours of noticing them or being told about them. That is a completely separate obligation, owed to a separate regulator, with its own penalty framework under Section 70B. It does not replace your DPDP duties, and your DPDP duties do not replace it.

So a single incident can trigger three filings on three clocks. Here is how they compare.

  Obligation                Recipient                  Deadline          Trigger
  CERT-In incident report   CERT-In                    Within 6 hours    Noticing, or being told of, a cyber incident
  DPDP initial intimation   Data Protection Board      Without delay     Awareness of the breach
  DPDP detailed report      Data Protection Board      Within 72 hours   Awareness of the breach
  DPDP user notice          Affected Data Principals   Without delay     Awareness of the breach

One more thing on vendors. If a Data Processor suffers the breach, the duty to notify the Board and individuals still rests with you, the Data Fiduciary; Rule 7 is addressed to the fiduciary, not the processor. That is why your processing contracts must require the processor to alert you immediately, with enough detail (what data, whose, when, and how it was compromised) for you to make your own filings on time, and why the processor's own deadline to tell you should be measured in hours, not days.

Your hour-by-hour playbook

When an incident lands, work this sequence. It is built so the tightest clock (CERT-In, six hours) is never the thing you forget.

  1. Detect and triage. Verify it is a genuine breach, but record the time of the first credible alert: assume a regulator will treat that, not the end of your verification, as the moment you became aware, and every clock below runs from it.
  2. Activate the response team. Security lead, legal lead, communications lead, and a board-level escalation contact. One named owner per task.
  3. Contain. Stop the bleeding: revoke access, isolate systems, rotate credentials.
  4. File the CERT-In report (by hour 6). On best-knowledge basis if needed; a partial report now beats a perfect report late.
  5. Send the Board’s initial intimation. Nature, extent, timing, location, likely impact. Keep it factual and concise.
  6. Scope the impact. Determine whose data was affected and through which purposes. This is where a clean consent and data map saves you days.
  7. Notify affected Data Principals. As soon as you can give meaningful information. Do not wait until hour 71.
  8. Investigate. Root cause, full scope, attack vector, timeline, exfiltration versus exposure.
  9. File the Board’s detailed report (by hour 72). Cover all required elements, including a summary of the user notices you sent.
  10. Follow up. Send a second update to users when the investigation closes. Silence after the first notice reads as a cover-up.

Build this before the clock ever starts

None of the above is achievable from a standing start. The single most useful pre-breach investment is a centralised, queryable record of whose data you hold and why, so that at hour two you can answer “who is affected and how do we reach them” in minutes rather than days.

Have these in place now:

  • A cross-functional incident response team with named owners and 24/7 reachability.
  • Pre-drafted templates for CERT-In, the Board (initial and detailed, separately), and affected users.
  • A consolidated consent ledger and data map that ties individuals to purposes.
  • Processor contracts that require immediate breach notification to you.
  • At least one tabletop rehearsal, run against the clock, before May 2027.

What it costs to get this wrong

Failure to notify a breach to the Board or to affected Data Principals attracts a penalty of up to ₹200 crore. If inadequate security safeguards allowed the breach in the first place, that is a separate failure carrying up to ₹250 crore. Both can be imposed from a single incident. The Data Protection Board sets the amount after inquiry, weighing the nature, gravity and duration of the breach, the type of personal data affected, whether it is a repeat, any gain you realised or loss you avoided, and whether the mitigating action you took was timely and effective. The playbook above is your evidence on that last point.

Where this fits in your wider compliance

Breach notification is one line on a longer list. See the full DPDP compliance checklist for the rest, and the DPDP Act explained for the foundations. To see how ready you are to meet the 72-hour clock today, take the free Axiom DPDP readiness assessment, or have Axiom’s DPDP compliance service build your response plan with you.

FAQs

What is the DPDP breach notification timeline?

Two clocks run from the moment you become aware. You must notify affected Data Principals without delay, and notify the Data Protection Board with an initial intimation without delay, followed by a detailed report within 72 hours (extendable only on written request to the Board). Separately, CERT-In requires a cyber-incident report within six hours.

Do I have to report every breach, even small ones?

Yes. The DPDP Rules set no minimum threshold. A breach affecting a single individual carries the same duty to notify both that person and the Board as a breach affecting millions. Whether the Board acts on a minor incident is its call, but the notification duty is yours regardless.

When does the 72-hour clock start?

When you become aware of the breach, not when it occurred. The window runs in continuous calendar hours, including nights, weekends and public holidays. Awareness at 6 PM on Friday means the detailed Board report is due by 6 PM on Monday.

Can I get an extension on the 72-hour report?

Yes, but it is not automatic. Rule 7 lets you submit a written request to the Board for a longer period, and the Board may allow it; the extension is at the Board's discretion, not your entitlement. If complex forensics make the window genuinely unworkable, request the extension early, in writing and with reasons, rather than missing the deadline in silence.

What if the breach happened at my vendor, not me?

The duty to notify the Board and affected individuals rests with you as the Data Fiduciary; Rule 7 places no direct notification duty on the Data Processor. The processor's obligation to tell you comes from your contract, so make sure your processing contracts require immediate notification with enough detail for you to meet your own filing deadlines.

See where you actually stand

The free Axiom DPDP readiness assessment turns this guide into your number, your gaps, and your next move, in a few minutes.
