In This Article
What Auditors Focus On
When assessing DPDPA breach response capability, auditors verify that you can actually execute the 72-hour notification requirement. They look beyond documentation to evidence of operational readiness.
Auditor Perspective
Auditors ask: "If a breach occurred tonight, could this organisation detect it, contain it, and notify the Board within 72 hours?" Documentation alone does not answer this question.
Key Assessment Questions
- Is there a documented, approved breach response plan?
- Are roles and responsibilities clearly defined?
- Are contact details current and accessible 24/7?
- Has the plan been tested?
- Are notification templates ready?
- Is there a breach register (even if empty)?
- Can staff articulate their roles?
Runbook Structure
An audit-ready breach response runbook should include:
Section 1: Overview and Scope
- Purpose and objectives
- Definition of personal data breach
- Scope (what types of incidents are covered)
- Relationship to other incident response procedures
- Document ownership and review schedule
Section 2: Roles and Responsibilities
| Role | Responsibilities | Proof Point |
|---|---|---|
| Incident Commander | Overall coordination, decision authority, external communications approval | Named individual, contact details, backup identified |
| Privacy Lead | Regulatory assessment, notification drafting, principal communications | Named individual, DPDP knowledge demonstrated |
| Technical Lead | Containment, investigation, evidence preservation | Named individual, technical capability verified |
| Legal Counsel | Legal advice, notification review, regulatory liaison | Internal or external counsel identified, engagement letter |
| Communications Lead | Internal communications, media (if needed), principal notifications | Named individual, templates ready |
Section 3: Detection and Escalation
- Sources of breach detection (technical alerts, user reports, third-party notification)
- Initial triage criteria
- Escalation triggers and paths
- 24/7 contact mechanism
Section 4: Response Phases
- Phase 1 (0-4 hours): Confirmation, team activation, initial assessment
- Phase 2 (4-24 hours): Containment, scope determination, evidence preservation
- Phase 3 (24-72 hours): Investigation, notification preparation, Board notification
- Phase 4 (72+ hours): Principal notification, remediation, recovery
- Phase 5 (Post-incident): Root cause analysis, lessons learned, improvements
Section 5: Notification Procedures
- Board notification process (Form DPB-1)
- Principal notification criteria and process
- Processor notification (if you are a processor)
- Other notifications (regulators, partners, media)
Section 6: Templates and Tools
- Board notification template
- Principal notification templates
- Internal escalation forms
- Investigation checklist
- Timeline tracker
Section 7: Appendices
- Contact list (current)
- External resources (forensics, legal, PR)
- Relevant policies referenced
- Form templates
Proof Points by Phase
Detection Proof Points
- Security monitoring configuration documentation
- Alert rules for potential data breaches
- Sample alerts from monitoring system
- User reporting channel (screenshot/documentation)
- Third-party notification receipt process
Escalation Proof Points
- Escalation criteria documented
- Contact list current (verified within 90 days)
- 24/7 contact mechanism tested
- Backup contacts identified
- Escalation time targets defined
Response Proof Points
- Response team roster with current details
- Authority to act documented
- Technical containment capabilities
- Forensic capability (internal or external)
- Evidence preservation procedures
Notification Proof Points
- Board notification template ready
- Data Protection Board contact details known
- Principal notification templates (multiple scenarios)
- Principal contact data accessible
- Mass notification capability
Required Templates
Board Notification Template (Form DPB-1)
Pre-populated template with:
- Organisation details (static)
- Contact person details (static)
- Placeholder sections for breach-specific information
- Guidance notes for completion
- Submission instructions
Principal Notification Templates
Prepare templates for common scenarios:
- Credential compromise
- Payment data breach
- General personal data exposure
- Ransomware affecting personal data
- Third-party processor breach
Internal Templates
- Initial incident report form
- Escalation notification
- Team briefing template
- Timeline tracker
- Post-incident report
Testing and Exercises
Auditors look for evidence that breach response has been tested:
Tabletop Exercises
- Scenario-based discussion exercise
- At least annually (more frequent for high-risk)
- Involving key response team members
- Documented exercise records
Exercise Documentation
- Exercise date and participants
- Scenario used
- Issues identified
- Improvements recommended
- Action items and completion status
Sample Tabletop Scenario
"It is 10 PM Friday. Your security team receives an alert that a database containing customer personal data has been accessed by an unknown IP address. Initial investigation suggests approximately 50,000 customer records may have been exposed, including names, email addresses, phone numbers, and encrypted passwords. The attack vector appears to be a compromised employee credential. Walk through your response."
Exercise Frequency
| Risk Level | Minimum Frequency | Recommended |
|---|---|---|
| High (SDF or sensitive data) | Annual | Semi-annual |
| Medium | Annual | Annual |
| Low | Biennial | Annual |
Common Audit Gaps
These gaps frequently result in audit findings:
Documentation Gaps
- No documented breach response plan
- Plan exists but not approved
- Plan not reviewed in over 12 months
- Missing role assignments
Contact List Gaps
- Contact details out of date
- No 24/7 contact mechanism
- No backup contacts
- External resources not pre-engaged
Template Gaps
- No Board notification template
- Templates not aligned with current regulations
- Principal notification templates missing
- Templates not reviewed by legal
Testing Gaps
- No evidence of testing ever conducted
- Testing more than 18 months ago
- Key personnel not involved in testing
- No follow-up on exercise findings
Register Gaps
- No breach register maintained
- Near-misses not tracked
- No lessons learned documentation
Quick Fix for Empty Breach Register
Even if you have had no breaches, maintain a breach register that documents: "No personal data breaches occurred during [period]." This demonstrates you are tracking and would record if breaches occurred.