Breach Response Overview

The DPDP Act requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches, and to notify the Data Protection Board and affected data principals when breaches occur.

Key Timelines

Board Notification: Within 72 hours of becoming aware of the breach.
Principal Notification: Without undue delay after breach containment, where harm is likely.

What is a Personal Data Breach?

A personal data breach under DPDP includes:

Types of Breaches

  • Confidentiality Breach: Unauthorised disclosure of, or access to, personal data
  • Integrity Breach: Unauthorised alteration of personal data
  • Availability Breach: Loss or destruction of personal data

Examples

  • Hacking or cyber attack exposing personal data
  • Accidental email sent to wrong recipients
  • Lost or stolen device containing personal data
  • Malware or ransomware affecting personal data
  • Insider theft or unauthorised access
  • Misconfigured database exposing data publicly
  • Physical theft of documents containing personal data

What is NOT a Breach (generally)

  • Unsuccessful hacking attempts (if no data accessed)
  • System downtime without data loss
  • Authorised access to personal data
  • Scheduled data deletion

Response Phases

Phase 1: Detection and Assessment (0-4 hours)

  • Confirm breach has occurred
  • Activate incident response team
  • Begin initial assessment
  • Determine scope (systems, data, principals affected)
  • Document discovery time (this starts the 72-hour clock)

Phase 2: Containment (4-24 hours)

  • Stop ongoing breach (isolate systems, revoke access)
  • Preserve evidence for investigation
  • Prevent further data exposure
  • Assess whether personal data was actually accessed/exfiltrated

Phase 3: Investigation (24-72 hours)

  • Determine root cause
  • Identify all data affected
  • Identify all principals affected
  • Assess potential harm to principals
  • Prepare notification to Board

Phase 4: Notification (Within 72 hours)

  • Submit notification to Data Protection Board
  • Assess need for principal notification
  • Prepare principal communications

Phase 5: Recovery (Post-72 hours)

  • Complete remediation
  • Restore systems to secure state
  • Notify affected principals
  • Monitor for further impact

Phase 6: Post-Incident (2-4 weeks)

  • Conduct post-incident review
  • Implement lessons learned
  • Update controls to prevent recurrence
  • Document for future reference

Notifying the Data Protection Board

Who Must Notify

  • The Data Fiduciary (not the processor)
  • Processors must notify their Data Fiduciary

When to Notify

  • Within 72 hours of becoming aware of the breach
  • "Aware" means when you have reasonable certainty a breach has occurred
  • Clock starts when breach is confirmed, not when investigation is complete

What to Include (Form DPB-1)

  • Name and contact details of Data Fiduciary
  • Nature of the personal data breach
  • Categories of personal data affected
  • Approximate number of data principals affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Measures taken or proposed to mitigate harm
  • Name and contact of person for further information

If Information Incomplete

  • Submit what you know within 72 hours
  • Provide additional information in phases
  • Explain why information is incomplete
  • Commit to providing updates

Notifying Data Principals

When to Notify Principals

Notify affected data principals when the breach is likely to result in harm to them, considering:

  • Nature and sensitivity of data breached
  • Risk of identity theft, fraud, or financial loss
  • Risk of reputational harm or discrimination
  • Whether data was encrypted/protected
  • Whether breach has been contained

Timing

  • Without undue delay after breach is contained
  • Prioritise notification where harm is imminent
  • Do not delay unreasonably to avoid embarrassment

What to Include

  • Description of the breach (in plain language)
  • Types of personal data affected
  • Steps being taken to address the breach
  • What the principal should do to protect themselves
  • Contact for further information

How to Notify

  • Direct communication (email, SMS, letter) preferred
  • Public notice only if direct communication not feasible
  • Use principal's preferred language where known
  • Ensure message is clear and actionable

Notification Timeline

Time          Action                                        Responsible
------------  --------------------------------------------  -------------------------------------
T+0           Breach detected/reported                      Detector (staff, system, third party)
T+1 hour      Initial triage and confirmation               IT Security / Privacy Team
T+4 hours     Containment initiated; scope assessed         Incident Response Team
T+24 hours    Investigation underway; draft notification    Privacy Lead / Legal
T+48 hours    Notification reviewed and approved            Executive / DPO
T+72 hours    Notification submitted to Board               Privacy Lead
T+72+ hours   Principal notifications sent                  Communications / Privacy
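
As an added illustration (not part of this guide, and not any Board-issued tooling), the following Python sketch shows how a breach register entry could track the 72-hour clock from the documented discovery time, log phased updates to the Board, and apply the harm-likelihood factors listed above to decide whether and when principals must be told. The record fields, the risk flags and the sample dates and reference number are constructed assumptions; whether harm is "likely" remains a judgement for the privacy lead, and the code only records the inputs to that judgement consistently.

```python
"""Breach register helper: 72-hour clock and principal-notification test.

Added example only; field names, risk flags and sample values are
constructed assumptions, not requirements taken from any form or rule.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Board notification window, counted from the documented discovery time.
BOARD_DEADLINE = timedelta(hours=72)


class BreachType(Enum):
    CONFIDENTIALITY = "unauthorised disclosure or access"
    INTEGRITY = "unauthorised alteration"
    AVAILABILITY = "loss or destruction"


@dataclass
class BreachRecord:
    ref: str
    discovered_at: datetime            # reasonable certainty reached; starts the clock
    breach_types: frozenset[BreachType]
    data_categories: tuple[str, ...]
    principals_estimate: int
    sensitive_data: bool               # e.g. financial, health, identity documents
    data_encrypted: bool               # protected so the data is unusable to the taker
    financial_or_identity_risk: bool   # identity theft, fraud, financial loss
    reputational_risk: bool            # reputational harm or discrimination
    contained_at: datetime | None = None
    board_notified_at: datetime | None = None
    principals_notified_at: datetime | None = None
    phased_updates: list[tuple[datetime, str]] = field(default_factory=list)

    def board_deadline(self) -> datetime:
        return self.discovered_at + BOARD_DEADLINE

    def hours_to_board_deadline(self, now: datetime) -> float:
        """Positive while time remains; negative once the window has passed."""
        return (self.board_deadline() - now).total_seconds() / 3600

    def board_notification_overdue(self, now: datetime) -> bool:
        return self.board_notified_at is None and now > self.board_deadline()

    def harm_likely(self) -> bool:
        """Gate for principal notification: protected data lowers the risk;
        otherwise any listed risk factor makes harm likely."""
        if self.data_encrypted:
            return False
        return (self.sensitive_data
                or self.financial_or_identity_risk
                or self.reputational_risk)

    def principal_notification_due(self, now: datetime) -> bool:
        """Principals are told without undue delay once containment is done."""
        return (self.harm_likely()
                and self.contained_at is not None
                and self.contained_at <= now
                and self.principals_notified_at is None)

    def record_update(self, at: datetime, note: str) -> None:
        """Phased submission: log what was sent and when, so gaps are explained."""
        self.phased_updates.append((at, note))

    def status(self, now: datetime) -> dict[str, object]:
        return {
            "ref": self.ref,
            "hours_to_board_deadline": round(self.hours_to_board_deadline(now), 1),
            "board_overdue": self.board_notification_overdue(now),
            "harm_likely": self.harm_likely(),
            "principal_notification_due": self.principal_notification_due(now),
            "updates_logged": len(self.phased_updates),
        }


def sample_record() -> BreachRecord:
    """Constructed scenario: a misconfigured database exposed unencrypted
    customer contact records; contained four hours after discovery."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(
        ref="BR-EXAMPLE-001",                     # placeholder reference
        discovered_at=t0,
        breach_types=frozenset({BreachType.CONFIDENTIALITY}),
        data_categories=("name", "email", "phone"),
        principals_estimate=12000,
        sensitive_data=False,
        data_encrypted=False,
        financial_or_identity_risk=True,
        reputational_risk=False,
        contained_at=t0 + timedelta(hours=4),
    )
    rec.record_update(t0 + timedelta(hours=24),
                      "Initial notice drafted; principal count still an estimate")
    return rec


if __name__ == "__main__":
    rec = sample_record()
    print(rec.status(datetime(2024, 1, 16, 9, 0, tzinfo=timezone.utc)))
```

The deadline is computed from the recorded discovery time rather than from the current phase, which is the point the guide makes about the clock starting at confirmation, not at the end of the investigation; the phased-update log gives the register a record of what was submitted when information was still incomplete.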

Notification Templates

Board Notification (Form DPB-1 Elements)

Your notification should address:

  1. Data Fiduciary Details: Legal name, registration number (if applicable), contact person, contact details
  2. Breach Description: Date/time discovered, date/time occurred (if known), nature of breach, how detected
  3. Data Affected: Categories of personal data, sensitivity assessment, volume of records
  4. Principals Affected: Number affected, categories of principals
  5. Impact Assessment: Likely consequences, severity assessment
  6. Response Actions: Containment measures, remediation steps, timeline
  7. Mitigation: Actions to reduce harm to principals
  8. Contact: Person for Board follow-up

Principal Notification Template

Key elements for principal communication:

  • Opening: Clear statement that a breach has occurred
  • What Happened: Brief, plain language description
  • Your Data: Specific types of their data affected
  • Our Actions: Steps taken to contain and investigate
  • Your Actions: Specific steps they should take (change passwords, monitor accounts, etc.)
  • Contact: How to reach you for questions
  • Apology: Acknowledgment and commitment to improvement

Post-Breach Actions

Immediate Follow-Up

  • Respond to Board queries promptly
  • Handle principal inquiries
  • Monitor for signs of data misuse
  • Consider credit monitoring/identity protection for principals

Root Cause Analysis

  • Conduct thorough investigation
  • Identify technical and procedural failures
  • Document findings

Remediation

  • Implement technical fixes
  • Update policies and procedures
  • Retrain affected staff
  • Verify remediation effectiveness

Lessons Learned

  • Conduct post-incident review
  • Update incident response plan
  • Share learnings across organisation
  • Consider tabletop exercises based on incident

Preparation Checklist

Prepare now to respond effectively later:

People

  • Incident response team identified and trained
  • Escalation contacts current (24/7 available)
  • External resources identified (forensics, legal, PR)
  • DPO/Privacy Lead authority to act

Process

  • Incident response plan documented
  • Breach assessment criteria defined
  • Notification templates prepared
  • Communication channels established
  • Regular tabletop exercises conducted

Technology

  • Detection and alerting capabilities
  • Forensic investigation tools
  • Data mapping to identify affected principals
  • Communication tools for mass notification

Documentation

  • Breach register (even if empty)
  • Board notification form template
  • Principal notification templates
  • Contact lists current

The time to prepare for a breach is before it happens. Organisations with tested incident response plans consistently perform better when real breaches occur.