When a personal data breach occurs, the clock starts immediately. India's DPDP Act imposes strict notification obligations — to the Data Protection Board and to affected individuals. Without a tested response plan, organisations face both reputational catastrophe and penalties up to ₹250 crore. Be ready before it happens.
The DPDP Act defines a personal data breach broadly — any incident that leads to accidental or unlawful destruction, loss, or alteration of personal data, or to unauthorised disclosure of, or access to, personal data. These six categories are the most common triggers.
Every minute from detection to containment matters. Follow this six-phase playbook to respond correctly — and meet every DPDP notification obligation.
The moment a potential incident is identified — by monitoring systems, staff reports, or external notification — triage begins. Establish whether personal data has been exposed, lost, or altered; how it happened; and which systems and data are affected.
Prevent the breach from spreading. Apply immediate technical controls to stop ongoing unauthorised access or data exfiltration, while preserving evidence for investigation and regulatory reporting.
Conduct a thorough assessment of the breach — identifying exactly what personal data was exposed, how many data principals are affected, and the likely harm to those individuals. This assessment drives notification decisions.
Meet the DPDP Act's notification obligations — reporting to the Data Protection Board within 72 hours and notifying affected data principals as soon as possible. Accuracy and completeness are critical — late or inaccurate notifications attract additional penalties.
Restore affected systems and data from clean backups, implement remediation measures to close the vulnerability exploited, and validate that no residual attacker presence remains in the environment.
Conduct a formal post-breach review to understand root cause, assess response effectiveness, update the breach response plan, and implement systemic improvements to prevent recurrence. Document everything for the DPB.
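The six phases above map naturally onto an incident timeline that a response team keeps as evidence. The following tracker is an added example written for this page, not KavachOne's tooling: it records each phase in the playbook's order, refuses out-of-order or non-chronological entries, blocks DPB notification until the assessment phase is complete, computes the 72-hour DPB deadline and reports whether it is open, overdue, or met. Two assumptions are labelled in the code: the 72-hour window is counted from the moment of detection (the page states the window but not its start), and the incident id and timeline values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# The six playbook phases, in the order the playbook requires them.
PHASES = ("triage", "contain", "assess", "notify", "recover", "review")

# Assumption: the 72-hour DPB reporting window is counted from detection.
DPB_WINDOW = timedelta(hours=72)


@dataclass
class PhaseEntry:
    phase: str
    at: datetime
    note: str  # what was done, retained as evidence for the post-breach review


@dataclass
class BreachIncident:
    incident_id: str
    detected_at: datetime
    timeline: list = field(default_factory=list)
    dpb_notified_at: Optional[datetime] = None
    principals_notified_at: Optional[datetime] = None

    def dpb_deadline(self) -> datetime:
        return self.detected_at + DPB_WINDOW

    def completed_phases(self) -> list:
        return [e.phase for e in self.timeline]

    def record(self, phase: str, at: datetime, note: str) -> None:
        """Append a phase to the timeline, enforcing playbook order and chronology."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        if len(self.timeline) == len(PHASES):
            raise ValueError("all phases already recorded")
        expected = PHASES[len(self.timeline)]
        if phase != expected:
            raise ValueError(f"{phase!r} recorded before {expected!r}")
        last = self.timeline[-1].at if self.timeline else self.detected_at
        if at < last:
            raise ValueError("timeline must be chronological")
        if phase == "notify" and self.dpb_notified_at is None:
            raise ValueError("record the DPB notification before closing the notify phase")
        self.timeline.append(PhaseEntry(phase, at, note))

    def notify_dpb(self, at: datetime) -> None:
        # The assessment drives the notification, so it must be complete first.
        if "assess" not in self.completed_phases():
            raise ValueError("assessment must be recorded before notifying the DPB")
        self.dpb_notified_at = at

    def notify_principals(self, at: datetime) -> None:
        if "assess" not in self.completed_phases():
            raise ValueError("assessment must be recorded before notifying principals")
        self.principals_notified_at = at

    def hours_remaining(self, now: datetime) -> float:
        return (self.dpb_deadline() - now).total_seconds() / 3600

    def dpb_status(self, now: datetime) -> str:
        if self.dpb_notified_at is not None:
            return "reported_on_time" if self.dpb_notified_at <= self.dpb_deadline() else "reported_late"
        return "overdue" if now > self.dpb_deadline() else "open"

    def evidence_record(self, now: datetime) -> dict:
        """Summary a team would retain for the DPB and the post-breach review."""
        fmt = lambda d: d.isoformat() if d else None
        return {
            "incident_id": self.incident_id,
            "detected_at": fmt(self.detected_at),
            "dpb_deadline": fmt(self.dpb_deadline()),
            "dpb_status": self.dpb_status(now),
            "dpb_notified_at": fmt(self.dpb_notified_at),
            "principals_notified_at": fmt(self.principals_notified_at),
            "phases": [(e.phase, fmt(e.at), e.note) for e in self.timeline],
        }


def worked_example() -> BreachIncident:
    """Constructed timeline (placeholder id and times) used to exercise the tracker."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    inc = BreachIncident("INC-EXAMPLE-001", t0)
    inc.record("triage", t0 + timedelta(minutes=10), "alert confirmed: customer table exposed")
    inc.record("contain", t0 + timedelta(hours=1, minutes=30), "credentials revoked, disk image preserved")
    inc.record("assess", t0 + timedelta(hours=23), "names and phone numbers of 1,200 principals")
    inc.notify_dpb(t0 + timedelta(hours=51))
    inc.notify_principals(t0 + timedelta(hours=60))
    inc.record("notify", t0 + timedelta(hours=60), "DPB report filed, principals emailed")
    return inc


if __name__ == "__main__":
    inc = worked_example()
    print(inc.evidence_record(inc.detected_at + timedelta(hours=70)))
```

The ordering checks are the point: containment cannot be skipped on the way to recovery, and neither notification can be recorded before the assessment that justifies it, which is exactly the evidence trail the DPB would expect to see.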
The DPDP Act imposes specific notification requirements for both the Data Protection Board and affected data principals. Here is exactly what each notification must contain.
Under the DPDP Act, breach-related violations attract some of the highest penalties in the legislation.
| Violation | DPDP Act Section | Maximum Penalty | Mitigating Factor |
|---|---|---|---|
| Failure to implement adequate security safeguards | §8(5) | ₹250 Crore | Having a tested breach plan & DPIA evidence reduces penalty |
| Failure to notify DPB of breach within required timeframe | §8(6) | ₹200 Crore | Prompt notification and cooperation with DPB mitigates |
| Failure to notify affected data principals of breach | §8(6) | ₹200 Crore | Timely, accurate notification to all affected principals |
| Children's data breach — inadequate protection | §9 | ₹200 Crore | Separate consent controls and age-verification systems |
| Third-party processor breach — inadequate DPA controls | §8(3) | ₹150 Crore | Comprehensive DPAs with security requirements evidenced |
| Failure to produce breach notification records on DPB request | §25 | ₹50 Crore | Complete incident documentation maintained throughout |
The organisations that respond best to breaches are those that prepared before one happened. This checklist covers the 18 must-have elements of DPDP breach readiness.
KavachOne facilitates annual DPDP breach response tabletop exercises — testing your team, your plan, and your notification workflows under realistic pressure, without the stakes of a real incident.
Conducted by KavachOne's certified incident response and DPDP compliance experts.
KavachOne designs, documents, and tests DPDP-compliant data breach response plans for Indian organisations — integrating with your ROPA, PII Scanner, and ConsentiQo platform to ensure you can respond and notify within 72 hours, every time.