Rule 7: Intimation of Personal Data Breach
Statutory Text — Rule 7: Intimation of personal data breach.
(1) On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary,—
(a) a description of the breach, including its nature, extent and the timing and location of its occurrence;
(b) the consequences relevant to her, that are likely to arise from the breach;
(c) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
(d) the safety measures that she may take to protect her interests; and
(e) business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.
(2) On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board,—
(a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
(b) within seventy-two hours of becoming aware of the same, or within such longer period as the Board may allow on a request made in writing in this behalf,—
(i) updated and detailed information in respect of such description;
(ii) the broad facts related to the events, circumstances and reasons leading to the breach;
(iii) measures implemented or proposed, if any, to mitigate risk;
(iv) any findings regarding the person who caused the breach;
(v) remedial measures taken to prevent recurrence of such breach; and
(vi) a report regarding the intimations given to affected Data Principals.
(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary.
Rule 7 specifies the precise notification obligations following a personal-data breach. It requires prompt, transparent communication to both the affected individuals and the Data Protection Board of India (DPBI).
The goal is twofold: to enable citizens to protect themselves, and to help the regulator assess the adequacy of the organisation’s safeguards and response.
Additionally, the DPBI will maintain a central database of incidents and will be able to correlate patterns across multiple similar attacks, including linking them to possible nation-state activities that may require government intervention.
1. Immediate Notification to Affected Individuals
When a breach occurs—whether accidental or malicious—the Data Fiduciary must promptly notify every affected Data Principal in clear and plain language. The notification should describe what happened, what data may have been exposed, potential consequences, steps already taken by the organisation, and recommended protective measures for users.
If a mobile-wallet application detects that an attacker accessed user profiles, the company must inform users through their registered email or in-app alerts. Messages should avoid jargon and state facts such as the date, scope, and immediate next steps (e.g., password reset, credit-monitoring advice).
Transparent and empathetic messaging strengthens trust and reduces reputational impact. Delay or concealment can be viewed as non-compliance, leading to penalties under the DPDPA.
Free Template: Sample Breach Notification Email / Message to Affected Data Principals
Subject: Important Notice: Data Security Incident Affecting Your Personal Information
Dear [Name of Data Principal],
We are writing to inform you that on [Date of Incident], we detected a data-security incident involving our systems. Our investigation has found that [brief description of the breach – e.g., unauthorised access to a customer database due to a compromised API key].
What happened
The incident occurred on [Date / Time / Location of Occurrence] and was discovered on [Date of Discovery]. It affected certain records stored in our system.
What information was involved
Based on our current findings, the affected data may include [specify categories such as email address, mobile number, transaction details, etc.]. No financial passwords or payment details were impacted (if applicable).
What we have done
Immediately after discovering the breach, we secured the affected systems, revoked unauthorised access, and notified the Data Protection Board of India within the required timeline. We have also engaged independent security experts to conduct a root-cause analysis and strengthen our defences.
What you can do
We recommend that you:
- Change your passwords or PINs for accounts linked to our services.
- Ignore unsolicited emails or calls requesting personal details or OTP codes.
- Monitor your account activity and report any suspicious transactions immediately.
Who to contact
For any questions or clarifications, please reach out to our Data Protection Officer:
[Full Name of Contact Person]
Data Protection Officer, [Organisation Name]
📧 [Email Address]
📞 [Phone Number]
Business Hours: [Insert Timings]
We sincerely apologise for the inconvenience and assure you that we are taking all necessary measures to protect your information and prevent any recurrence.
Warm regards,
[Authorised Signatory Name]
[Title] | [Organisation Name]
[Website URL]
This communication is made in compliance with Rule 7(1) of the Digital Personal Data Protection Rules, 2025.
Free Template: Data Breach Intimation Report to the Data Protection Board of India
To:
The Secretary
Data Protection Board of India (DPBI)
[Official email / portal address once notified]
Subject: Intimation of Personal Data Breach under Rule 7(2) of the Digital Personal Data Protection Rules, 2025
1. Basic Details of the Data Fiduciary
- Name of Organisation: [Insert full legal name]
- Registered Address: [Insert address]
- Contact Person / Designation: [Insert name, title]
- Email & Phone: [Insert official contact details]
- DPO Registration ID (if applicable): [Insert or “N/A”]
- Date and Time of Becoming Aware of Breach: [Insert timestamp]
2. Description of the Breach (Rule 7(2)(a) and (b)(i))
Provide a factual and concise description covering the following:
- Nature of Breach: [e.g., unauthorised access / data exfiltration / ransomware / accidental exposure]
- Extent of Impact: [Approx. number of affected records or users]
- Timing and Duration: [Start – End if known]
- Location of Occurrence: [Data centre / application / vendor system]
- Categories of Personal Data Affected: [Specify e.g., contact, KYC, health, financial, etc.]
3. Events and Root Cause (Rule 7(2)(b)(ii))
Summarise the circumstances and technical or human factors that led to the breach.
Example: “The incident originated from a compromised API key used by a third-party integration, allowing unauthorised access to limited customer records.”
Include forensic or preliminary findings if available.
4. Mitigation Measures Implemented (Rule 7(2)(b)(iii))
Describe immediate containment actions and ongoing improvements:
- Access isolation, credential resets, patching, log review, malware removal.
- User-facing safeguards (password resets, credit-monitoring offers).
- Strengthening of IAM, network segmentation, or DLP controls.
5. Identification of Responsible Parties (Rule 7(2)(b)(iv))
State whether any internal user, vendor, or external actor has been identified as the cause of the breach.
If under investigation, specify status and expected completion date.
6. Remedial and Preventive Actions (Rule 7(2)(b)(v))
List the structural improvements being undertaken to prevent recurrence:
- Policy revisions, enhanced monitoring, periodic VAPT, or staff training.
- Contractual or disciplinary measures against negligent parties.
- Planned third-party security audits or technology upgrades.
7. Intimation to Data Principals (Rule 7(2)(b)(vi))
Confirm whether affected individuals have been notified, the method used, and timeline.
Attach a sample of the communication sent (see Annex 7A).
| Notification Channel | Date Sent | Audience Size | Delivery Evidence (Y/N) |
|---|---|---|---|
| Email | [DD/MM/YYYY] | [Count] | [Attach log] |
| SMS / In-App | [DD/MM/YYYY] | [Count] | [Attach screenshots] |
8. Impact Assessment
Provide an initial estimate of potential consequences for Data Principals (financial, reputational, or identity-related) and the organisation’s business operations.
9. Supporting Attachments
Attach investigation summary, technical logs, screenshots, or correspondence that corroborate the report.
10. Declaration
We, [Organisation Name], confirm that the above information is true to the best of our knowledge and that this intimation has been made in compliance with Rule 7(2) of the Digital Personal Data Protection Rules, 2025.
Authorised Signatory: _________________________
Name / Designation: _________________________
Date: _________________________
Seal / Digital Signature: _________________________
This report shall be updated if new facts emerge or investigation findings change.
Filed within seventy-two (72) hours of awareness of the breach unless otherwise permitted by the Board.
2. Structured Reporting to the Data Protection Board
In addition to user communication, the Data Fiduciary must report every breach to the DPBI. The rule divides the reporting obligation into two phases:
- Initial Notification (Without Delay): A short preliminary report sent immediately after detection, summarising the nature, extent, timing, and probable impact of the breach.
- Detailed Report (Within 72 Hours): A comprehensive submission including investigation findings, sequence of events, root cause, corrective measures, responsible individuals (if identified), and evidence of notifications sent to users.
The 72-hour limit mirrors global best practice. The Board may allow a longer period in exceptional circumstances, but the fiduciary must formally request it in writing with justification.
An effective process requires internal playbooks defining escalation paths: detection → assessment → legal & DPO review → Board notification → public/user communication.
3. Understanding “Awareness” of a Breach
The 72-hour window begins when the organisation becomes aware that a breach involving personal data has occurred—not merely when an incident is first suspected.
Awareness typically means confirmation through initial investigation, detection systems, or reports from processors. Therefore, organisations must maintain robust incident-detection and verification procedures to avoid ambiguity about when “awareness” begins.
4. Communication Channels and User Accounts
Rule 7(3) defines “user account” broadly to include all forms of digital presence used to access services—such as web portals, apps, email, or registered phone numbers. Fiduciaries must ensure at least one reliable communication mode is always valid and tested.
A bank, for instance, may issue breach notifications through its secure portal and SMS, while an e-commerce firm may notify users via email and in-app alerts. Multi-channel notification ensures no affected user remains uninformed.
5. Content and Tone of Notifications
Notifications must be factual, concise, and instructive, avoiding speculation or blame. They should list what data was affected, likely consequences (identity theft, phishing risk, financial loss), steps already taken (password resets, account freezes), and guidance for user protection (update credentials, monitor statements, enable MFA).
Each message must include contact details of a responsible person—often the Data Protection Officer (DPO) or an authorised representative—so users can seek clarifications. This transparency demonstrates accountability and empathy, reducing potential complaints.
- Always use the same channels your users normally rely on — for example, in-app alerts, registered email addresses, or verified SMS gateways — ensuring authenticity and immediate visibility.
- Use secure, verified domains to avoid phishing confusion, and digitally sign or brand the communication so recipients trust its origin.
- When notifying a large user base, adopt a multi-channel approach (email + app + SMS) and ensure all messages are synchronised in content and timing.
- Maintain delivery logs and screenshots as evidence of compliance in case the Data Protection Board requests proof of user intimation.
6. Internal Coordination and Evidence Preservation
Compliance depends on well-designed breach-response governance. Security teams, DPOs, and legal advisors must coordinate seamlessly to document every step—detection timestamps, decisions, and communications.
Logs, screenshots, and reports form part of evidence demonstrating due diligence. Organisations using SOC and SIEM systems should tag incidents by severity and automatically trigger workflows for DPO review.
Maintaining this documentation helps prove that the fiduciary acted “without delay” and fulfilled all sub-clauses of Rule 7(2).
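As an added illustration (not code from the article or from Securze), the following Python sketch models the pieces Sections 2, 3 and 6 describe: the 72-hour clock that starts at confirmed awareness, a Board-approved longer period, a completeness check against the five elements of Rule 7(1), and a log of intimations sent per channel with a digest of each message as delivery evidence. The field names and the use of an IST clock are assumptions.

```python
# Added example (not part of the original article): a minimal tracker for one
# incident's Rule 7 obligations. Field names and the IST clock are assumptions.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
DETAILED_REPORT_WINDOW = timedelta(hours=72)  # Rule 7(2)(b)
# One key per element a notice to a Data Principal must carry, Rule 7(1)(a)-(e).
PRINCIPAL_NOTICE_FIELDS = ("description", "consequences", "mitigation",
                           "safety_measures", "contact")

def ist(year, month, day, hour, minute=0):
    # Timezone-aware timestamp so the 72-hour clock never depends on local time.
    return datetime(year, month, day, hour, minute, tzinfo=IST)

@dataclass
class BreachIncident:
    aware_at: datetime                            # awareness confirmed, not first suspicion
    board_detailed_at: Optional[datetime] = None  # Rule 7(2)(b) submission, if made
    extension_until: Optional[datetime] = None    # longer period allowed by the Board in writing
    intimations: list = field(default_factory=list)  # delivery evidence for Rule 7(2)(b)(vi)

    def detailed_report_deadline(self) -> datetime:
        """72 hours from awareness unless the Board has granted a longer period."""
        return self.extension_until or self.aware_at + DETAILED_REPORT_WINDOW

    def detailed_report_status(self, now: datetime) -> str:
        deadline = self.detailed_report_deadline()
        if self.board_detailed_at is not None:
            return "filed_on_time" if self.board_detailed_at <= deadline else "filed_late"
        return "pending" if now <= deadline else "overdue"

    def record_intimation(self, principal_id: str, channel: str,
                          sent_at: datetime, message: str) -> dict:
        """Log one notice; the digest proves later exactly which text was sent."""
        entry = {"principal": principal_id, "channel": channel, "sent_at": sent_at,
                 "message_sha256": sha256(message.encode()).hexdigest()}
        self.intimations.append(entry)
        return entry

    def intimation_summary(self) -> dict:
        """Notices sent per channel, for the report under Rule 7(2)(b)(vi)."""
        return dict(Counter(e["channel"] for e in self.intimations))

def missing_notice_fields(notice: dict) -> list:
    """Elements of Rule 7(1)(a)-(e) that are absent or blank in a draft notice."""
    return [f for f in PRINCIPAL_NOTICE_FIELDS if not str(notice.get(f, "")).strip()]
```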
7. Example Scenarios
A bank discovers unauthorised access to its database exposing 50000 customer PAN records. It immediately blocks the intrusion by locking affected accounts, notifies customers through email/SMS, and reports the incident to the DPBI within 24 hours, followed by a detailed report within the next 48 hours. This meets the requirements of Rule 7.
A hospital’s billing system is hit by ransomware, encrypting patient files. The hospital notifies patients, explains potential disclosure of insurance details, informs DPBI within 72 hours, and outlines its mitigation and recovery plan.
A social-media app delays disclosure for weeks while conducting an internal inquiry. Users learn about the breach through the press. Even if later mitigated, the delay constitutes non-compliance, exposing the company to penalties and reputational damage.
8. Building Readiness
- Organisations should maintain a Breach Response Playbook aligned with Rule 7.
- It must define severity tiers, notification templates, responsible teams, escalation matrices, and communication protocols with regulators and users.
- Integrating these processes with existing SOC tools ensures real-time visibility and faster response. Periodic breach simulations and table-top exercises further strengthen preparedness.
Learn how Securze’s Incident Response & Digital Forensics Team can help you design, simulate, and operationalise compliant data-breach-management workflows.
Summary
Rule 7 transforms breach response from an optional act of goodwill into a legal duty of transparency.
It demands that Data Fiduciaries act swiftly, notify both users and the Board, and demonstrate documented diligence.
By maintaining strong detection systems, clear escalation channels, and pre-approved communication templates, organisations not only comply with DPDPA 2025 but also preserve public trust in times of crisis.