Q4 - Do all breaches need to be reported to affected individuals, or only severe ones?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), all data breaches must be reported both to the Data Protection Board of India and to the affected Data Principals (individuals) — there is no distinction in the law between “minor” and “severe” breaches.
However, in practice, the Central Government may prescribe thresholds or exceptions through rules, allowing organizations to prioritize notifications for breaches that pose a real risk of harm to individuals.
1. Legal Requirement
Section 8(5) —
Every Data Fiduciary shall protect personal data in its possession from breach of security safeguards.
In the event of such a breach, the Data Fiduciary shall notify the Board and each affected Data Principal in such manner as may be prescribed.
This provision makes notification mandatory to:
- The Data Protection Board of India, and
- Each affected individual, once a breach occurs.
The law does not limit reporting only to “severe” or “high-impact” cases.
2. What May Change Through Future Rules
While the Act itself requires universal reporting, the Central Government (under Section 40) may later issue rules specifying:
- The form and timeline of breach notifications (for example, a fixed deadline along the lines of CERT-In’s 6-hour rule);
- Thresholds for reporting — e.g., breaches that result in actual or likely harm such as identity theft, fraud, or financial loss;
- Exceptions for negligible incidents where data was not exposed or was immediately contained.
Until such rules are notified, the safest interpretation is to treat all data breaches as reportable events.
3. Why Broad Reporting Is Required
The DPDPA aims for transparency and accountability.
Reporting all breaches helps:
- Build user trust;
- Enable prompt action by the Data Protection Board;
- Encourage companies to maintain robust security practices.
Failure to notify — even for small breaches — may still attract penalties up to ₹250 crore under Section 33(1) and the Schedule (Entry 2).
4. Practical Approach for Companies
| Breach Type | Example Scenario | Reporting Requirement |
|---|---|---|
| Serious breach | Customer database leaked, exposing contact and ID details. | Notify the Board and each affected user immediately. |
| Moderate breach | Employee emails accidentally shared with wrong recipients. | Notify both; document remedial measures. |
| Minor incident (fully contained) | Test system logs briefly exposed internally but not accessed externally. | Report to Board; user notification may be limited if future rules permit. |
A FinTech app experiences unauthorized access to 500 customers’ transaction details. It promptly reports the incident to the Data Protection Board and notifies each affected user, even though no financial loss occurs. This fulfills its duty under Section 8(5) and demonstrates good faith compliance.
Another company experiences a similar breach but withholds notice, arguing that “no harm” occurred. The Data Protection Board later discovers the omission and imposes a ₹20 crore penalty for non-disclosure.
5. Key Takeaway
- All data breaches must be reported to both the Board and affected individuals.
- The severity of harm may affect how the Board responds, but not whether notification is required.
- Future Government rules may refine the reporting thresholds, but until then, organizations should err on the side of full disclosure.
Referenced Provisions:
- Section 8(5) – Duty to protect data and report breaches to Board and affected individuals.
- Section 33(1) – Penalties for non-compliance.
- Section 40(2) – Power of the Central Government to prescribe detailed notification rules.
- Schedule (Entry 2) – Breach of security safeguards punishable up to ₹250 crore.