Step 07 - Breach Management Under DPDPA
Under the Digital Personal Data Protection Act (DPDPA), 2023, a personal data breach means any unauthorized access, disclosure, alteration, or loss of personal data that may compromise the privacy of individuals. The law is strict: breaches must be reported to both the Data Protection Board of India and affected individuals within 72 hours of becoming aware of the incident.
This makes breach management one of the most time-sensitive compliance obligations under the DPDPA.
1. What Counts as a Breach?
- Unauthorized access by hackers (e.g., ransomware attack).
- Accidental disclosure (e.g., sending sensitive data to the wrong recipient).
- Loss of storage devices containing personal data (e.g., stolen laptop with customer records).
- System failures leading to exposure (e.g., misconfigured cloud storage bucket).
If a crypto trading exchange loses control of customer wallet keys due to a server hack, this qualifies as a personal data breach.
2. Who to Report
Breaches must be reported to two audiences:
- The Data Protection Board of India
- Affected Data Principals (Individuals)
Every affected individual must be directly notified, usually by email or SMS. The notice must explain:
- What data was compromised.
- When and how the breach occurred.
- What remedial steps are being taken.
- How the individual can protect themselves (e.g., reset password, monitor accounts).
3. How to Report a Breach (Step-by-Step)
Step 1: Detect and Contain
- Activate your internal Breach Response Team (IT, compliance, legal, communications).
- Contain the breach (e.g., shut down the compromised server, block unauthorized accounts).
Step 2: Assess the Impact
- Identify what categories of personal data were affected (Aadhaar, PAN, bank account, health data, passwords).
- Estimate how many individuals were impacted.
Step 3: Notify the Data Protection Board
- Log into the Board’s online portal (or use official email if interim guidance provides one).
- Submit the following details:
  - Nature of the breach.
  - Categories of data affected.
  - Number of individuals impacted.
  - Steps taken to contain and mitigate the breach.
  - Contact details of the Grievance Officer or DPO.
Step 4: Notify the Affected Individuals
- Draft a clear email or SMS to impacted customers or employees.
Subject: Important Notification of Data Breach
Dear [Name],
On [Date], we detected unauthorized access to our systems which exposed your [data type, e.g., phone number, Aadhaar-linked account]. We have contained the breach and reported it to the Data Protection Board.
What you should do: [e.g., reset password, monitor account].
For assistance, please contact our Grievance Officer at grievance@[company].com or call +91-XXXXXXXXXX.
Regards,
[Company Name]
Step 5: Document and Improve
- Record the incident, actions taken, and lessons learned.
- Update security policies and conduct staff retraining.
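The five steps above are easier to follow under pressure when the incident record, the 72-hour clock, the Board submission checklist and the individual notice all come from one place. The script below is an added example written for this guide, not code from the DPDPA, the Board or any organisation: the BreachIncident record, its field names, the ISO timestamps, the recipient "Asha", the company name and the grievance mailbox are all constructed placeholders. The Board has no API described here, so build_board_report only assembles the submission as a dictionary and refuses to do so while any Step 3 detail is missing.

```python
"""Breach-response record keeper for a DPDPA 72-hour notification workflow.

Added example; record layout, field names and sample values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting window stated in the guide: 72 hours from becoming aware.
NOTIFY_WINDOW = timedelta(hours=72)

# Details the Board submission must carry (Step 3 of the guide).
REQUIRED_BOARD_FIELDS = (
    "nature",                # nature of the breach
    "data_categories",       # categories of personal data affected
    "individuals_affected",  # number of Data Principals impacted
    "containment_steps",     # containment and mitigation taken
    "grievance_contact",     # Grievance Officer / DPO contact
)


@dataclass
class BreachIncident:
    incident_id: str
    aware_at: datetime            # when the organisation became aware (tz-aware)
    nature: str = ""
    data_categories: list = field(default_factory=list)
    individuals_affected: int = 0
    containment_steps: list = field(default_factory=list)
    grievance_contact: str = ""
    notice_log: list = field(default_factory=list)  # Step 5 evidence trail


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    parsed = datetime.fromisoformat(iso)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def notification_deadline(incident: BreachIncident) -> datetime:
    """Latest time by which the Board and Data Principals must be notified."""
    return incident.aware_at + NOTIFY_WINDOW


def hours_remaining(incident: BreachIncident, now: datetime) -> float:
    """Hours left in the window; negative means the deadline has passed."""
    return (notification_deadline(incident) - now).total_seconds() / 3600


def missing_board_fields(incident: BreachIncident) -> list:
    """Required Board-report fields that are still empty or zero."""
    return [f for f in REQUIRED_BOARD_FIELDS if not getattr(incident, f)]


def build_board_report(incident: BreachIncident) -> dict:
    """Assemble the Step 3 submission; refuse to build an incomplete one."""
    missing = missing_board_fields(incident)
    if missing:
        raise ValueError("Board report incomplete, missing: " + ", ".join(missing))
    report = {f: getattr(incident, f) for f in REQUIRED_BOARD_FIELDS}
    report["incident_id"] = incident.incident_id
    report["aware_at"] = incident.aware_at.isoformat()
    report["deadline"] = notification_deadline(incident).isoformat()
    return report


# Step 4 wording from the guide, with placeholders filled per recipient.
NOTICE_TEMPLATE = (
    "Subject: Important Notification of Data Breach\n"
    "Dear {name},\n"
    "On {date}, we detected unauthorized access to our systems which exposed "
    "your {data_type}. We have contained the breach and reported it to the "
    "Data Protection Board.\n"
    "What you should do: {actions}.\n"
    "For assistance, please contact our Grievance Officer at {contact}.\n"
    "Regards,\n{company}"
)


def render_individual_notice(incident, name, data_type, actions, company, sent_at) -> str:
    """Fill the Step 4 template and log who was told, when, and whether in time."""
    text = NOTICE_TEMPLATE.format(
        name=name,
        date=incident.aware_at.strftime("%d %B %Y"),
        data_type=data_type,
        actions="; ".join(actions),
        contact=incident.grievance_contact,
        company=company,
    )
    incident.notice_log.append({
        "recipient": name,
        "sent_at": sent_at.isoformat(),
        "within_window": sent_at <= notification_deadline(incident),
    })
    return text


def demo_incident() -> BreachIncident:
    """Constructed sample incident; every value here is a placeholder."""
    return BreachIncident(
        incident_id="INC-EXAMPLE-001",
        aware_at=at("2024-01-10T09:00:00+00:00"),
        nature="Unauthorized access to customer database server",
        data_categories=["phone number", "email address"],
        individuals_affected=1200,
        containment_steps=["Isolated affected server", "Rotated service credentials"],
        grievance_contact="grievance@example.com",  # placeholder mailbox
    )


if __name__ == "__main__":
    inc = demo_incident()
    print(f"Hours left: {hours_remaining(inc, at('2024-01-12T09:00:00+00:00')):.1f}")
    print(build_board_report(inc))
    print(render_individual_notice(inc, "Asha", "phone number",
                                   ["reset your password", "monitor your account"],
                                   "Example Pvt Ltd", at("2024-01-11T10:00:00+00:00")))
```

Running it with the sample incident prints 24.0 hours remaining two days after awareness, the assembled Board report, and a filled notice whose log entry records that it went out inside the window. A fresh BreachIncident with only an id and awareness time fails build_board_report with the list of missing Step 3 details, which is the point: the clock is already running, so the checklist should stop an incomplete submission rather than let one go out.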
4. Example Scenarios Across Industries
- Banking: A bank’s mobile app leaks transaction histories due to a software bug. Customers are notified to change credentials and monitor accounts.
- Pharma: A hospital chain loses patient MRI scans in a ransomware attack. Patients are informed and regulators are updated.
- E-Commerce: A retailer’s server exposes 50,000 delivery addresses. Customers receive breach notices by email.
- Social Media: A platform discovers unauthorized scraping of users’ profile pictures and phone numbers. Affected users are notified via in-app alerts.
Failure to notify within 72 hours can lead to penalties up to ₹250 crore. More importantly, lack of transparency damages customer trust permanently. By preparing a breach management framework in advance, organizations can respond swiftly and responsibly.