Security Safeguards and Breach Notification

The Digital Personal Data Protection Act (DPDPA), 2023 requires every organization, whether small or large, to protect the personal data it collects with strong technical and organizational safeguards. Security is not treated as an afterthought; it is the backbone of compliance. Organizations are expected to anticipate risks, prevent misuse, and respond immediately when things go wrong.


  • Mandatory Security Safeguards
    Every Data Fiduciary must implement “reasonable security safeguards.” In practice, this includes measures such as encryption of sensitive data, secure storage systems, access control for employees, regular backups, and activity logs to monitor who accessed the data. These safeguards should be proportional to the risks involved.

    Example

    A hospital like ABC Medical Services that stores patient health records must ensure that those records are encrypted and can only be viewed by authorized doctors, not by every hospital staff member.
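    As an added illustration of the hospital example above (this code is not part of the original page and is not ABC Medical Services' system), the following Python model shows two of the safeguards named earlier working together: access control that checks both the user's role and whether the user is on the patient's care team, and an activity log that records every access decision so that repeated denied attempts can be picked up for investigation. The role names, usernames, patient IDs and record contents are constructed for illustration; a real deployment would also encrypt the stored records, which this example only notes in a comment.

```python
"""Role- and care-team-based access to patient records with an activity log.

Constructed example: the hospital name comes from the text above; the users,
roles, patient IDs and record contents are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Which actions each role may perform. Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "doctor": {"read_record", "update_record"},
    "nurse": {"read_record"},
    "reception": {"read_contact"},
}


@dataclass(frozen=True)
class AuditEvent:
    """One line of the activity log: who tried what, on which record, and the outcome."""
    when: datetime
    user: str
    role: str
    action: str
    patient_id: str
    allowed: bool


class PatientRecordStore:
    """Enforces (1) the role permits the action and (2) the user is on the
    patient's care team. Every decision, allowed or denied, is logged."""

    def __init__(self):
        self._records = {}    # patient_id -> record (encrypt at rest in a real deployment)
        self._care_team = {}  # patient_id -> set of usernames authorised for that patient
        self.audit_log = []

    def add_patient(self, patient_id, record, care_team):
        self._records[patient_id] = dict(record)
        self._care_team[patient_id] = set(care_team)

    def _authorised(self, user, role, action, patient_id):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            return False
        return user in self._care_team.get(patient_id, set())

    def access(self, user, role, action, patient_id):
        """Log the decision first, then either return a copy of the record or refuse."""
        allowed = self._authorised(user, role, action, patient_id)
        self.audit_log.append(
            AuditEvent(datetime.now(timezone.utc), user, role, action, patient_id, allowed)
        )
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} on {patient_id}")
        return dict(self._records[patient_id])


def denied_attempts_by_user(audit_log, threshold=1):
    """Count denied accesses per user; users at or above the threshold are
    candidates for the investigation step described under breach detection."""
    counts = {}
    for event in audit_log:
        if not event.allowed:
            counts[event.user] = counts.get(event.user, 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


def demo():
    """Constructed scenario: one treating doctor, one doctor not on the care
    team, and a reception clerk who tries twice to read a clinical record."""
    store = PatientRecordStore()
    store.add_patient("P-1001", {"name": "Patient A", "diagnosis": "redacted"},
                      care_team={"dr_rao", "nurse_k"})
    results = {}
    results["doctor_on_team"] = store.access("dr_rao", "doctor", "read_record", "P-1001")["name"]
    for user, role, action in [("dr_sen", "doctor", "read_record"),
                               ("clerk_m", "reception", "read_record"),
                               ("clerk_m", "reception", "read_record")]:
        try:
            store.access(user, role, action, "P-1001")
        except PermissionError:
            pass  # refused and already logged
    results["denied"] = denied_attempts_by_user(store.audit_log, threshold=2)
    results["log_size"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

    The point of logging the denied attempts, not only the successful reads, is that the log then serves the breach-detection obligation as well as the access-control one: a clerk repeatedly refused access to clinical records is exactly the signal an investigation would want to see.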

  • Breach Detection and Response
    If personal data is accidentally exposed, stolen, or misused, the event is considered a personal data breach. The organization must act immediately to investigate the cause, contain the damage, and prepare an official report.

  • Breach Notification to the Board

    Critical Obligation

    Every personal data breach must be reported to the Data Protection Board of India within seventy-two (72) hours of discovery. The notification must include details of the nature of the breach, the categories of personal data affected, and the remedial measures being taken.

  • Notification to Individuals
    If the breach poses a risk to the rights of Data Principals, the affected individuals must also be informed without delay. This allows them to take protective steps such as changing passwords, monitoring accounts, or blocking suspicious transactions.

    Example

    If XYZ Bank discovers that customer Aadhaar numbers and linked mobile numbers (e.g., 7890XXXXXXX) were leaked through a compromised server, it must not only inform the Board but also alert its customers, so they can take precautions.

  • Consequences of Not Reporting

    Critical Point

    Failure to notify a breach can attract severe penalties. In addition to financial fines (up to ₹250 crore depending on severity), the organization may face orders to suspend certain activities or improve its security posture. More importantly, hiding a breach can result in reputational loss that damages customer trust permanently.

  • Continuous Security Practices
    The Act also expects organizations to adopt a culture of ongoing security, not just a one-time effort. This means conducting periodic vulnerability assessments, updating software patches, training employees against phishing, and maintaining clear internal policies on handling personal data.


By making breach notification mandatory, the DPDPA ensures that individuals are not left in the dark when their data is compromised. It also compels organizations to take security seriously, knowing that their handling of a breach will be subject to scrutiny by regulators and the public alike.