
Understanding Data Breach Management under the Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 

Article by Tsaaro


Introduction 

The Digital Personal Data Protection Act, 2023 (DPDPA), along with the Draft Digital Personal Data Protection Rules, 2025 (DPDP Rules), outlines comprehensive requirements for handling data breaches in India. This article summarizes the key provisions of these frameworks related to data breach management, which emphasize accountability for entities processing personal data. The DPDPA establishes a statutory framework that imposes specific obligations on Data Fiduciaries to protect personal data in the event of a breach. 

A “personal data breach” under Section 2(u) of the Act is defined broadly to encompass unauthorized or accidental acts—including disclosure, acquisition, sharing, alteration, destruction, or loss of data—that compromise the confidentiality, integrity, or availability of personal data. Such breaches may arise from malicious cyber activities or systemic failures.  

The draft DPDP Rules, 2025, show similarities with international standards such as ISO/IEC 27001, and under Rule 6(1)(a) include technical measures such as encryption, obfuscation and access controls. The draft rules also mention organizational measures such as regular audits, vulnerability assessments, incident response protocols and contractual safeguards. 

Reporting Requirements 

  1. Immediate Notification: Rule 7(1) of the Draft Rules, 2025 states that upon becoming aware of a personal data breach, a Data Fiduciary must notify both the affected Data Principals and the Data Protection Board (DPB) “without delay” about the nature, extent, timing, and location of the breach. 

  2. Detailed Reporting: Within 72 hours of becoming aware of the breach, Data Fiduciaries are required to submit a detailed report to the DPB as per Rule 7(2) of the Draft Rules. This report must include: 

     • Facts and circumstances leading to the breach 
     • Risk mitigation measures being implemented 
     • Findings related to the person responsible for the breach 
     • Details of notifications sent to affected individuals 

  3. Content of Notification: According to Rule 7(1), the notifications to affected individuals must include: 

     • The nature and extent of the breach 
     • Potential consequences arising from it 
     • Mitigation measures being taken 
     • Contact information for inquiries 

Penalties 

  • No Materiality Threshold: All breaches must be reported regardless of their severity or potential impact on Data Principals. The absence of a materiality threshold increases the compliance burden involved in data breach management. 

  • Penalties for Non-Compliance: Organizations face severe penalties for failing to report breaches or to implement reasonable security measures. Section 33 of the DPDPA empowers the Data Protection Board of India (DPBI) to investigate breaches, assess compliance, and levy administrative fines. The section also allows the DPBI to penalize Data Fiduciaries for non-compliance such as delayed reporting, inadequate safeguards, or negligent handling. When deciding the amount of a penalty, the DPBI may take into consideration the fiduciary’s efforts to mitigate harm, its cooperation with authorities, and the scale and sensitivity of the compromised data. Penalties can reach up to INR 200 crore (~$24 million) for failure to notify a breach and up to INR 250 crore (~$30 million) for inadequate security safeguards. 

In addition to complying with the DPDPA, businesses will need to streamline their reporting obligations with those required by the Indian Computer Emergency Response Team (CERT-In) and relevant sectoral regulators, where applicable. 

Key Aspects of GDPR Data Breach Management 

Under the General Data Protection Regulation (GDPR), data breach management is governed by Articles 33 and 34, which require organizations (Data Controllers) to report personal data breaches to the supervisory authority and, in certain cases, to notify affected individuals. If the breach is likely to result in a high risk to affected individuals, they must be informed without undue delay, including details on potential consequences and mitigation measures. Even if a breach is not reported, organizations must maintain internal records of all breaches, per Article 33(5). Failure to comply can result in fines of up to €10 million or 2% of global turnover under Article 83(4). 

India’s DPDP Act, 2023, and draft DPDP Rules, 2025, impose similar breach notification obligations. Rule 7 mandates reporting to the Data Protection Board of India (DPB) within 72 hours and notifying affected individuals. However, unlike the GDPR, India’s law has no materiality threshold, so all breaches must be reported. Additionally, penalties under the DPDP framework can reach INR 250 crore. 

Best Practices in Data Breach Management 

In addition to complying with the reporting and notification requirements under the DPDPA 2023 and Draft DPDP Rules, 2025, organizations should adopt global best practices to mitigate damage and strengthen future security measures. The first step is immediate breach containment and risk assessment, where organizations isolate affected systems, revoke compromised credentials and identify the breach’s root cause.  

1. Develop an Incident Response Plan (IRP) 

  • Importance: An IRP outlines the steps to take when a data breach occurs, helping to minimize damage and restore trust. 
  • Components: The plan should include team roles, reporting procedures, incident management, legal compliance steps, containment strategies, and post-breach review processes. 

2. Employee Training and Awareness 

  • Training Programs: Regular training sessions for employees on data security best practices can significantly reduce human error, which is a common cause of breaches. 
  • Awareness Campaigns: Employees should be educated about phishing attacks, password security, and the importance of reporting suspicious activities. 

3. Regular Vulnerability Assessments 

  • Proactive Identification: Conducting regular assessments helps identify and address vulnerabilities before they can be exploited. 
  • Continuous Monitoring: Implementing systems to monitor for suspicious activity can aid in early detection of potential breaches. 

4. Data Classification and Access Control 

  • Data Discovery Tools: Utilize tools to classify sensitive data based on its importance and risk level. 
  • Principle of Least Privilege: Limit access to sensitive information to what each role requires, and review granted privileges quarterly to reduce insider threats. 

5. Post-Incident Analysis 

Understanding the Incident 

  1. Root Cause Analysis: Post-incident analysis involves a thorough examination of the incident to identify the root causes, vulnerabilities, and procedural gaps along with technical shortcomings that led to the breach. This understanding helps organizations address fundamental issues and prevent similar incidents in the future. 
  2. Incident Timeline Reconstruction: By creating a detailed timeline of events leading up to and following a breach, organizations can better understand how the attack occurred, including entry points and duration of unauthorized access. This information is vital for strengthening defenses against future attacks. 
  3. Identifying Weaknesses: The analysis helps detect vulnerabilities in security controls, response strategies, and employee training programs. For example, if a breach occurred due to misconfigured access controls, this would be highlighted for immediate remediation. 

6. Continuous Improvement 

  1. Actionable Recommendations: The findings from post-incident analysis should lead to specific recommendations for improving incident response capabilities and security measures. These recommendations may include updating response plans, refining communication channels, or implementing new security technologies. 
  2. Documentation and Follow-Up: Thorough documentation of the analysis process ensures that valuable insights are retained and can be referenced in future incidents. Creating a follow-up report summarizing lessons learned and recommended actions is essential for ongoing improvement. 

7. Engagement with External Experts 

  • Third-Party Support: Collaborate with cybersecurity firms for expert guidance on breach prevention strategies and incident response readiness. Involve legal experts to navigate regulatory requirements effectively during a breach incident. 

Data Breach Management Across Different Sectors 

Data breach management varies significantly across different sectors due to the unique nature of the data handled, regulatory requirements, and the specific risks each industry faces. Here’s an overview of how breach management differs across various sectors: 

1. Finance 

The financial sector operates within a highly regulated environment, with strict compliance mandates under laws such as the RBI’s Guidelines on Storage of Payment System Data, Master Direction on Digital Payment Security Controls and the SEBI’s Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories. This list is non-exhaustive and constantly evolving. Due to the high stakes involved in protecting sensitive financial data, financial institutions maintain well-defined breach response protocols. Regular audits, security assessments, and adherence to standards such as PCI DSS (Payment Card Industry Data Security Standard) help mitigate risks and enhance resilience against cyber threats. 

A significant challenge in the financial sector is managing third-party vendor security. Many breaches originate from external partners, making it crucial for financial institutions to establish strict security baselines and due diligence mechanisms for vendors. By enforcing strong third-party risk management frameworks, financial organizations can minimize vulnerabilities and prevent data breaches originating from outsourced services. 

2. Manufacturing 

The manufacturing sector has become a prime target for cybercriminals, particularly due to its interconnected global supply chains. Threat actors often exploit business partner vulnerabilities and software supply chain weaknesses, leading to significant operational disruptions. To safeguard against cyber threats, manufacturing firms must implement effective data classification mechanisms and improve network security. By categorizing sensitive data such as intellectual property, trade secrets, and operational information, organizations can prioritize security measures and allocate resources efficiently. 

Given the potential for production downtime and financial losses following a breach, manufacturers emphasize incident response training. Employees across all levels are trained in cyber hygiene, breach detection, and rapid response protocols, ensuring swift containment of security incidents and minimizing business disruptions. 

3. Retail 

The retail sector processes large volumes of customer personal data and payment information, making it a high-value target for cybercriminals. Point-of-sale (POS) system vulnerabilities are a major concern, as many breaches occur through compromised payment terminals. To mitigate risks, retailers invest in secure payment processing systems, tokenization, and compliance with PCI DSS standards. These measures help in preventing unauthorized access to customer financial information. 

Conclusion: Strengthening Data Breach Management Under the DPDP Act 

In an era where data breaches have become increasingly sophisticated and frequent, effective data breach management is no longer optional—it is a business imperative. The Digital Personal Data Protection (DPDP) Act, 2023, along with the draft DPDP Rules, 2025, establishes a clear regulatory framework that holds organizations accountable for safeguarding personal data. From implementing robust security measures to ensuring swift breach detection, reporting, and remediation, businesses must adopt a proactive approach to compliance. 

Compliance with the DPDP Act is not just about meeting legal obligations; it is about demonstrating a commitment to responsible data stewardship. Organizations that prioritize strong data governance, incident response readiness, and continuous security enhancements will be better positioned to navigate regulatory challenges, protect consumer interests, and maintain their competitive edge in the digital marketplace. 

Tsaaro Consulting, in collaboration with PSA Legal Counsellors and the Advertising Standards Council of India, has authored a whitepaper titled ‘Navigating Cookies: Recalibrating Your Cookie Strategy in Light of the DPDPA’. If you want to learn more about cookie consent management, read the whitepaper by clicking here. 
