Research Team (Tsaaro)

Responding to Data Breaches: Key Obligations Under the DPDPA, 2023 and DPDP Rules, 2025

Introduction

The Digital Personal Data Protection Act, 2023 (DPDPA), together with the Digital Personal Data Protection Rules, 2025 (DPDP Rules), establishes comprehensive and updated requirements for managing data breaches in India. The combined framework outlines detailed obligations for data fiduciaries, emphasising accountability and ensuring that entities processing personal data implement robust safeguards in the event of a breach. The 2025 DPDP Rules further operationalise the Act by prescribing clearer procedural and security expectations aligned with contemporary risk environments.  

A “personal data breach” under Section 2(u) of the Act is defined broadly to include unauthorised or accidental disclosure, acquisition, sharing, alteration, destruction, or loss of personal data that compromises its confidentiality, integrity, or availability. Such incidents may arise from malicious cyberattacks, employee negligence, system vulnerabilities, or operational failures. The DPDP Rules, 2025, incorporate enhanced technical and organisational measures consistent with international security standards such as ISO/IEC 27001. Rule 6(1)(a) introduces mandatory safeguards, including encryption, obfuscation, and granular access controls. The rules also reinforce organisational requirements such as periodic audits, vulnerability assessments, structured incident response protocols, and mandatory contractual safeguards with data processors to ensure end-to-end protection across the data lifecycle. 

Reporting Requirements

Immediate Notification: Rule 7(1) of the Digital Personal Data Protection Rules, 2025 states that upon becoming aware of a personal data breach, a Data Fiduciary must intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through their user account or any mode of communication registered with the Data Fiduciary. The intimation must include the nature, extent, timing, and location of the breach. 

Detailed Reporting: Within 72 hours of becoming aware of the breach (or within such longer period as the Data Protection Board may allow upon written request), Data Fiduciaries are required to submit detailed information to the Data Protection Board as per Rule 7(2).

This report must include: 

  • Updated and detailed description of the breach, including its nature, extent, timing and location of occurrence, and the likely impact 

  • The broad facts related to the events, circumstances and reasons leading to the breach 

  • Measures implemented or proposed to mitigate risk 

  • Any findings regarding the person who caused the breach 

  • Remedial measures taken to prevent recurrence of such breach 

  • A report regarding the intimations given to affected Data Principals 

Content of Notification: According to Rule 7(1), the notifications to affected individuals must include:

  • A description of the breach, including its nature, extent and the timing of its occurrence 

  • The consequences relevant to the Data Principal that are likely to arise from the breach 

  • The measures implemented and being implemented by the Data Fiduciary to mitigate risk 

  • The safety measures that the Data Principal may take to protect their interests 

  • Business contact information of a person who is able to respond on behalf of the Data Fiduciary to queries 
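The reporting procedure above (immediate intimation to Data Principals under Rule 7(1), a detailed report to the Board within 72 hours under Rule 7(2), or within a longer period the Board allows on written request) is easy to get wrong in practice when the hour of awareness, an extension and the required contents are tracked in different places. The following tracker is an added example written for this article, not code from Tsaaro or from any regulator; the field names, the constructed sample incident and its timestamps are assumptions chosen to illustrate the rule, not a prescribed reporting format.

```python
"""Breach-notification tracker for Rule 7 of the DPDP Rules, 2025 (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Rule 7(2): the detailed report to the Data Protection Board is due within
# 72 hours of becoming aware of the breach, unless the Board allows longer.
BOARD_REPORT_WINDOW = timedelta(hours=72)

# Rule 7(1): elements every intimation to an affected Data Principal must carry.
# The keys are assumed names for this example, not a statutory schema.
PRINCIPAL_INTIMATION_FIELDS = (
    "description",      # nature, extent and timing of the breach
    "consequences",     # consequences likely to arise for this Data Principal
    "mitigation",       # measures implemented and being implemented
    "safety_measures",  # steps the Data Principal may take to protect themselves
    "contact",          # business contact able to respond to queries
)

# Rule 7(2): elements of the detailed report to the Board (assumed key names).
BOARD_REPORT_FIELDS = (
    "description",              # updated description, including likely impact
    "facts_and_causes",         # events, circumstances and reasons for the breach
    "mitigation",               # measures implemented or proposed to mitigate risk
    "findings_on_perpetrator",  # findings regarding the person who caused it
    "remedial_measures",        # steps taken to prevent recurrence
    "intimation_report",        # report on intimations given to Data Principals
)


@dataclass
class BreachIncident:
    aware_at: datetime                      # moment the Data Fiduciary became aware
    board_extension_hours: int | None = None  # longer period allowed by the Board, if any
    principal_intimation: dict = field(default_factory=dict)
    board_report: dict = field(default_factory=dict)
    board_report_filed_at: datetime | None = None

    def board_deadline(self) -> datetime:
        """Due time for the Rule 7(2) report, honouring a Board-granted extension."""
        window = BOARD_REPORT_WINDOW
        if self.board_extension_hours is not None:
            # The extension replaces the 72-hour window rather than stacking on it.
            window = timedelta(hours=self.board_extension_hours)
        return self.aware_at + window

    def missing_intimation_fields(self) -> list[str]:
        """Rule 7(1) elements absent or empty in the Data Principal intimation."""
        return [f for f in PRINCIPAL_INTIMATION_FIELDS if not self.principal_intimation.get(f)]

    def missing_report_fields(self) -> list[str]:
        """Rule 7(2) elements absent or empty in the Board report."""
        return [f for f in BOARD_REPORT_FIELDS if not self.board_report.get(f)]

    def is_board_report_on_time(self, now: datetime | None = None) -> bool:
        """True if the report was filed (or, if unfiled, could still be filed) by the deadline."""
        reference = self.board_report_filed_at or now or datetime.now(timezone.utc)
        return reference <= self.board_deadline()

    def compliance_gaps(self, now: datetime | None = None) -> list[str]:
        """Human-readable list of everything that would be raised in an internal review."""
        gaps = [f"intimation to Data Principals lacks: {f}" for f in self.missing_intimation_fields()]
        gaps += [f"Board report lacks: {f}" for f in self.missing_report_fields()]
        if not self.is_board_report_on_time(now):
            gaps.append(f"Board report not filed by deadline {self.board_deadline().isoformat()}")
        return gaps


def sample_incident() -> BreachIncident:
    """Constructed sample incident for illustration only; all values are made up."""
    inc = BreachIncident(aware_at=datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc))
    inc.principal_intimation = {
        "description": "Customer contact records exposed on 2025-02-28 via a misconfigured bucket",
        "consequences": "Phishing and identity-misuse risk",
        "mitigation": "Bucket access revoked; credentials rotated",
        "safety_measures": "",  # left blank on purpose: a gap the checker must catch
        "contact": "privacy-office@example.invalid",
    }
    inc.board_report = {f: "filled in for the sample" for f in BOARD_REPORT_FIELDS}
    # Filed 73 hours after awareness, one hour past the 72-hour window.
    inc.board_report_filed_at = datetime(2025, 3, 4, 10, 0, tzinfo=timezone.utc)
    return inc


if __name__ == "__main__":
    incident = sample_incident()
    for gap in incident.compliance_gaps():
        print("GAP:", gap)
```

Run stand-alone, the sample reports two gaps: the empty safety-measures element in the Data Principal intimation and a Board report filed one hour late. Setting `board_extension_hours` to a period the Board has actually allowed in writing turns the second gap off, which is the intended place to record such an extension rather than editing the awareness time.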

Penalties

  • No Materiality Threshold: All breaches must be reported regardless of their severity or potential impact on Data Principals. This lack of a materiality threshold increases the compliance burden in data breach management. 

  • Penalties for Non-Compliance: Organizations face severe penalties for failing to report breaches or implement reasonable security measures. Section 33 of the DPDPA gives the Data Protection Board the power to investigate breaches, assess compliance, and levy administrative fines. The section also allows the Board to penalize data fiduciaries for non-compliance such as delayed reporting, inadequate safeguards, or negligent handling. When deciding on the amount of a penalty, the Board may take into consideration the fiduciary’s efforts to mitigate harm, its cooperation with authorities, and the scale and sensitivity of the compromised data. Penalties can reach up to INR 200 crore (~$24 million) for failure to notify a breach and up to INR 250 crore (~$30 million) for inadequate security safeguards.

In addition to complying with the DPDPA, businesses will need to align their reporting obligations with those required by the Indian Computer Emergency Response Team (CERT-In) and relevant sectoral regulators, where applicable. 

Key Aspects of GDPR Data Breach Management 

Under the General Data Protection Regulation (GDPR), data breach management is governed by Articles 33 and 34, which mandate organizations (Data Controllers) to report personal data breaches to the supervisory authority and, in certain cases, notify affected individuals. If the breach is likely to result in a high risk to affected individuals, they must be informed without undue delay, including details on potential consequences and mitigation measures. Even if a breach is not reported, organizations must maintain internal records of all breaches, per Article 33(5). Failure to comply can result in fines up to €10 million or 2% of global turnover under Article 83(4). 

Comparative Analysis: GDPR vs. DPDPA 

India’s DPDP Act, 2023, and the Digital Personal Data Protection Rules, 2025, establish breach notification obligations that align with international standards while maintaining India-specific requirements. Rule 7 mandates reporting to the Data Protection Board within 72 hours and notifying affected individuals. However, unlike GDPR, India’s law has no materiality threshold, requiring all breaches to be reported regardless of risk level. Additionally, penalties under DPDPA can reach INR 250 crore, reflecting the regulatory framework’s emphasis on robust data protection in India’s digital ecosystem.

Best Practices for Managing Data Breaches

In addition to adhering to the reporting and notification obligations outlined in the DPDPA 2023 and the Digital Personal Data Protection Rules, 2025, organisations should implement best practices to minimise harm and enhance security protocols. The first stage entails containment of the breach and a comprehensive risk assessment, during which organisations isolate compromised systems, revoke compromised credentials and determine the underlying cause of the breach.

  1. Develop an Incident Response Plan (IRP)

  • Importance: An IRP outlines the steps to take in the event of a data breach, minimising damage and restoring trust.

  • Components: The plan should include team roles, reporting procedures, incident management, legal compliance steps, containment strategies, and post-breach review processes.

  2. Employee Training and Awareness

  • Training Programs: Regular training sessions for employees on data security best practices reduce human error, a common cause of breaches.

  • Awareness Campaigns: Employees should be educated about phishing attacks, password security, and the importance of reporting suspicious activities.

  3. Regular Vulnerability Assessments

  • Proactive Identification: Conducting regular assessments helps identify and address vulnerabilities before they can be exploited.

  • Continuous Monitoring: Implementing systems to monitor suspicious activity aids in early detection of potential breaches.

  4. Data Classification and Access Control

  • Data Discovery Tools: Utilize tools to classify sensitive data based on importance and risk level.

  • Principle of Least Privilege: Limit access to sensitive information based on job requirements and review privileges quarterly to reduce insider threats.

Post-Incident Analysis

Understanding the Incident

  1. Root Cause Analysis: Post-incident analysis involves a thorough examination of the incident to identify the root causes, vulnerabilities, and procedural gaps along with technical shortcomings that led to the breach. This understanding helps organizations address fundamental issues and prevent similar incidents in the future.

  2. Incident Timeline Reconstruction: By creating a detailed timeline of events leading up to and following a breach, organizations can better understand how the attack occurred, including entry points and duration of unauthorized access. This information is vital for strengthening defenses against future attacks.  

  3. Identifying Weaknesses: The analysis helps detect vulnerabilities in security controls, response strategies, and employee training programs. For example, if a breach occurred due to misconfigured access controls, this would be highlighted for immediate remediation.  

Continuous Improvement

  1. Actionable Recommendations: The findings from post-incident analysis should lead to specific recommendations for improving incident response capabilities and security measures. These recommendations may include updating response plans, refining communication channels, or implementing new security technologies.  

  2. Documentation and Follow-Up: Thorough documentation of the analysis process ensures that valuable insights are retained and can be referenced in future incidents. Creating a follow-up report summarizing lessons learned and recommended actions is essential for ongoing improvement.  

Engagement with External Experts

Third-Party Support: Collaborate with cybersecurity firms for expert guidance on breach prevention strategies and incident response readiness. Involve legal experts to navigate regulatory requirements effectively during a breach incident.  

Data Breach Management Across Different Sectors

Data breach management varies significantly across different sectors due to the unique nature of the data handled, regulatory requirements, and the specific risks each industry faces. Here’s an overview of how breach management differs across various sectors:  

Finance  

The financial sector operates within a highly regulated environment, with strict compliance mandates under laws such as the RBI’s Guidelines on Storage of Payment System Data, the RBI’s Master Direction on Digital Payment Security Controls, and SEBI’s Cyber Security and Cyber Resilience framework for Stock Exchanges, Clearing Corporations and Depositories. This list is non-exhaustive and constantly evolving. Due to the high stakes involved in protecting sensitive financial data, financial institutions maintain well-defined breach response protocols. Regular audits, security assessments, and adherence to standards such as PCI DSS (Payment Card Industry Data Security Standard) help mitigate risks and enhance resilience against cyber threats.

A significant challenge in the financial sector is managing third-party vendor security. Many breaches originate from external partners, making it crucial for financial institutions to establish strict security baselines and due diligence mechanisms for vendors. By enforcing strong third-party risk management frameworks, financial organizations can minimize vulnerabilities and prevent data breaches originating from outsourced services.  

Manufacturing  

The manufacturing sector has become a prime target for cybercriminals, particularly due to its interconnected global supply chains. Threat actors often exploit business partner vulnerabilities and software supply chain weaknesses, leading to significant operational disruptions. To safeguard against cyber threats, manufacturing firms must implement effective data classification mechanisms and improve network security. By categorizing sensitive data such as intellectual property, trade secrets, and operational information, organizations can prioritize security measures and allocate resources efficiently.  

Given the potential for production downtime and financial losses following a breach, manufacturers emphasize incident response training. Employees across all levels are trained in cyber hygiene, breach detection, and rapid response protocols, ensuring swift containment of security incidents and minimizing business disruptions.  

Retail 

The retail sector processes large volumes of customer personal data and payment information, making it a high-value target for cybercriminals. Point-of-sale (POS) system vulnerabilities are a major concern, as many breaches occur through compromised payment terminals. To mitigate risks, retailers invest in secure payment processing systems, tokenization, and compliance with PCI DSS standards. These measures help in preventing unauthorized access to customer financial information.  

Conclusion

In an era where data breaches have become increasingly sophisticated and frequent, effective data breach management is no longer optional; it is a business imperative. The Digital Personal Data Protection (DPDP) Act, 2023, along with the Digital Personal Data Protection Rules, 2025, establishes a clear regulatory framework that holds organizations accountable for safeguarding personal data. From implementing robust security measures to ensuring prompt breach detection, reporting, and remediation, businesses must adopt a proactive approach to compliance.

Compliance with the DPDP Act is not just about meeting legal obligations; it reflects a commitment to responsible data stewardship. Organizations that prioritize strong data governance, incident response readiness, and continuous security enhancements will be better positioned to navigate regulatory challenges, protect consumer interests, and maintain their competitive edge in the digital marketplace. 

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
