
Data Breach Legal Obligations in India

A practical summary of legal obligations after a data breach in India, including internal response, regulatory considerations, customer communication and evidence preservation.

Published 22 February 2026 · 8 min read · By GT Legal Associates · Last updated 22 February 2026

India's data protection landscape underwent a fundamental transformation with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act), which received Presidential assent on 11 August 2023. While the Act is being operationalised in phases, its provisions on personal data breaches establish clear obligations for Data Fiduciaries — broadly, any person or entity that determines the purpose and means of processing personal data — and define the consequences of non-compliance with rigour not seen in prior Indian law. Organisations that process personal data must now treat a data breach not merely as a cybersecurity incident but as a legal event with prescribed timelines, notification obligations, and potential financial exposure of up to ₹250 crore per instance of non-compliance.

This article sets out the obligations that arise when a personal data breach is discovered, the interaction of the DPDP Act with pre-existing reporting frameworks, and the practical governance steps that organisations should have in place before an incident occurs.

What Constitutes a Personal Data Breach

The DPDP Act defines a personal data breach as any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data. This definition is deliberately broad. It captures not only external attacks — ransomware, credential theft, SQL injection — but also internal incidents such as accidental emailing of customer data to the wrong recipient, misconfigured cloud storage buckets, and insider exfiltration. Any of these events, if they affect personal data of Indian data principals or data principals whose data is processed in India, may trigger notification obligations under the Act.

Significant Data Fiduciaries — a class to be designated by the Central Government based on volume, sensitivity, and risk — face heightened obligations including mandatory data protection impact assessments and the appointment of a Data Protection Officer (DPO). These entities should expect notification thresholds to be set at a lower severity level than those applicable to general Data Fiduciaries once the Rules are notified under the Act.

Notification Obligations: Data Protection Board and Affected Individuals

Under Section 8(6) of the DPDP Act, every Data Fiduciary is obligated to notify the Data Protection Board of India and each affected Data Principal in the event of a personal data breach. The notification must be made "in such manner and as soon as possible" as may be prescribed by the Rules under the Act. The Rules, once finalised, are expected to prescribe a specific notification timeline — anticipated to be seventy-two hours from the point of reasonable discovery, in alignment with international norms such as the GDPR.

The notification to the Data Protection Board must contain prescribed particulars including the nature and scope of the breach, the categories and approximate number of data principals affected, likely consequences, and the measures taken or proposed to address the breach. Notification to affected Data Principals must be in clear, plain language and must include information sufficient for the individual to assess the risk to their rights and interests.

Organisations operating in sectors with pre-existing reporting frameworks must manage multiple, parallel notification requirements. CERT-In's April 2022 Directions mandate reporting of data breaches within six hours of detection for covered entities, including service providers, intermediaries, data centres, and body corporates. The RBI requires regulated entities to report cyber incidents to CERT-In and separately to RBI's Cyber Security and IT Examination (CSITE) Cell within specified timelines. These obligations run in parallel with the DPDP Act and are not subsumed by it.

Existing Framework: IT Act Section 43A and SPDI Rules

Until the DPDP Act Rules come into force, the Reasonable Security Practices framework under Section 43A of the IT Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) continue to govern the handling of sensitive personal data. The SPDI Rules impose obligations on body corporates to collect, retain, and secure categories of sensitive personal data — including passwords, financial information, health data, biometrics, and sexual orientation — with specified security standards (ISO/IEC 27001 or an equivalent approved code of practice). Breach of these obligations can give rise to civil liability of up to ₹5 crore per instance under Section 43A and unlimited liability under Section 43 for negligent or dishonest disclosure.

Building a Defensible Response

The defensibility of an organisation's response to a personal data breach depends almost entirely on the quality of preparation that preceded it. Organisations should maintain an incident response plan that identifies the breach notification chain, designates a breach response team, maps personal data flows including third-party processors, and sets internal trigger thresholds for escalation to legal counsel and the DPO. Data processing agreements with processors must impose equivalent security and notification obligations, and must require processors to notify the Data Fiduciary within a timeframe that enables compliance with the prescribed regulatory window.

When a breach occurs, legal counsel should be engaged before any external communication — regulatory, media, or customer — is made. Premature or inaccurate notifications can aggravate regulatory exposure, trigger contractual breach claims from business partners, and undermine the organisation's position in subsequent litigation. Counsel should be involved in scoping the breach, assessing the jurisdictional reach of the notification obligation, managing regulatory correspondence, and coordinating any forensic investigation required to establish root cause and scope.

Key Takeaways

  • The DPDP Act 2023 requires Data Fiduciaries to notify the Data Protection Board and affected individuals of a personal data breach "as soon as possible" — notification templates and escalation chains should be prepared and tested before an incident occurs.
  • CERT-In's 2022 Directions impose a separate six-hour reporting obligation for covered entities that runs in parallel with the DPDP Act — compliance with one framework does not satisfy the other.
  • Non-compliance with DPDP Act breach notification obligations can attract a financial penalty of up to ₹250 crore — legal counsel must be engaged before any external communication is made.
  • The SPDI Rules under the IT Act remain in force and continue to impose civil liability for negligent handling of sensitive personal data until the DPDP Act Rules are fully notified.
  • Data processing agreements with third-party processors must include breach notification obligations that enable the Data Fiduciary to comply within the regulatory window — review these agreements now.

References

  • Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), Sections 8, 17, 33 — Ministry of Electronics & IT, India Code.
  • IT (Reasonable Security Practices and Procedures and SPDI) Rules, 2011 — G.S.R. 313(E), Ministry of Electronics & IT.
  • CERT-In Directions on Information Security Practices and Reporting of Cyber Incidents, 28 April 2022 — Ministry of Electronics & IT.
  • RBI Cyber Security Framework for Banks, RBI/2015-16/418, DBR.BP.BC.No.38/21.06.103/2015-16 (June 2016, as updated) — Reserve Bank of India.
  • Information Technology Act, 2000, Sections 43 and 43A — Ministry of Law & Justice, India Code.

Disclaimer

This article is for general information only and does not constitute legal advice, solicitation or an advocate-client relationship. Readers should obtain advice based on their specific facts before acting on any legal, regulatory or forensic advisory issue.
