
Breach Notification (Regulator)

Updated: 2026-02-08

Plain English Translation

Under Section 8(6) of the Act, if a security incident compromises personal data, you must follow a specific breach notification procedure to inform the Data Protection Board of India. Unlike some laws that only require reporting where significant harm results, this Act requires reporting of any personal data breach, defined broadly as any unauthorized processing, accidental disclosure, or loss of access. You must provide this intimation in the prescribed form and manner, which the draft rules suggest means an initial report without delay, followed by a detailed report within 72 hours.

Executive Takeaway

Every security incident involving personal data triggers a mandatory reporting obligation to the Data Protection Board. Failure to report carries a penalty of up to INR 200 crore, making rapid detection and transparency critical.

Impact: High
Complexity: High

Why This Matters

  • Failure to report a breach attracts a specific penalty of up to INR 200 crore under Schedule (2) of the Act.
  • The definition of breach is broad, covering any unauthorized processing or accidental loss, meaning even minor incidents may trigger notification to the Data Protection Board of India.

What “Good” Looks Like

  • An Incident Response Plan + regulator notification template (e.g., managed in WatchDog Policy Management) so a draft Board intimation can be produced within hours of confirming a breach.
  • Simulated table-top exercises ensuring the team knows how to fill the data breach notification form for the Board.
  • Slack or Teams alerts configured to fire on Indicators of Compromise (IoCs) and on unexpected changes, so anomalies are identified early.

Under Section 8(6), a breach must be reported. Draft Rule 7 clarifies this must be done 'without delay' for the initial intimation, followed by a detailed report within 72 hours.

Section 2(u) defines a 'personal data breach' as any unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data.

Draft rules suggest the report must include the nature, extent, and time of the breach, likely impact, risk mitigation measures, and details of the Data Protection Officer.

Yes, while the Act says 'as prescribed', draft Rule 7 specifies reporting 'without delay' and submitting a comprehensive updated report within 72 hours.

Section 8(6) explicitly places the responsibility on the Data Fiduciary to give intimation of the breach to the Board and the affected Data Principal.

The Board is expected to function as a digital office (Section 28). Reporting will likely be through an online portal or digital form as prescribed by the rules.

Failure to report a breach to the Board or Data Principal can attract a penalty extending to two hundred crore rupees under Schedule (2) of the Act.

If the incident meets the definition of 'personal data breach' under Section 2(u)—which encompasses unauthorized processing, disclosure, or loss of access—it must be reported, regardless of harm.

DPDP Section 8(6)

"In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed."

Version   Date         Author                              Description
1.0.0     2026-02-08   WatchDog Security GRC Wiki Team     Initial publication from DPDP Workbook