India

What is a data breach notification obligation under DPDPA?

Reporting deadline: Within 72h
Max penalty: ₹250 cr
Threshold for notification: 100% harm
Who must be notified: Board + persons
The Short Answer

Under the Digital Personal Data Protection Act, 2023 (DPDPA), a data fiduciary must notify the Data Protection Board of India and affected individuals without undue delay upon becoming aware of a personal data breach that is likely to cause harm.

What the Law Says

The Digital Personal Data Protection Act, 2023 imposes mandatory breach reporting obligations on data fiduciaries when a breach is likely to cause harm to individuals.

A data fiduciary must notify the Data Protection Board of India and every affected individual 'without undue delay' after becoming aware of a personal data breach.

The notification must include details of the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address it.

This obligation applies only if the breach is 'likely to cause harm' — defined under the Act to include financial loss, identity theft, discrimination, or psychological harm.

Statutory Text

"Where a data fiduciary has reason to believe that a personal data breach has occurred, it shall, as soon as possible and, in any case, within such time as may be prescribed, report such breach to the Board and to the affected data principal."

Digital Personal Data Protection Act, 2023, s. 8(4) — Obligation to report personal data breach

"The Central Government may, by notification, specify the manner and form of reporting of personal data breach under sub-section (4)."

Digital Personal Data Protection Act, 2023, s. 8(5) — Power to prescribe reporting manner

What to Do

1. Immediately assess whether the breach is likely to cause harm to affected individuals.

2. Report the breach to the Data Protection Board of India within 72 hours of awareness (as per draft rules).

3. Notify each affected individual directly — via email, SMS, or prominent website notice — with clear details of the breach and protective steps.

4. Document all actions taken, including internal investigation findings and remediation measures.

5. Appoint a grievance officer and maintain records for at least 5 years as required under Section 9.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.