Mastering the 72-Hour DPDPA Breach Response: From Detection to Disclosure

If you have ever managed a real security incident, you know it is far from glamorous. There are no fancy dashboards, no superhero moments, and no instant fixes. What does exist instead is focused teams working under pressure, validating facts, containing exposure, and racing against time to restore order.

Breach response is operationally intense, evidence-driven, and unforgiving of delay.   

This blog is for the teams who make DPDPA breach response work in practice: security operations centres, IT infrastructure and application owners, compliance and risk teams, Data Protection Officers (DPOs), legal functions, and business leadership who must act when controls fail and the Data Protection Board of India expects clear answers.

What the DPDP Rules Actually Demand   

Definition   

The DPDP Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. This definition covers cyberattacks, misconfigurations, access errors, operational failures, insider misuse, and breaches at third parties. For reference, see Section 2(u) of the Digital Personal Data Protection Act, 2023.

Personal data flows through legacy systems, cloud platforms, email services, vendor-managed environments and even manual or on-premise processes, and a breach in any of them triggers the same personal data protection obligations in India.

Breach assessment therefore cannot be limited to malicious incidents alone; an accidental exposure carries the same reporting duty as an intrusion.

Security Safeguards   

The DPDP Rules require organisations to implement reasonable security safeguards, including technical and organisational measures such as encryption, obfuscation and tokenisation, access controls such as Role-Based Access Control (RBAC), and logging and monitoring that make access to personal data visible, supported by regular audits and defined incident response procedures. For reference, see Rule 6(1)(a) of the DPDP Rules, 2025.

During a breach review, the Data Protection Board of India assesses whether the safeguards were actually implemented, correctly configured, and operational at the time of the incident. Compliance is not about plans or promises; it is about proof. Security safeguards must be backed by evidence such as configuration baselines, access logs and audit records from before the incident, not reconstructed afterwards.

Breach Notification Obligations   

  • Notification to Data Principals
    Affected data principals must be informed without delay once the organisation becomes aware of a personal data breach, as required under Rule 7(1) of the Digital Personal Data Protection Rules, 2025. Notifications must be concise, clear and in plain language, delivered through the data principal's user account or registered communication channel, and must describe the nature, extent, timing and location of the breach, its likely consequences for the data principal, the mitigation measures the organisation has taken, the steps the data principal can take to protect themselves, and a contact point for queries.
  • Timely Reporting to the Data Protection Board of India
    The Board must be intimated of the breach without delay, and a detailed breach report must follow within 72 hours of becoming aware of it, in accordance with Rule 7(2) of the Digital Personal Data Protection Rules, 2025. The 72-hour timeline continues to run regardless of internal escalations or approval processes, unless a longer period is requested in writing and allowed by the Board. Bottom line? The reporting clock starts the moment the organisation becomes aware of the breach, not when the internal approval chain completes.

The Three Capabilities That Decide Breach Outcomes under the DPDP Rules  

The 72-hour breach reporting requirement under the DPDP Rules enforces operational discipline, requiring organisations to move rapidly from detection to evidence-backed decision-making.

Effective breach response is built on early visibility, documented evidence, and coordinated execution.   

In practice, breach readiness under DPDP Rules rests on three foundational capabilities, the 3 Es.   

1. Early Detection & Awareness   

• Breaches must be detected quickly, whether through monitoring, internal alerts, unusual system behaviour, internal audits, user reports, third-party notifications, or public disclosure of the breach.
• Delayed detection remains the most common implementation gap and often leads to missed reporting timelines and regulatory penalties; the 72-hour clock runs from awareness, so every hour of undetected exposure also widens the gap the report must explain.
• Organisations should operate a SOC with SIEM monitoring, define internal escalation SLAs, and assign clear roles for immediate response.

Early detection is what sets a controlled incident apart from a full-blown crisis.

2. Evidence Preservation & Integrity   

• All required evidence must be collected and preserved to maintain a complete audit trail.   
• Breach reporting under DPDP Rules is evidence-backed, and missing or inconsistent records can undermine the organisation’s credibility even when technical impact is limited.   
• Structured incident logs, configuration snapshots, and documented containment actions are essential for regulatory review.   

Proper evidence enables a confident response.
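Evidence preservation in practice means being able to show later that what is handed to the Board is exactly what was collected, unchanged. The following Python script is an added example written for this article; it is not tooling from the original post or from Anzen. It hashes each collected artifact with SHA-256, chains the manifest entries to one another, stamps the awareness time and the resulting 72-hour reporting deadline into the manifest header, and verifies the whole set afterwards, detecting both an edited file and an edited manifest entry. The artifact contents, incident identifier and collector name are constructed for the demonstration and do not describe a real incident.

```python
# Added example (not from the original post): a tamper-evident evidence
# manifest for breach-response artifacts, with a hash chain over the entries.
import hashlib
import json
import os
import pathlib
import tempfile
from datetime import datetime, timedelta, timezone

CHAIN_SEED = "0" * 64  # genesis value for the hash chain


def sha256_file(path):
    """Stream a file through SHA-256 so large logs and snapshots are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def chain_hash(prev, digest, name):
    # Link an entry to its predecessor: H(prev || file hash || file name).
    return hashlib.sha256((prev + digest + name).encode()).hexdigest()


def build_manifest(paths, collector, incident_id, awareness_utc):
    """Hash each artifact in a fixed order and chain the entries together.
    awareness_utc is recorded because the Rule 7(2) 72-hour clock runs from it."""
    aware = datetime.fromisoformat(awareness_utc.replace("Z", "+00:00"))
    entries, prev = [], CHAIN_SEED
    for path in sorted(paths):  # deterministic order => reproducible chain
        name, digest = os.path.basename(path), sha256_file(path)
        link = chain_hash(prev, digest, name)
        entries.append({
            "path": name,
            "sha256": digest,
            "size": os.path.getsize(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "prev": prev,
            "chain": link,
        })
        prev = link
    return {
        "incident_id": incident_id,
        "collector": collector,
        "awareness_utc": aware.isoformat(),
        "board_report_due_utc": (aware + timedelta(hours=72)).isoformat(),
        "entries": entries,
        "head": prev,  # copy this value out-of-band at collection time
    }


def verify_manifest(manifest, directory, expected_head=None):
    """Return a list of problems; an empty list means the evidence is intact."""
    problems, prev = [], CHAIN_SEED
    for e in manifest["entries"]:
        path = os.path.join(directory, e["path"])
        if not os.path.exists(path):
            problems.append("missing: " + e["path"])
        elif sha256_file(path) != e["sha256"]:
            problems.append("modified: " + e["path"])
        # The chain is checked against the *recorded* hash, so an edited
        # manifest entry breaks the chain even if the file now matches it.
        if e["prev"] != prev or e["chain"] != chain_hash(prev, e["sha256"], e["path"]):
            problems.append("chain break at: " + e["path"])
        prev = e["chain"]
    if manifest["head"] != prev:
        problems.append("head mismatch")
    if expected_head is not None and expected_head != prev:
        problems.append("head differs from out-of-band record")
    return problems


# Constructed sample artifacts for the demo; not from any real incident.
SAMPLE_ARTIFACTS = {
    "access.log": "2025-11-20T03:14:07Z GET /exports/customers.csv 200 src=203.0.113.7 auth=anonymous\n",
    "bucket-policy.json": '{"Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject"}]}\n',
    "containment.txt": "2025-11-20T03:40:00Z public-read policy removed; bucket access restricted\n",
}


def demo():
    """Collect and verify, then tamper with a file and then with the manifest."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, body in SAMPLE_ARTIFACTS.items():
            pathlib.Path(d, name).write_text(body)
            paths.append(os.path.join(d, name))
        manifest = build_manifest(paths, "soc-analyst-1", "INC-EXAMPLE-001", "2025-11-20T03:20:00Z")
        head = manifest["head"]  # what the responder would note in the ticket
        intact = verify_manifest(manifest, d, head)

        with open(os.path.join(d, "access.log"), "a") as f:  # log edited after collection
            f.write("2025-11-20T03:15:00Z line added after collection\n")
        file_tampered = verify_manifest(manifest, d, head)

        forged = json.loads(json.dumps(manifest))  # someone "fixes" the manifest to match
        forged["entries"][0]["sha256"] = sha256_file(os.path.join(d, "access.log"))
        manifest_forged = verify_manifest(forged, d, head)
        return intact, file_tampered, manifest_forged


if __name__ == "__main__":
    for label, result in zip(("intact", "file edited", "manifest edited"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Record the manifest head in the incident ticket, or sign the manifest, at collection time; that out-of-band copy is what makes later edits to the manifest itself detectable, since anyone who can rewrite an evidence file can usually rewrite the JSON file next to it. The manifest, with its hashes and collection timestamps, is exactly the material the "Technical Narrative & Root Cause Analysis" section of the evidence format later in this post asks for.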

3. Execution Across Functions   

• Security, IT, compliance, legal, and communications teams must operate in parallel and in coordination, not as a hand-off chain.
• Delays caused by unclear ownership, sequential approvals, or fragmented workflows can jeopardise the 72-hour reporting timeline.
• A pre-defined war-room structure, clear role assignments, and standard operating procedures must be established and tested regularly.

If teams do not move in tandem, critical time is lost. 

From Readiness to Resolution 

1. Preparation
To respond effectively under the DPDP Rules, organisations should have processes, responsibilities, and evidence-handling measures established before a breach occurs. 

  • Breach Identification Matrix
    A breach identification matrix is a structured decision process for assessing and classifying suspected breaches for reporting. A pre-defined framework ensures consistent classification of incidents, a clear assessment of whether personal data is involved, the CIA (Confidentiality, Integrity, Availability) impact, and the resulting notification requirements.

An example of the matrix is shown below. 

Scenario | Data Type | CIA Impact | Reporting Obligation | Priority
Misconfigured cloud storage exposing PII | Personal data & metadata | Confidentiality | Yes | Critical
Email sent to wrong recipient with PII | Personal data (contact, ID) | Confidentiality | Yes | High
Ransomware encrypting CRM | Personal data | Availability + Integrity | Yes | Critical
Unauthorised internal access to HR records | Personal data | Confidentiality | Yes | High
Unauthorised external access to HR records | Personal data | Confidentiality | Yes | Critical
  • Regulator-friendly Evidence Format
    After classifying an incident, it should be documented clearly with all relevant evidence and the rationale behind each decision. The DPDP Rules do not mandate a template, but regulatory review focuses on clarity and completeness. An example structure is provided below.
Sr. No. | Section | Key Details
1 | Executive Summary | Incident overview and description, affected asset, timeline, awareness timestamp (start of the 72-hour clock)
2 | Data Privacy Impact Assessment | Data categories, criticality, volume, affected data principals, data location
3 | Detection and Response | Detection source, immediate response actions taken, escalation path
4 | Technical Narrative & Root Cause Analysis | Attack or misconfiguration, affected systems, access paths, logs, hashes, timelines
5 | Containment, Eradication & Recovery | Actions taken, responsible teams, timestamps, recovery validation
6 | Lessons Learnt | Summary of observations, identified gaps, corrective actions
7 | Safeguards, Gaps & Third Parties | Encryption, access controls, obfuscation (Rule 6(1)(a)), vendor involvement
8 | Notifications, Reporting & Remediation | Data principal notices (Rule 7(1)), Board report (Rule 7(2)), audits, VAPT, policy updates
  • Pre-built DPDP & CERT-In Reporting Templates   
    Organisations should maintain ready-to-use templates for both internal and regulatory reporting. These templates save time and reduce errors when responding under pressure. 
  • War Room Team with Clear Ownership
    Teams should have pre-assigned roles with the authority to act in parallel. Clear ownership prevents delays and ensures a timely response.

A sample RACI (Responsible, Accountable, Consulted, Informed) is shown below. 

Sr. No. | Operational Focus | Role | RACI
1 | Incident detection, containment, forensic investigation | Security Operations | R, A
2 | System isolation, patching, service restoration and recovery | IT Infrastructure/Applications | R, A
3 | Notification assessment, DPDP and CERT-In reporting, regulator interface | Compliance/Data Protection Officer (DPO) | R, A
4 | Liability assessment, contractual review, legal privilege, extension requests | Legal | C
5 | External messaging, stakeholder and media communication | PR & Communications | R, A
6 | Data impact validation, customer and business alignment | Business Owner | C
7 | Decision approvals, resource unblocking, escalation support | Executive Sponsor (CISO/CIO/CTO/CRO) | A, C
8 | Oversight and situational awareness | Board of Directors | I

Templates should cover both the Data Principal notifications and the report to the Data Protection Board, including the breach details and the mitigation measures taken.

  • Privacy-focused Tabletop Exercises   
    Regular, scenario-driven simulations help teams rehearse responses, identify gaps, and improve escalations, coordination, and evidence-handling under pressure. 
Scenario Type | Examples of Scenarios | Purpose
Operational exposure | Misconfigured cloud storage, wrong-recipient emails, access control or privilege failures | To test internal detection and response
Third-party incidents | Processor or vendor mishandling personal data, shared-responsibility issues | To validate oversight and coordination
End-to-end response | Full breach simulation including detection, evidence preservation, escalation, and notification within 72 hours | To strengthen response muscle memory and readiness

Anzen’s DPDPA experts regularly run tailored tabletop exercises for organisations across sectors, helping their teams validate real-world readiness, stress-test escalation paths, and build response “muscle memory” before an actual breach puts them under regulatory scrutiny.   

2. Execution: During the 72 Hour Window   

The DPDP Rules do not expect perfect answers within the window, but they do require structured execution, clear documentation, and timely action.

For complex judgment calls, coordination challenges, or evidence validation, it is never advisable to proceed without expert analysis. Anzen works with you to make robust decisions, confirm evidence integrity, and keep breach handling on track within the 72-hour window.

3. Post-incident: Closing the Loop   

Under the DPDP Rules, organisations are expected to ensure that incidents lead to corrective action, strengthened safeguards, and improved readiness. Post-incident reviews, continuous improvement of controls and their granularity, ongoing refinement of evidence handling, and updates to response playbooks ensure that future incidents are handled faster, with greater clarity and regulatory confidence.

To conclude, the DPDP Rules do not measure breach response by intent or effort. It is assessed on the speed of awareness, the quality of evidence, the clarity of decisions, and the discipline of execution within the 72-hour window. Organisations that prepare for this reality are not just compliant but remain resilient under regulatory review.

Our prompt crisis management strategies reassure and strengthen your organisation, empowering your business to respond effectively when it matters most. 
