
DPDPA Breach Notification: Inside the 72-Hour Window

Shashikant Kalsha

July 2, 2026


Most organizations discover the true state of their security program in the worst possible way: mid-incident, with a clock running. The Digital Personal Data Protection Act, 2023 makes that clock explicit — and short.

What the DPDPA defines as a breach

The Act defines a personal data breach broadly: any unauthorized processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access that compromises its confidentiality, integrity, or availability. Note what is missing: a materiality threshold. A misdirected export, a misconfigured bucket, a lost laptop with unencrypted records — each can qualify, whether or not an attacker was involved.

The two notifications you owe

Under the DPDP Rules, 2025, when a breach occurs a Data Fiduciary owes two distinct notifications:

  1. To every affected Data Principal — without delay. In clear, plain language: what happened, the likely consequences for them, what you are doing about it, what they can do to protect themselves, and a human contact who can answer questions, delivered through their registered mode of communication.
  2. To the Data Protection Board — in two stages. An initial intimation promptly on becoming aware of the breach, followed by a detailed report within 72 hours: the nature and extent of the breach, the data involved, the timeline and circumstances, remedial measures taken, and findings about who did it — with the possibility of seeking extended time from the Board for the detailed report where justified.

Failure to notify carries its own penalty under the Act's Schedule — up to ₹200 crore — separate from the up-to-₹250-crore exposure for failing to maintain reasonable security safeguards in the first place. A breach can therefore generate two independent penalty events: one for the safeguard failure, one for the notification failure.

Why 72 hours is shorter than it sounds

Seventy-two hours sounds like three days. In practice it decomposes into a brutal sequence: detect the incident, confirm personal data is involved, scope which records and which people, classify severity, draft principal-facing notices your lawyers will sign, dispatch them across channels, file the initial intimation, then assemble a detailed, accurate report for the Board — while simultaneously containing the incident itself.

Organizations that meet the window share three traits: they maintain a live map of where personal data lives (so scoping takes hours, not days); they keep pre-approved notification templates in every language they serve; and they rehearse. Organizations that miss it usually lost the first 48 hours deciding who owns the problem.

Building the 72-hour playbook

A DPDPA-ready breach response program looks like this:

  • Detection wiring — security alerts, DLP events, and processor notifications flow into one incident intake with automatic personal-data triage.
  • A classification protocol — pre-agreed criteria for what counts as a reportable breach, so the escalation decision takes minutes.
  • Pre-drafted notices — Data Principal and Board templates, legally reviewed in advance, needing only incident specifics.
  • A war-room runbook — named roles (incident lead, legal, comms, engineering), a decision log, and timestamps on everything.
  • Processor contracts that cooperate — your vendors are contractually bound to tell you fast; their delay does not pause your clock.
  • Evidence by default — every action recorded as it happens, because the Board's follow-up questions will be about sequence and timing.
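The "decision log with timestamps on everything" and "evidence by default" items above come down to one engineering property: the record of what was done, and when, must be appendable during the incident and verifiable afterwards. The following is an added illustration, not the page's or Data Adhikaar's own code: a minimal hash-chained decision log in which each entry commits to its predecessor, plus a deadline tracker that derives the 72-hour detailed-report deadline from the moment of awareness. All timestamps, role names and actions in the sample are constructed.

```python
"""Tamper-evident incident decision log with a 72-hour deadline tracker.

Added example (not the page's or Data Adhikaar's code). Each entry is
hash-chained to its predecessor, so any later edit to the sequence or
timing of an earlier entry is detectable, and the detailed-report
deadline is computed from the time the Data Fiduciary became aware of
the breach. The sample timestamps, roles and actions are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DETAILED_REPORT_WINDOW = timedelta(hours=72)   # DPDP Rules, 2025 window
GENESIS = "0" * 64                             # prev_hash of the first entry


@dataclass
class Entry:
    seq: int
    ts: str          # ISO-8601 UTC timestamp, taken when the action happened
    actor: str       # named runbook role (incident lead, legal, comms, ...)
    action: str      # what was decided or done
    prev_hash: str   # SHA-256 of the previous entry (GENESIS for the first)
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so the same fields always hash to the same digest.
        payload = json.dumps(
            {"seq": self.seq, "ts": self.ts, "actor": self.actor,
             "action": self.action, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class DecisionLog:
    def __init__(self, aware_at: datetime):
        if aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        self.aware_at = aware_at
        self.entries: list[Entry] = []

    @property
    def report_deadline(self) -> datetime:
        # Clock starts at awareness, not at containment or at legal sign-off.
        return self.aware_at + DETAILED_REPORT_WINDOW

    def record(self, actor: str, action: str, at: datetime) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        entry = Entry(len(self.entries) + 1, at.isoformat(), actor, action, prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every digest and check the chain links back to GENESIS."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True

    def hours_remaining(self, now: datetime) -> float:
        return (self.report_deadline - now).total_seconds() / 3600


def build_sample_log() -> DecisionLog:
    # Constructed timeline for illustration only.
    t0 = datetime(2025, 11, 3, 9, 15, tzinfo=timezone.utc)
    log = DecisionLog(aware_at=t0)
    log.record("incident lead", "DLP alert triaged: exported file contained personal data", t0)
    log.record("legal", "Classified as reportable under pre-agreed criteria", t0 + timedelta(minutes=40))
    log.record("incident lead", "Initial intimation filed with the Board", t0 + timedelta(hours=3))
    log.record("comms", "Data Principal notices dispatched via registered channels", t0 + timedelta(hours=9))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    print("detailed report due:", log.report_deadline.isoformat())
    print("hours remaining at +24h:", log.hours_remaining(log.aware_at + timedelta(hours=24)))
```

The chain only proves that entries were not altered after the fact relative to the latest digest; to make it evidence the Board can rely on, the head hash should be anchored somewhere outside the team's control at intervals (a ticketing system, a signed email, a write-once store), which this sketch leaves to the surrounding platform.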

Rehearse before it's real

Run a tabletop exercise against the 72-hour window twice a year. Time each stage. Most teams discover their true bottleneck is not detection but drafting and approval — exactly the stages that can be prepared in advance.

Data Adhikaar by Qodequay Technologies builds this playbook into software. The Suraksha agent drives the 72-hour window end to end: classifies the incident, scopes affected Data Principals from the live data map, drafts principal and Board notifications for human approval, dispatches them, and time-stamps every step into a tamper-evident Evidence Vault — so when the Board asks what you did and when, the answer is an export, not a reconstruction.

Hope is not a breach response plan. Take the free readiness assessment and see whether your current program would survive a 72-hour test.

General guidance on the DPDP Act, 2023 and DPDP Rules, 2025 — not legal advice.

Shashikant Kalsha

As the CEO and Founder of Qodequay Technologies, I bring over 20 years of expertise in design thinking, consulting, and digital transformation. Our mission is to merge cutting-edge technologies like AI, Metaverse, AR/VR/MR, and Blockchain with human-centered design, serving global enterprises across the USA, Europe, India, and Australia. I specialize in creating impactful digital solutions, mentoring emerging designers, and leveraging data science to empower underserved communities in rural India. With a credential in Human-Centered Design and extensive experience in guiding product innovation, I’m dedicated to revolutionizing the digital landscape with visionary solutions.
