The 72-Hour Breach Notification Rule: A DPDP Survival Guide for Indian Businesses

Under the DPDP Act, a personal data breach triggers a 72-hour reporting clock to the Data Protection Board — and notification to every affected user. Here is how to be ready before the clock starts.

Consently Team
11 May 2026
9 min read

The Clock Starts Whether You Are Ready or Not

Most Indian businesses think of a data breach as an IT incident. Under the Digital Personal Data Protection (DPDP) Act, it is a regulatory event with a hard deadline attached.

The moment your organisation becomes aware of a personal data breach, two obligations activate:

  1. Notify the Data Protection Board of India (DPBI) "without delay," and submit a detailed report within 72 hours.
  2. Notify every affected Data Principal — every individual whose data was involved.

There is no minimum threshold. A breach affecting one person carries the same notification duty as a breach affecting one million. And the 72-hour window runs continuously — weekends, public holidays, and 2 a.m. on a Sunday all count.

"Awareness" Is the Trigger — and It Is Earlier Than You Think

The clock does not start when the breach happened. It starts when you become aware of it. If your security team confirms a breach at 6 p.m. on a Friday, your detailed DPBI report is due by 6 p.m. on Monday.

This has a sharp implication: inadequate monitoring is now a legal liability. The longer a breach goes undetected, the more exposed you are — but once you do detect it, the 72-hour countdown is unforgiving. You cannot afford to spend two of those days deciding who owns the response.

What the DPBI Report Must Contain

The detailed report to the Board is expected to describe:

  • The nature and extent of the breach — what data, how much, which categories of Data Principals.
  • The timing and location — when it occurred, when it was detected, where in your systems.
  • The likely impact on affected individuals.
  • The remedial measures taken or planned to mitigate harm.
  • The steps Data Principals can take to protect themselves.

The notification to affected users must be in clear, plain language — not legalese — and must tell them what happened, what it means for them, and what they should do next.

Do Not Forget CERT-In Runs in Parallel

Key Insight: The DPDP 72-hour rule does not replace your existing CERT-In obligations — it stacks on top of them.

Under the CERT-In Directions of April 2022, certain cybersecurity incidents must be reported to CERT-In within 6 hours of detection. A single breach can therefore trigger two separate clocks: 6 hours to CERT-In, 72 hours to the DPBI. Your incident response plan must account for both, with both timelines pre-mapped to named owners.

A Breach Response Plan You Can Actually Execute

The businesses that survive a breach with their reputation intact are not the ones that never get breached. They are the ones who rehearsed the response. Build this before you need it:

  1. Detection and escalation — define exactly what counts as "awareness" and who must be told within the first hour.
  2. A standing breach response team — security, legal, communications, and a DPDP point-of-contact, with deputies for when people are on leave.
  3. Pre-drafted templates — DPBI report, CERT-In report, and user notification, all drafted and legally reviewed in advance. You fill in facts; you do not write from scratch at hour 50.
  4. A consent and data map — you cannot notify "every affected Data Principal" if you do not know whose data you hold, for what purpose, and how to reach them.
  5. An immutable audit log — proof of when you detected, when you reported, and what you did. If the Board questions your timeline, your logs are your defence.
  6. A tabletop drill — run a simulated Friday-evening breach once a quarter. The gaps you find in a drill are free; the gaps you find in a real incident are expensive.

Why Your Consent Infrastructure Is Part of Breach Readiness

Notifying "every affected Data Principal" is impossible if your consent and data records are scattered across spreadsheets, marketing tools, and legacy databases. The single most useful pre-breach investment is a centralised, queryable record of whose data you hold and why.

Consently's platform gives you exactly that: a consolidated consent ledger, purpose-level data mapping, and immutable audit trails. When the 72-hour clock starts, you can answer "who is affected and how do we reach them" in minutes — not days. And our zero-PII Consent ID architecture means the consent layer itself is a smaller breach target.

The 72-hour rule rewards preparation and punishes improvisation. Get your consent and data records in order before the clock ever starts.
