DPDPA Rules-Data Breach Notification

Data Breach Notification is an important aspect of compliance of any data protection law. DPDPA 2023 also requires a notification both to the DPBI and the Data Principal in the event of a data breach.

The DPDPA 2023 act had simply stated that in the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. Now the the DPDPA rules expands the requirement.

The rules prescribe that as soon as the Data Fiduciary becomes aware of the data breach, one intimation has to be sent immediately to the DPBI with preliminary information including

(a)a description of the breach, including its nature
(b)the date and time when the Data Fiduciary became aware of the breach
(c)the timing or duration of occurrence of the breach
(d)the location where the breach occurred
(e)the extent of the breach, in terms of the nature and quantum of data involved and
(f)the potential impact of the breach  

Within the next 72 hours the Data Fiduciary needs to file a second report with details of the breach. DPBI is expected to provide suitable submission forms on its website for the purpose. In this second report the broad facts related to the events, circumstances and reasons leading to the breach need to revealed along with the remedial measures taken.

Additionally information has to be given to the data principal also which should contain the information about the breach as it affects the specific data principal. The rule seems to avoid specifying the time period within which the intimation has to be provided to the data principal.

Perhaps MeitY has to indicate either the 72 hour time limit specified for intimation to the DPBI as also the time limit for data principal or specify a longer duration.

In case there is a need for more time to report the breach because of the need for a detailed investigation, data fiduciary may seek additional time from the DPBI after the second report.

As of now, every data breach under DPDPA is also a data breach under ITA 2000 and hence the need to report to CERT IN as per the CERT IN guidelines will also be required.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.