Introduction
India’s data protection framework has taken a decisive turn. The Digital Personal Data Protection Act 2023 (DPDP Act) has been enacted, the Draft DPDP Rules 2025 have been published, and the Data Protection Board of India is being operationalized. For organizations handling personal data, these developments carry one particular implication: data breach response is now a legal matter, not merely a technical one.
A data breach is no longer simply a security incident to be contained and quietly resolved. Under the DPDP Act 2023, it is a regulatory event that triggers mandatory notification to the Data Protection Board and to every affected Data Principal, carries potential financial penalties, and will attract Board scrutiny. Organizations that are unprepared to act as the DPDP Act 2023 expects them to will face consequences that go far beyond the initial data breach.
Are Indian organizations ready to respond to a data breach in the manner the law requires? That simple question forms the foundation of this article. On the available evidence, the answer in most cases appears to be no. Breaches are reported late. Organizations lack effective incident response policies. Inventories of the personal data they hold are incomplete. Vendor agreements do not provide for timely breach notification. This article explores the DPDP Act’s requirements, the readiness gaps, and the actions organizations should take in anticipation of enforcement.
The Data Breach Landscape in India
India is among the most breach-affected countries in the world. IBM’s Cost of a Data Breach Report 2024 placed the average cost of a data breach in India at INR 195 million, a figure that has risen consistently over the past five years. Hundreds of millions of people have suffered personal information leaks in major data security breaches in banking, insurance, health care, and online shopping businesses.
What these incidents reveal, however, is a general problem across these industries: most organizations handle data breaches late and in a fragmented way, reporting only once legally obliged to do so. Breaches are discovered after prolonged periods. They are passed to legal and compliance functions without a formal procedure, or only when it becomes unavoidable. Where breaches have become public, regulatory notification has frequently followed media reports rather than preceded them. This reactive, compliance-driven, and disclosure-averse posture is precisely what the DPDP Act seeks to counteract.
The sectors most prone to breaches in India hold very large volumes of personal information, operate within complex third-party data processing ecosystems, and often run on ageing IT infrastructure with weak security controls.
What the DPDP Act 2023 Requires: Breach Notification Obligations
The DPDP Act 2023 establishes clear obligations for Data Fiduciaries in the event of a personal data breach. Section 8(6) of the Act requires every Data Fiduciary to notify the Data Protection Board of India and each affected Data Principal upon becoming aware of a personal data breach. The Draft DPDP Rules 2025 elaborate on this obligation. The notification must contain specified details about the nature of the breach, the categories and approximate volume of personal data affected, the likely consequences, and the remedial measures taken or proposed.
Several aspects of these requirements deserve particular attention.
First, the trigger is awareness, not confirmation. An organization that suspects a breach has occurred cannot wait for a forensic investigation to conclude before initiating notification. The obligation arises when the organization becomes aware that a breach has likely occurred, a standard that demands robust internal escalation processes.
Second, Significant Data Fiduciaries face heightened scrutiny. Organizations designated as Significant Data Fiduciaries under the Draft DPDP Rules 2025, on account of the volume or sensitivity of the data they process, are subject to additional compliance requirements including mandatory Data Protection Impact Assessments and periodic audits, all of which intersect directly with breach readiness obligations.
Third, notifying Data Principals directly is operationally demanding. Organizations must be able to identify which individuals are affected, reach them through verified contact channels, and communicate the breach in a comprehensible manner. This requires clean data inventories, accurate contact records, and pre-drafted communication templates. None of these can be assembled in the middle of an active incident.
The DPDP Act does not specify a fixed hour threshold for notification, unlike the GDPR’s 72-hour rule under Article 33. The phrase “without undue delay” will be interpreted by the Board in light of what a diligent organization could reasonably achieve. Regulators in comparable jurisdictions have consistently treated delays of multiple days or weeks as breaches of notification obligations in their own right. Indian organizations should plan on the assumption that notification windows will be short.
The Readiness Gap: Where Indian Organizations Fall Short
Regulatory awareness and operational readiness are not the same thing. Most compliance and legal teams in Indian organizations are broadly familiar with the DPDP Act. Far fewer have translated that awareness into actionable breach response capability. The readiness gap manifests in several specific and recurring ways.
Absence of a Documented Incident Response Plan
A formal Incident Response Plan (IRP) is the foundational document for breach readiness. It defines who does what, in what sequence, and within what timeframe when a breach is detected or suspected. In many Indian organizations, incident response exists as an informal understanding within the IT security team rather than as a documented, cross-functional protocol.
An IRP adequate for DPDP compliance must go beyond technical containment. It must integrate legal assessment of whether the incident is reportable, regulatory notification workflows covering both the Board and Data Principals, communication strategy, and evidence preservation. Building this integration across IT, legal, compliance, and communications functions requires deliberate organizational design, not improvisation during an active incident.
Slow Breach Detection and Internal Escalation
The notification obligation is triggered by awareness. Organizations with weak security monitoring will become aware of breaches late, compressing the time available to assess, respond, and notify. IBM’s 2024 data indicates that the average breach goes undetected for over 200 days globally. Indian organizations without mature Security Operations Centre capabilities face comparable or worse detection timelines. Internal escalation presents an equal problem: even where security teams detect anomalies quickly, escalation to legal and compliance functions is often slow, informal, or absent. By the time leadership is aware of a breach, the notification window may already be closing.
Incomplete Personal Data Inventories
Notifying affected Data Principals requires knowing which individuals’ data was compromised. This is not possible without an accurate, current map of what personal data the organization holds, where it is stored, who has access to it, and how it flows through internal and third-party systems. Most Indian organizations have not completed a systematic data mapping exercise. The consequence is that even where a breach is detected and escalated promptly, the organization cannot accurately identify the scope of affected individuals. Notification is then either delayed pending investigation or made on an over-inclusive basis, each carrying its own regulatory risk.
Inadequate Third-Party Breach Notification Arrangements
A significant proportion of data breaches originate in third-party systems: vendors, cloud providers, data processors, and outsourced service providers. The DPDP Act makes clear that the Data Fiduciary remains responsible for breaches occurring in the systems of its Data Processors. The vendor relationship does not transfer liability; it extends it.
Vendor contracts frequently fail to require timely breach notification from processors to the Data Fiduciary. Where breach notification clauses exist, they are often drafted with notice periods that are insufficient to support the Fiduciary’s own regulatory timelines. This creates a cascading problem: the Fiduciary cannot meet its obligations to the Board because its processor’s contractual obligations do not support it.
Untested Response Plans
An incident response plan that has never been tested provides no assurance that it works. Organizations discover the gaps in their breach response capabilities during exercises, not during actual incidents. The pressure, coordination demands, and decision-making complexity of a real breach are not the moment to find that escalation paths are unclear, that notification templates do not exist, or that no one has clear authority to make regulatory disclosure decisions. Breach simulation exercises remain relatively rare in Indian organizational practice, which means most organizations are untested against the precise scenarios most likely to trigger their DPDP notification obligations.
Enforcement Is Coming: What the Regulatory Signals Tell Us
The Data Protection Board of India is expected to become fully operational following the finalization of the DPDP Rules 2025. Once operational, the Board will have powers to investigate breaches of the Act, issue directions to Data Fiduciaries, and impose financial penalties. Section 25 of the DPDP Act prescribes penalties of up to INR 250 crore for failure to implement reasonable security safeguards, and up to INR 200 crore for failure to notify the Board of a personal data breach. These are not nominal amounts. They are calibrated to create a genuine compliance incentive, and they apply per breach.
The enforcement trajectory of comparable frameworks is instructive. In the years following GDPR enforcement commencing in 2018, supervisory authorities across Europe issued significant sanctions for inadequate breach notification: delays that exceeded 72 hours, notifications that lacked required information, and failures to identify affected individuals. The European Data Protection Board’s guidelines on personal data breach notification have reinforced these standards consistently. India’s Data Protection Board has been constituted with a mandate to enforce the Act effectively. There is no reason to assume a more lenient posture than that taken by European counterparts.
Early enforcement activity is likely to focus on visible, large-scale breaches in high-profile sectors. Organizations in banking and financial services, healthcare, e-commerce, and telecommunications should treat enforcement readiness as an immediate priority, not a deferred compliance project.
Building a Breach-Ready Organization
Breach readiness is not a single document or a one-time exercise. It is an organizational capability built through documented processes, tested workflows, trained personnel, and ongoing governance. The following components are foundational.
Develop and Document a Cross-Functional Incident Response Plan
The IRP must integrate IT, legal, compliance, communications, and senior leadership functions. It should define clear escalation triggers, decision trees for assessing notification obligations under the DPDP Act, and pre-approved templates for notifications to the Board and to Data Principals. It must be reviewed at least annually and updated whenever material changes occur in data processing activities or applicable regulatory requirements.
Complete a Personal Data Mapping Exercise
Organizations must know what personal data they hold, in what systems, under what access controls, and subject to what retention periods. This mapping exercise underpins not only breach response but also Data Principal rights fulfilment, lawful basis assessment, and DPIA scoping. It should cover all business units, including third-party processing arrangements. Without it, breach notification becomes guesswork.
Strengthen Vendor Contracts and Third-Party Oversight
Data Processing Agreements with all vendors who process personal data on the organization’s behalf must be reviewed and, where necessary, updated. Contracts must require vendors to notify the organization of any actual or suspected breach within a defined short window. Sub-processor obligations must be explicitly addressed. Audit rights must be exercisable and not subject to conditions that make them practically unenforceable.
Conduct Regular Breach Simulation Exercises
Tabletop exercises that simulate real breach scenarios should be conducted at least annually. Exercises should test escalation paths, notification decision-making, and communication workflows under realistic time pressure. Results should be documented and used to update the IRP. Scenarios should include breaches originating in third-party systems, where a significant proportion of real incidents occur.
Way Forward
The Ministry of Electronics and Information Technology has published the Draft DPDP Rules 2025 for public consultation. Enforcement readiness requires lead time. The organizations best placed when the Board becomes operational will be those that have used the intervening period to build genuine operational capability rather than paper compliance.
Organizations should act on the following:
- Conduct a gap assessment against DPDP Act breach notification obligations, benchmarking current IRP documentation, detection capabilities, data inventories, and vendor contracts against what the Act requires.
- Complete or commission a personal data mapping exercise covering all business units and processing activities, including third-party processors and cloud-hosted systems.
- Review and update all Data Processing Agreements to ensure vendor breach notification obligations are compatible with the organization’s own regulatory timelines under the DPDP Act.
- Implement a DPIA programme for high-risk processing activities, including large-scale sensitive data processing and automated decision-making.
- Schedule and conduct a breach simulation exercise, documenting findings and integrating them into the IRP. Include scenarios originating in third-party systems.
- Train legal, IT, compliance, and communications teams on breach notification obligations under the DPDP Act and their specific roles in the incident response process.
Conclusion
Data breaches in India are not a future risk. They are a present reality. The question the DPDP Act forces organizations to confront is not whether a breach will occur, but whether they are organized to respond when it does, in the manner and at the speed the law requires.
Both the DPDP Act 2023 and the GDPR are clear on the underlying principle: accountability for personal data does not end at the boundary of the organization, and it does not pause when a breach occurs. It intensifies. The notification obligation, the requirement to identify affected individuals, and the duty to remediate are all expressions of the same accountability principle that governs data handling in normal times.
Organizations that build breach readiness into their governance frameworks now, not just as a paper exercise but as a genuine operational capability, are better placed to meet regulatory expectations, respond to incidents effectively, and maintain the trust of the individuals whose data they hold. That is not an optional standard under the DPDP Act. It is what compliance looks like.
We at Data Secure (Data Privacy Automation Solution) can help you understand Privacy and Trust while lawfully processing personal data, and provide Privacy Training and Awareness sessions to increase the privacy quotient of your organisation.
We can design and implement RoPA, DPIA and PIA assessments to meet compliance requirements and mitigate risks under privacy regulations across the globe, in particular the GDPR, UK DPA 2018, CCPA and India’s Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO Partner in 2025 (dpo-india.com).
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.
For downloading the various Global Privacy Laws, kindly visit the Resources page of DPO India – Your Outsourced DPO Partner in 2025.
We also serve as a comprehensive resource on the Digital Personal Data Protection Act, 2023 and the Draft DPDP Rules 2025, India’s landmark legislation on digital personal data protection. The resource provides access to the full text of the Act, the Draft DPDP Rules 2025, and detailed breakdowns of each chapter, covering topics such as data fiduciary obligations, rights of data principals, and the establishment of the Data Protection Board of India. For more details, kindly visit DPDP Act 2023 – Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025.
We provide in-depth solutions and content on AI Risk Assessment and compliance, privacy regulations, and emerging industry trends. Our goal is to establish a credible platform that keeps businesses and professionals informed while paving the way for future services in AI and privacy assessments. To know more, kindly visit AI-Nexus – Your Trusted Partner in AI Risk Assessment and Privacy Compliance.