DPDP Act 2023 · Rule 7 · Breach Notification
Data Breach Notification
Rule 7 of DPDP Rules 2025 mandates timely notification of personal data breaches to the Data Protection Board and affected Data Principals.
Every breach is reportable — initial intimation without delay, detailed particulars within 72 hours.
DPDP Rules 2025 · Rule 7 · Data Protection Board of India · Last reviewed June 2026
Direct Answer
When must a breach be reported?
Under the DPDP Act 2023, a data fiduciary must notify the Data Protection Board and every affected data principal of a personal data breach without delay on becoming aware of it. Rule 7 of the MeitY DPDP Rules 2025 requires an initial intimation followed by detailed particulars within 72 hours, and unlike the GDPR it applies a no-threshold rule — every breach is reportable, with penalties reaching ₹200 crore for notification failures and ₹250 crore for inadequate security safeguards.
The Process
Breach Response Process
1. Detect & Assess: Identify the breach and assess its scope, impact, and the personal data affected.
2. Contain & Mitigate: Take immediate steps to contain the breach and prevent further unauthorized access.
3. Notify the Board: Intimate the Data Protection Board about the breach in prescribed form and manner.
4. Notify Data Principals: Inform affected Data Principals about the breach and remedial actions.
Deadlines
Notification Timeline
- To Data Protection Board: Notify without unreasonable delay, and in any case within 72 hours of becoming aware of the breach.
- To Affected Data Principals: Notify as directed by the Board, typically without undue delay after Board notification.
The Stakes
Penalties for Breach-Related Defaults
The Data Protection Board can impose penalties per instance under the DPDP Act 2023. Breach-related failures sit among the highest slabs.
| Default | Maximum penalty (per instance) | Statutory basis |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a breach | ₹250 crore | DPDP Act 2023, Schedule |
| Failure to notify the Board / data principals of a breach | ₹200 crore | DPDP Act 2023, Schedule |
| Breach of children's-data obligations | ₹200 crore | DPDP Act 2023, Schedule |
| Other defaults (residual) | ₹50 crore | DPDP Act 2023, Schedule |
Penalties are indicative maximums; the Board determines the actual amount considering the nature and gravity of the default.
The Contents
What to Include in Notifications
Board Notification
Data Principal Notification
Frequently Asked Questions
Common questions on DPDP breach notification, timelines, and penalties.
What is the timeline to report a data breach under the DPDP Act?
Under Rule 7 of the DPDP Rules 2025, a data fiduciary must intimate the Data Protection Board and affected data principals about a personal data breach without delay on becoming aware of it. An initial intimation is followed by detailed particulars — the nature, extent, timing, likely impact, and remedial measures — within 72 hours, a period the Board may extend on a written request showing good cause.
Does every data breach have to be reported under the DPDP Act?
Yes. Unlike the GDPR, the DPDP Rules 2025 set no risk-based threshold — every personal data breach must be reported to the Data Protection Board and to each affected data principal, regardless of how minor it appears. This makes accurate breach detection and a documented assessment process essential.
What are the penalties for failing to report a data breach?
Failure to notify a personal data breach can attract a monetary penalty of up to ₹200 crore per instance, and failure to maintain reasonable security safeguards (which often causes the breach) can attract up to ₹250 crore. Because penalties apply per instance, a single incident touching multiple obligations can compound quickly.
Who must be notified when a personal data breach occurs?
Two parties: the Data Protection Board of India, and every data principal whose personal data was affected. The data principal notification must be in clear, plain language and describe the breach, its likely consequences, the measures taken, and the steps the individual can take to protect themselves.
What information must a breach notification to the Board contain?
The intimation must describe the breach, the categories and approximate number of data principals and records affected, the likely consequences, the remedial and mitigation measures taken, and contact details of the Data Protection Officer or designated point of contact. Detailed particulars are then provided within 72 hours.