Data Breach Basics
DPDPA requires businesses to notify the Data Protection Board and affected individuals when personal data is breached — without delay. This applies to all Data Fiduciaries regardless of size. This guide covers what counts as a breach, what you must report, the notification timeline, and the first practical steps to take.
A personal data breach is any incident where personal data is accessed, disclosed, altered, lost, or destroyed without authorisation — whether by an external attacker, an insider, a third-party vendor, or an accidental human error. Under DPDPA, businesses have mandatory reporting obligations when a breach occurs. There is no de minimis threshold — even a single record is in scope if it involves personal data.
What Is a Personal Data Breach?
Section 2(t) of the DPDPA defines a personal data breach as "any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data."
In plain terms, a breach includes:
- Unauthorised access — hacker or attacker gaining access to a database, server, or file containing personal data
- Accidental disclosure — an email with personal data sent to the wrong recipient, a file shared publicly by mistake, a screen shared in a video call showing personal records
- Ransomware attack — encrypting or exfiltrating customer, employee, or vendor records
- Lost or stolen devices — laptop, phone, or USB drive containing personal data
- Insider misuse — an employee accessing or exporting personal data without authorisation
- Vendor-side breach — a third-party processor suffers a breach that affects personal data you gave them
- Accidental deletion — permanent loss of personal data without a backup
The Breach vs Security Incident Distinction
Not every security incident is a personal data breach. A DDoS attack that takes your website offline is a security incident — but if no personal data was accessed or disclosed, it is not a personal data breach under DPDPA. The key test is: was personal data compromised in terms of confidentiality, integrity, or availability?
Apply this three-part test to every incident:
- Confidentiality — Was personal data accessed or disclosed to someone who should not have it?
- Integrity — Was personal data altered or corrupted without authorisation?
- Availability — Was personal data permanently lost or made inaccessible?
If any of these is true, it is a breach and notification obligations are triggered.
Notification Obligations
Section 8(6) of the DPDPA requires every Data Fiduciary to notify the Data Protection Board of a personal data breach "in such manner and within such period as may be prescribed." The DPDP Rules, 2025 set out the requirements:
Board Notification
- Must be made to the Data Protection Board as soon as possible — the Rules set mandatory timelines
- Must include: nature of the breach, categories and approximate number of individuals affected, likely consequences, measures taken or planned to address the breach
- The initial report may be submitted before all details are known, with a follow-up report once investigation is complete
Individual Notification
Under Rule 7 of the DPDP Rules, 2025, Data Fiduciaries must also notify affected Data Principals of the breach. The notification to individuals must:
- Describe the nature of the personal data breach
- Explain the possible consequences of the breach
- Describe the measures being taken to address the breach
- Include contact details for the Data Fiduciary's designated contact for further information
Timing
The DPDP Rules require breach notifications to the Board to be made in two parts:
- Part 1 — an initial intimation as soon as the breach is detected
- Part 2 — a detailed report within a prescribed period following investigation
Do not wait until an investigation is complete to file the initial notification. The obligation to notify the Board begins from the moment the breach is detected, not from the moment it is fully understood.
Building Basic Breach Response Capability
You do not need a large security team to be prepared for a breach. A basic incident response plan has five stages:
- Detect — How will you know a breach has occurred? Access logs, intrusion detection, vendor alerts, or employee reports?
- Contain — How do you stop the breach from spreading? Isolate the affected system, revoke compromised credentials, suspend the affected service if necessary.
- Assess — What data was affected? How many individuals? What categories of personal data? What is the risk to those individuals?
- Notify — Notify the Board and affected individuals as required. Who in your organisation makes this decision and initiates the notification?
- Remediate — Fix the vulnerability or gap that allowed the breach. Review controls. Update procedures.
Every business, regardless of size, should have at least one named person who is responsible for the Contain, Assess, and Notify stages. Without a designated decision-maker, breach response becomes chaotic.
Practical Steps for Indian SMEs
You do not need sophisticated infrastructure to meet the basic obligations. Start here:
- Know where personal data is stored — You cannot detect or contain a breach in data you did not know you had. Maintain a simple list of every system, tool, and file location that holds personal data.
- Ensure access logging exists — Basic access logs on your CRM, HRMS, email system, and cloud storage will help you detect anomalies and scope a breach quickly.
- Designate an internal incident contact — One person who is notified first when a suspected breach is reported internally.
- Identify who makes the notification decision — Who in your organisation is authorised to notify the Board and affected individuals?
- Prepare notification templates — Draft a template Board notification and a template individual notification now, before you need them. In a breach, you will be under time pressure and emotional stress — templates reduce errors.
- Review vendor contracts — Ensure every SaaS and cloud vendor you use has a contractual obligation to notify you of breaches affecting your data, within a timeframe that lets you meet your own Board notification deadlines.
Penalties for Breach Notification Failure
The Penalty Schedule in the DPDPA sets out maximum penalties for breach-related failures:
| Failure | Maximum Penalty |
|---------|----------------|
| Failure to implement adequate security safeguards (Section 8(5)) | ₹250 crore |
| Failure to notify the Board of a personal data breach (Section 8(6)) | ₹200 crore |
These penalties are per instance of non-compliance, not per data record. The actual penalty determined by the Board will depend on factors including the severity of harm, the number of individuals affected, whether the breach was intentional or negligent, and whether the business took remedial action.
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.