DPDP enforcement deadline: May 2027 · Rules notified Nov 2025 · Penalty exposure up to ₹250 Cr
Free Tool · DPDP Act 2023

DPDP Data Breach Response Workflow — Step-by-Step Incident Playbook

3 quick steps. Get a custom breach response plan with timelines, RACI matrix, and notification templates — aligned to DPDP Act 2023, Section 8(6).

3-step builder · 72-hour timeline · Notification templates · Free runbook
Step 1 — Company & Response Team
Enter the key people who will own your breach response. These names will appear in your RACI matrix and notification templates.
Step 2 — Breach Types to Plan For
Select all breach scenarios your organisation wants to be prepared for. Your runbook will cover each selected type.
Step 3 — Data Scope
Help us calibrate your runbook to your organisation's data profile and worst-case breach scenario.
Estimated number of affected data subjects: 10,000 (adjustable from 100 to 1,000,000)

Sensitive data = health/medical records, financial data, biometric data, or data of children.

Breach Response Runbook

⌛ 72-Hour Response Timeline

Columns: Time Window · Actions · Responsible · Priority

👥 RACI Matrix — Who Does What

R = Responsible · A = Accountable · C = Consulted · I = Informed

📋 Internal Incident Report Template

Send to Board / Senior Leadership immediately upon incident discovery.

✉ Data Principal Notification Template

Issued to affected data principals upon direction from the DPBI or when significant harm is likely.

✓ Post-Incident Checklist (72+ Hours)


Quick Answer

What is a DPDP data breach response workflow?

A DPDP-compliant breach response workflow follows five stages: Detect (identify the breach through monitoring or third-party notification), Contain (isolate affected systems to prevent further data loss), Assess (determine the scope, categories of data affected, and number of data principals impacted), Notify (alert the Data Protection Board within 72 hours and affected individuals where required), and Remediate (fix the root cause and update controls to prevent recurrence). Documenting each stage is essential for demonstrating compliance to the Board.

What is the 72-hour breach notification rule under DPDP Act 2023?

Section 8(6) of the Digital Personal Data Protection Act 2023 requires Data Fiduciaries to notify the Data Protection Board of India (DPBI) of personal data breaches promptly. While the DPDP Act itself references "promptly," the globally accepted benchmark — and the one regulators will measure against — is 72 hours from the time a breach is discovered. This aligns with GDPR Article 33 and reflects international best practice. Organisations should treat 72 hours as the hard deadline for internal triage, containment, and initial DPBI notification.

When must you notify data principals of a breach?

Under the DPDP Act 2023, notification to data principals (the individuals whose data was breached) is required when the Data Protection Board of India directs it, or when the breach is likely to cause significant harm to affected individuals. Significant harm includes financial fraud, identity theft, discrimination, reputational damage, or any other serious adverse consequence. Organisations that process sensitive personal data — health records, biometric data, financial data, or children's data — should assume that notification will be required and prepare templates in advance.

What is a RACI matrix and why does breach response need one?

A RACI matrix defines who is Responsible (does the task), Accountable (owns the outcome), Consulted (input is sought), and Informed (kept updated) for each task in your incident response plan. During a data breach, the high-stress environment and time pressure mean that role confusion, whether two people trying to own the same task or a critical task with no owner at all, is among the most common causes of delayed or botched responses. A RACI matrix established before an incident occurs ensures that every person knows exactly what they are expected to do the moment an incident is declared.
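The two RACI failure modes named above (a task with competing owners, a task with no owner) and the 72-hour clock from the previous answer are both things a response team can check mechanically before an incident rather than discover during one. The following Python script is an added example, not code from this page or from the runbook tool it describes; the RACI entries, people and timestamps in it are constructed for illustration.

```python
"""Breach-response readiness checks: RACI validation and the 72-hour DPBI clock."""
from datetime import datetime, timedelta, timezone

# Notification benchmark the page uses for Section 8(6): 72 hours from discovery.
NOTIFY_WINDOW = timedelta(hours=72)
VALID_ROLES = {"R", "A", "C", "I"}


def validate_raci(matrix):
    """Check a RACI matrix of the form {task: {person: role}}.

    Flags the failure modes the text warns about: a task nobody is
    Accountable for, a task with more than one Accountable owner (competing
    ownership), and a task with nobody Responsible for doing the work.
    Returns a list of problem strings; an empty list means the matrix is sound.
    """
    problems = []
    for task, assignments in matrix.items():
        unknown = [f"{p}={r}" for p, r in assignments.items() if r not in VALID_ROLES]
        if unknown:
            problems.append(f"{task}: unknown role(s) {', '.join(unknown)}")
        accountable = [p for p, r in assignments.items() if r == "A"]
        responsible = [p for p, r in assignments.items() if r == "R"]
        if not accountable:
            problems.append(f"{task}: no Accountable owner")
        elif len(accountable) > 1:
            problems.append(f"{task}: multiple Accountable owners ({', '.join(accountable)})")
        if not responsible:
            problems.append(f"{task}: nobody Responsible for doing the work")
    return problems


def hours_after(base, hours):
    """Convenience: timestamp a given number of hours after `base`."""
    return base + timedelta(hours=hours)


def notification_deadline(discovered_at):
    """DPBI notification deadline: 72 hours after the breach was discovered."""
    return discovered_at + NOTIFY_WINDOW


def notification_status(discovered_at, notified_at=None, now=None):
    """Classify the DPBI notification clock.

    Returns (status, margin_hours). Status is 'on_time' or 'late' once a
    notification time is known, otherwise 'pending' or 'overdue' relative to
    `now`. A positive margin is time to spare; a negative margin is hours
    past the deadline.
    """
    deadline = notification_deadline(discovered_at)
    if notified_at is not None:
        margin = (deadline - notified_at).total_seconds() / 3600
        return ("on_time" if margin >= 0 else "late", round(margin, 1))
    now = now or datetime.now(timezone.utc)
    margin = (deadline - now).total_seconds() / 3600
    return ("pending" if margin >= 0 else "overdue", round(margin, 1))


# Constructed sample matrix containing both mistakes the page describes:
# "Contain" has nobody Responsible, "Notify DPBI" has two Accountable owners.
SAMPLE_RACI = {
    "Contain affected systems": {"Priya (CISO)": "A", "Legal": "C", "Board": "I"},
    "Notify DPBI": {"Priya (CISO)": "A", "DPO": "A", "Legal": "R"},
    "Notify data principals": {"DPO": "A", "Comms": "R", "Legal": "C"},
}
# Constructed discovery timestamp (UTC).
DISCOVERED = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for problem in validate_raci(SAMPLE_RACI):
        print("RACI problem:", problem)
    print("DPBI deadline:", notification_deadline(DISCOVERED).isoformat())
    # A notification sent 80 hours after discovery is 8 hours late.
    print(notification_status(DISCOVERED, notified_at=hours_after(DISCOVERED, 80)))
```

Run the RACI check against the matrix produced in Step 1 every time the team roster changes; the deadline helpers are meant to be called with the discovery time recorded in the internal incident report, so that the margin printed in status updates is measured from discovery, not from when the board was told.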

What are the penalties for failing to report a breach under DPDP?

Under the DPDP Act 2023, failure to notify the Data Protection Board of India of a personal data breach can attract a financial penalty of up to ₹250 crore (Schedule, Item 5). Additional penalties may apply for inadequate security measures (up to ₹250 crore) and failure to fulfil data principal rights obligations. Beyond financial penalties, the reputational damage from a publicly disclosed failure to comply with breach notification obligations can be severe — particularly for B2C organisations with large customer bases. A pre-built breach response plan is your most cost-effective insurance against both.