The 72-Hour Breach Response Playbook: A Step-by-Step Guide for Indian Companies Under the DPDP Act
April 2026 · ComplyDP Free Resource
When a personal data breach hits your company, you have 72 hours to notify the Data Protection Board of India. Three calendar days. That includes weekends.
Most companies discover this timeline exists when they need it - and then discover they cannot meet it. Not because they lack intent, but because they lack infrastructure. Nobody knows who calls the DPBI. Nobody has a notification template. Nobody can tell you how many Data Principals are affected because nobody has a data inventory that can answer that question in real time.
This playbook is designed to be printed, laminated, and kept in your incident response binder. It assumes the worst: a breach has been detected, the clock has started, and your team needs to execute - not debate what the law requires.
Before the Breach: Pre-Incident Readiness Checklist
If you are reading this section before a breach has occurred, you are already ahead of 90% of Indian companies. Complete these items now:
Incident Response Team (IRT) roster: Named individuals with roles, mobile numbers, and backup contacts. At minimum: CISO or IT Head, Legal Counsel, DPO (if SDF), Communications Lead, Engineering Lead.
DPBI notification template: Pre-filled with company details (see Template 4 in our Compliance Template Pack). Stored in a location accessible to IRT members even if primary systems are compromised.
Data inventory: A current, searchable map of all personal data processing activities - what data, which systems, how many Data Principals. This is the single most important pre-incident investment. Without it, you cannot estimate the scope of a breach within 72 hours.
Communication templates: Pre-drafted notifications for affected Data Principals, board/management, media (if needed), and employees. Customise them at the time of the incident rather than drafting from scratch.
Contact list: DPBI reporting contact, state cyber cell (Maharashtra Cyber, Karnataka CID Cyber, etc.), cyber insurance provider, external forensic investigation firm (retained or on speed dial), outside legal counsel with DPDP expertise.
Tabletop exercise: Run a simulated breach at least once a year. Time the team from detection to completed DPBI notification. If it takes longer than 48 hours in simulation, it will take longer than 72 hours in reality.
Hour 0–4: Detection and Initial Assessment
The clock starts when your organisation becomes aware of the breach. "Aware" means any employee, contractor, or system detects unauthorised access, disclosure, loss, or destruction of personal data. It does not start when the CISO is informed - it starts when anyone in the company knows or should have known.
Immediate actions:
Hour 0: Breach detected. The person who detects it must immediately notify the IRT lead (CISO/IT Head). Do not attempt to investigate alone. Do not attempt to "fix it quietly."
Hour 0–1: IRT Lead confirms this is a personal data breach (not just a security incident - does it involve personal data of identifiable individuals?). If yes, activate the IRT and begin this playbook.
Hour 1–2: Containment. Stop the bleeding before you assess the damage.
- Isolate affected systems from the network
- Revoke compromised credentials
- Block identified attack vectors
- Preserve forensic evidence (do NOT wipe or reimage systems yet - you may need them for investigation)
Hour 2–4: Initial scoping.
- What systems are affected?
- What categories of personal data are stored on those systems?
- Rough estimate of Data Principals affected (order of magnitude: hundreds? thousands? lakhs?)
- Is the breach ongoing or contained?
- Is there evidence of data exfiltration (data leaving your network) or just unauthorised access?
Decision point at Hour 4: Do you have enough information to begin drafting the DPBI notification? If yes, proceed. If the scope is still unknown, continue investigation while beginning the notification draft in parallel. Do not wait for perfect information - the law requires notification within 72 hours, not a complete forensic report.
Hour 4–24: Investigation and Notification Drafting
Hour 4–12: Deep investigation.
- Forensic analysis of affected systems
- Log review: access logs, database query logs, network traffic logs, application logs
- Identify the root cause: how did the attacker get in? Was it a vulnerability, phishing, insider threat, misconfiguration?
- Refine the scope: specific data fields exposed, specific Data Principals affected, specific time period of exposure
Hour 12–24: Draft DPBI notification. Using your pre-filled template, complete all fields. The areas that typically take the most time:
- "Approximate number of Data Principals affected": This requires querying your data inventory against the affected systems. If you don't have a data inventory, this is the moment you feel that gap most painfully.
- "Categories of personal data affected": Be specific. Not "customer data" - specify names, email addresses, phone numbers, Aadhaar numbers, financial data, health records, etc.
- "Likely consequences of the breach": Conduct a rapid risk assessment. Identity theft risk? Financial fraud risk? Reputational harm? Discrimination risk?
Parallel actions:
- Notify cyber insurance provider (most policies require notification within 24–48 hours)
- Brief senior management / board (verbal, not written - manage privilege)
- Engage external forensic firm if the breach is complex or involves sophisticated attackers
- Notify law enforcement if the breach involves criminal activity (coordinate with state cyber cell)
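The "approximate number of Data Principals affected" and "categories of personal data affected" fields are the ones a data inventory exists to answer, and the Hour 2–4 scoping step asks for the same numbers in rough form. The following is an added illustration, not code from ComplyDP or from the playbook: a minimal queryable inventory, a scope estimate that de-duplicates Data Principals present in more than one breached system, and the 72-hour clock and phase milestones computed from the moment of awareness. The systems, identifiers and timestamps are constructed; a real inventory would point each row at a query against the live system rather than carrying identifiers inline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# India Standard Time. The 72-hour window is wall-clock time, weekends included.
IST = timezone(timedelta(hours=5, minutes=30))
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class SystemRecord:
    """One row of the data inventory: a system, the personal-data categories it
    stores, and pseudonymous identifiers of the Data Principals it holds."""
    system: str
    data_categories: frozenset
    principal_ids: frozenset


# Constructed sample inventory (hypothetical systems and ids, not real data).
INVENTORY = (
    SystemRecord("crm-db", frozenset({"name", "email", "phone"}),
                 frozenset(f"dp{i}" for i in range(1, 1201))),
    SystemRecord("billing-db", frozenset({"name", "bank_account"}),
                 frozenset(f"dp{i}" for i in range(600, 1501))),
    SystemRecord("hr-portal", frozenset({"name", "aadhaar", "health"}),
                 frozenset(f"emp{i}" for i in range(1, 301))),
)


def milestones(aware_at):
    """Playbook phase boundaries measured from the moment of awareness."""
    offsets = {"decision_point": 4, "draft_complete": 24,
               "sign_off": 48, "dpbi_deadline": 72}
    return {name: aware_at + timedelta(hours=h) for name, h in offsets.items()}


def hours_remaining(aware_at, now):
    """Hours left until the DPBI deadline; negative once it has passed."""
    return (aware_at + NOTIFICATION_WINDOW - now).total_seconds() / 3600


def order_of_magnitude(count):
    """Bucket a count the way the Hour 2-4 scoping step asks for it."""
    if count < 1_000:
        return "hundreds"
    if count < 100_000:
        return "thousands"
    return "lakhs"


def estimate_scope(inventory, affected_systems):
    """Union the categories and distinct Data Principals across affected systems.
    A person present in two breached systems is counted once, and any affected
    system missing from the inventory is reported as a gap rather than ignored."""
    affected = [r for r in inventory if r.system in affected_systems]
    unknown = set(affected_systems) - {r.system for r in affected}
    categories = set().union(*(r.data_categories for r in affected))
    principals = set().union(*(r.principal_ids for r in affected))
    return {
        "systems": sorted(r.system for r in affected),
        "systems_not_in_inventory": sorted(unknown),
        "categories": sorted(categories),
        "principals_affected": len(principals),
        "magnitude": order_of_magnitude(len(principals)),
    }


def notification_fields(aware_at, scope):
    """The template fields the inventory can fill; the rest need human judgement."""
    return {
        "aware_at": aware_at.isoformat(),
        "dpbi_deadline": (aware_at + NOTIFICATION_WINDOW).isoformat(),
        "approximate_data_principals": scope["principals_affected"],
        "categories_of_personal_data": ", ".join(scope["categories"]),
    }


if __name__ == "__main__":
    # Constructed scenario: awareness late on a Friday night, deadline lands on Monday.
    aware = datetime(2026, 4, 10, 22, 15, tzinfo=IST)
    scope = estimate_scope(INVENTORY, {"crm-db", "billing-db", "legacy-ftp"})
    for key, value in notification_fields(aware, scope).items():
        print(f"{key}: {value}")
    print("systems not in inventory:", scope["systems_not_in_inventory"])
    print("hours remaining at +30h:", hours_remaining(aware, aware + timedelta(hours=30)))
```

The "systems_not_in_inventory" entry is the point of the exercise: an affected system the inventory cannot describe means the Data Principal count is a lower bound, and that is the moment to say so in the notification rather than to wait.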
Hour 24–48: Review and Internal Approval
Hour 24–36: Legal review of DPBI notification.
- Your legal counsel (internal or external) reviews the notification for accuracy and completeness
- Ensure the notification does not contain admissions that could prejudice the company in subsequent proceedings
- Verify that all factual statements are supported by evidence
- Confirm the notification meets all requirements under Section 8(6) and Rule 8
Hour 36–48: Management sign-off.
- Authorised signatory reviews and approves the notification
- If you are an SDF, the DPO must be involved in this review
- Final check: is the notification complete? Is it accurate based on what you know now? Does it include all required elements?
Parallel actions:
- Draft Data Principal notification (separate from DPBI notification - this goes to affected individuals)
- Prepare internal communication for employees
- Prepare holding statement for media (if breach is likely to become public)
Hour 48–72: Submission and Communication
Hour 48–60: Submit DPBI notification.
- Submit through the prescribed channel (online portal once operational, or email/physical submission as directed by the DPBI)
- Retain proof of submission: confirmation receipt, email acknowledgment, courier tracking
- Log the exact time of submission
Hour 60–72: Notify affected Data Principals.
- Send individual notifications to affected Data Principals using your pre-drafted template
- Use the communication channel most likely to reach them (email, SMS, in-app notification)
- Include: what happened, what data was affected, what you are doing, what they can do, how to contact you, their right to complain to the DPBI
- Do not use PR language. Be specific, honest, and human.
Post-72 Hours: Remediation and Review
The notification is submitted, but the work is not done.
Week 1–2: Complete investigation.
- Full forensic report
- Root cause analysis
- Scope finalisation (update DPBI if the scope changes materially)
Week 2–4: Remediation.
- Fix the root cause
- Implement additional security controls
- Review and update security policies
- Conduct post-incident review with the full IRT
Month 1–3: Systemic improvements.
- Update the incident response playbook based on lessons learned
- Re-run the tabletop exercise with the new playbook
- Review and update the data inventory
- Consider: do you need a better data mapping tool? A faster notification workflow? A retained forensic firm?
Common Mistakes That Blow the 72-Hour Deadline
Mistake 1: No data inventory. You cannot estimate affected Data Principals without knowing what data sits on which systems. This is the #1 reason companies miss the deadline.
Mistake 2: Waiting for perfect information. The notification requires your best estimate, not a complete forensic report. Submit what you know, update later.
Mistake 3: No pre-drafted templates. Drafting from scratch under time pressure produces either incomplete notifications or delays.
Mistake 4: CISO tries to handle it alone. Breach response requires legal, communications, engineering, and management. The CISO coordinates; the IRT executes.
Mistake 5: No tabletop exercise. If you've never practised, your first attempt at the 72-hour workflow will be your worst.
Mistake 6: Forgetting state cyber cell coordination. In addition to the DPBI, you may need to coordinate with Maharashtra Cyber (Mumbai), Karnataka CID Cyber Crime (Bengaluru), or your state's equivalent. Build these contacts into your pre-incident checklist.
Getting Started
If your company does not have an incident response playbook today, the gap between "we are aware of the 72-hour requirement" and "we can actually meet it" is wider than you think. ComplyDP's free Readiness Scan tests your breach response readiness as one of its 43 control areas - it will tell you exactly where your gaps are before a real breach finds them for you. Start at complydp.com/scan.