DPDP Breach Notification Timeline: The Complete 72-Hour Guide
The exact 72-hour breach notification timeline under DPDP Act 2023 and 2025 Rules. Hour-by-hour breakdown, who must notify, what to include, and penalties for missing the deadline.
June 2026 · ComplyDP Legal Guide
The Digital Personal Data Protection Act, 2023 and the 2025 Rules impose a strict breach notification timeline on every Data Fiduciary in India. This guide explains exactly what the 72-hour deadline means, who it applies to, and how to meet it without panic.
What Is the DPDP Breach Notification Timeline?
Under Section 8(6) of the DPDP Act and Rule 8 of the 2025 Rules, every Data Fiduciary must notify the Data Protection Board of India (DPBI) of any personal data breach. Current enforcement guidance treats the deadline as 72 hours from the time the organisation becomes aware of the breach. Calendar days count. Weekends and holidays do not pause the clock.
The notification must also go to every affected Data Principal. This is a separate obligation with a separate template and often a separate channel. Most incident response plans forget the second notification until it is too late.
The 72-Hour Timeline: Hour by Hour
Hour 0–4: Detection and containment. Activate your incident response team. Isolate affected systems. Preserve logs. Do not shut down everything unless the breach is actively spreading. Document every action with timestamps.
Hour 4–12: Scope assessment. Use your data inventory to determine which systems were affected, what categories of personal data were involved, and how many Data Principals are impacted. Without a current data inventory, this step alone can take 48 hours.
Hour 12–24: Draft the DPBI notification. Include the nature of the breach, the categories and approximate number of Data Principals affected, the likely consequences, and the measures taken or proposed. Pre-filled templates cut drafting time from hours to minutes.
Hour 24–48: Legal review and internal sign-off. Route the draft through your DPO or legal counsel. Confirm the designated signatory is available. Pre-designate an alternate if the primary signatory is travelling or unavailable.
Hour 48–72: Submit the DPBI notification and deploy Data Principal notifications. Log proof of submission. Begin tracking any follow-up requests from the Board. Start building your audit trail.
Who Must Notify and What Triggers the Obligation?
The notification duty sits with the Data Fiduciary, not the processor. If a processor discovers the breach, the processor must notify the Fiduciary immediately so the Fiduciary can meet the 72-hour deadline. Build a 24-hour processor-to-Fiduciary SLA into every data processing agreement.
A personal data breach is defined broadly: any unauthorised access, disclosure, alteration, loss, or destruction of personal data. Hacking, ransomware, misconfigured databases, accidental email disclosures, and insider misuse all trigger the notification duty.
What Happens If You Miss the 72-Hour Deadline?
Penalties for breach-related violations can reach ₹250 crore under Section 33 of the DPDP Act. The DPBI considers the timeliness of notification, the cooperation shown, and whether the Fiduciary had reasonable security safeguards in place. A missed deadline does not guarantee a maximum penalty, but it removes one of the strongest mitigating factors.
How to Prepare Before a Breach Occurs
Pre-fill your DPBI notification template with company details. Maintain a current, searchable data inventory. Designate and train your incident response team. Run a tabletop exercise at least once a year. Pre-draft Data Principal notification templates in plain language. The organisations that meet the 72-hour deadline are the ones that prepared in advance.
ComplyDP provides pre-built DPBI and Data Principal notification templates, an incident response workflow with time-boxed steps, and a tabletop exercise tool to test your readiness before the real event.