Comply DP

Breach Notification

72 hours from detection to DPBI notification. Build the workflow before you need it.

The problem

When a personal data breach hits your company, you have 72 hours to notify the Data Protection Board of India. Three calendar days. That includes weekends and holidays.

Most companies discover this timeline exists only when they need it - and then discover they cannot meet it. The bottleneck is never legal awareness ("we knew about the 72-hour rule"). The bottleneck is operational infrastructure.

To file a DPBI notification in 72 hours, you must be able to answer six questions, and each answer depends on something that has to exist before the breach:

  1. What systems were affected? Requires security monitoring and detection.
  2. What personal data was on those systems? Requires a data inventory.
  3. How many Data Principals were affected? Requires the ability to query your data inventory against the affected systems.
  4. What are the likely consequences? Requires a risk assessment framework.
  5. What have you done to contain the breach? Requires an incident response plan.
  6. Who is authorised to sign and submit the notification? Requires pre-designated authority.

Most companies cannot answer question three - "how many Data Principals were affected" - within 72 hours because they do not have a data inventory that maps people to systems. They spend the first 48 hours trying to figure out what data was even on the compromised system, leaving 24 hours for everything else.

The other deadline that companies miss: notifying affected Data Principals. This is a separate obligation, separate template, separate communication channel. Most incident response plans do not include pre-drafted individual notification templates.

What ComplyDP does

Pre-built DPBI notification template

A notification template pre-filled with your company details, contact information, and organisational structure. When a breach occurs, your team fills in breach-specific details rather than drafting from scratch under time pressure.

Incident response workflow

A step-by-step workflow that guides your team from detection through containment, investigation, notification drafting, legal review, and submission. Each step has a time allocation designed to fit within the 72-hour window.

Affected Data Principal estimator

Connected to your data inventory, the platform helps you estimate the number and categories of affected Data Principals by cross-referencing compromised systems with your processing activity register.

Data Principal notification templates

Pre-drafted individual notification templates that explain what happened, what data was affected, what you are doing, and what the individual can do - in plain language, not PR speak. Customise with breach-specific details and deploy via email, SMS, or in-app notification.

Tabletop exercise runner

Run a simulated breach exercise with your team. The platform presents a breach scenario, walks your team through the response workflow, times each phase, and generates a post-exercise report identifying bottlenecks and gaps.

How it works

  1. Prepare before the breach

    Pre-fill your DPBI notification template, designate your incident response team, and run at least one tabletop exercise. This preparation is the difference between meeting the deadline and missing it.

  2. Detect and contain

    When a breach is detected, activate the incident response workflow. The platform guides containment actions and begins the 72-hour countdown.

  3. Investigate and draft

    Use the data inventory to estimate scope. Complete the DPBI notification template with breach-specific details. Route through legal review with time-boxed deadlines.

  4. Submit and communicate

    Submit the DPBI notification with proof of submission logged. Deploy Data Principal notifications through your chosen channels. Log everything for the audit trail.
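As an added illustration (this is not ComplyDP's code and nothing on this page shows it), the Python below sketches the two operational pieces that steps 2 and 3 and the "Affected Data Principal estimator" above rest on: a 72-hour clock computed from a timezone-aware detection timestamp, with the workflow phases laid end to end inside it, and a scope estimate that joins compromised systems against a data inventory. The inventory rows, system names, pseudonymous principal IDs, phase budgets and the example detection time are constructed assumptions. Two caveats the code makes concrete: a person held in two compromised systems is affected once, so per-system counts are unioned rather than summed; and a compromised system the inventory does not know about is reported as a gap, not silently treated as zero affected people.

```python
"""72-hour clock and affected-Data-Principal estimate for a breach response.

Added illustration, not ComplyDP's code. The 72-hour window, the workflow
phases and the idea of joining compromised systems against a data inventory
come from the page; the inventory records, system names, phase budgets,
pseudonymous principal IDs and detection time below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
NOTIFICATION_WINDOW = timedelta(hours=72)   # wall-clock hours: weekends and holidays count

# Hypothetical time-boxes (hours) for the workflow phases; they must fit in 72 h.
PHASE_BUDGET_HOURS = [
    ("detect and contain", 8),
    ("investigate and scope", 24),
    ("draft notification", 16),
    ("legal review", 12),
    ("submit and communicate", 8),
]

# Constructed detection time: 22:00 IST on Friday 7 March 2025.
EXAMPLE_DETECTION = datetime(2025, 3, 7, 22, 0, tzinfo=IST)


@dataclass(frozen=True)
class InventoryRecord:
    """One row of the data inventory: which system holds which category for whom."""
    system: str
    data_category: str
    principal_ids: frozenset   # pseudonymous Data Principal identifiers


# Constructed inventory. Note that p2 and p3 appear in both crm and billing.
INVENTORY = [
    InventoryRecord("crm", "contact details", frozenset({"p1", "p2", "p3"})),
    InventoryRecord("crm", "marketing preferences", frozenset({"p1", "p3"})),
    InventoryRecord("billing", "payment details", frozenset({"p2", "p3", "p4"})),
    InventoryRecord("hr", "employee records", frozenset({"p5"})),
]


def deadline(detected_at: datetime) -> datetime:
    """Board-notification deadline: 72 h after detection, from an aware timestamp.

    A naive datetime is rejected because an ambiguous zone can silently move
    the deadline by several hours.
    """
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    return detected_at + NOTIFICATION_WINDOW


def phase_schedule(detected_at: datetime):
    """Lay the phase budgets end to end from detection as (phase, start, end) tuples.

    Fails up front if the budgets cannot fit inside the 72-hour window.
    """
    total_hours = sum(hours for _, hours in PHASE_BUDGET_HOURS)
    if timedelta(hours=total_hours) > NOTIFICATION_WINDOW:
        raise ValueError(f"phase budgets total {total_hours} h, more than the 72 h window")
    deadline(detected_at)            # validates the timestamp
    schedule, cursor = [], detected_at
    for phase, hours in PHASE_BUDGET_HOURS:
        end = cursor + timedelta(hours=hours)
        schedule.append((phase, cursor, end))
        cursor = end
    return schedule


def estimate_scope(inventory, compromised_systems):
    """Cross-reference compromised systems with the inventory.

    Returns the deduplicated number of affected Data Principals (a person held
    in two compromised systems counts once), the data categories involved, the
    naive per-record sum for comparison, and any compromised system the
    inventory has no row for. An unmapped system is an inventory gap, not zero
    affected people, so it is surfaced rather than ignored.
    """
    compromised = set(compromised_systems)
    hit = [r for r in inventory if r.system in compromised]
    affected = frozenset().union(*(r.principal_ids for r in hit))
    return {
        "affected_principals": len(affected),
        "categories": sorted({r.data_category for r in hit}),
        "naive_sum": sum(len(r.principal_ids) for r in hit),
        "unmapped_systems": sorted(compromised - {r.system for r in inventory}),
    }


if __name__ == "__main__":
    for phase, start, end in phase_schedule(EXAMPLE_DETECTION):
        print(f"{phase:<24} {start:%a %d %b %H:%M} -> {end:%a %d %b %H:%M}")
    print("board deadline:", deadline(EXAMPLE_DETECTION).strftime("%a %d %b %Y %H:%M %Z"))
    print(estimate_scope(INVENTORY, {"crm", "billing", "legacy-ftp"}))
```

With the constructed inventory, a breach of crm, billing and an unknown legacy-ftp host gives a naive sum of 8 records but 4 distinct Data Principals across three data categories, and flags legacy-ftp as a system nobody has inventoried. The Friday-evening detection lands the deadline on Monday evening: the weekend is not paused.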

What the Act requires

Section         Requirement
Section 8(6)    Notify the Data Protection Board of India of any personal data breach
Section 8(6)    Notify each affected Data Principal of the breach
Rule 8          Notification must include the nature of the breach, the data affected, the number of Data Principals, the likely consequences, and the measures taken
Rule 8          Notification must be made within the prescribed time (72 hours, based on current enforcement guidance)
Section 8(5)    Take reasonable security safeguards to prevent personal data breach

Frequently asked questions

Is there a fixed breach notification time (like 72 hours)?

The Act itself (Section 8(6)) sets no number of hours; it requires notification 'in such form and manner as may be prescribed.' Current enforcement guidance and Rule 8 point to 72 hours from detection. The notification must go to both the DPBI and the affected Data Principals. Treat 72 wall-clock hours as the operational deadline until the Board provides further clarification.

What is a 'personal data breach'?

Under the Act's definition, any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity, or availability of that data. In practice this covers hacking, ransomware, insider theft, misconfigured databases, accidental email disclosures, and other accidental exposure.

Do processors have breach duties too?

The notification obligation sits with the Data Fiduciary, not the processor. But your processor must notify you fast enough for you to meet the 72-hour deadline. Build a 24-48 hour processor-to-fiduciary notification SLA into every DPA, and prefer the shorter end: a processor that uses all 48 hours leaves you only 24 hours of the window for scoping, drafting, legal review, and submission.

How does ComplyDP assist with the 72-hour breach reporting requirement?

ComplyDP provides pre-built DPBI notification templates, an incident response workflow with time-boxed steps, a Data Principal notification template, and a tabletop exercise tool to test your readiness. The platform also connects to your data inventory to help estimate breach scope quickly.

Find out where you stand

10-minute diagnostic. 43 controls. No demo call required.