Qn | What is a data breach under the DPDP?
DPDP provides for actions to be taken and consequences if a breach of personal data takes place. Under the law, a ‘personal data breach’ means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data.
Let’s see a few examples of what a data breach can be:
- Unauthorised access / hacking (malicious breach)
  A life insurer’s customer database is compromised due to weak access controls, allowing a hacker to download policyholders’ names, phone numbers, PAN details, and medical disclosures.
  → Unauthorised acquisition and use of personal data.
- Accidental disclosure (human error)
  An employee mistakenly emails a spreadsheet containing customer KYC details and bank account numbers to an external vendor who was not authorised to receive such data.
  → Accidental disclosure and unauthorised sharing of personal data.
- Loss of access / availability breach (operational failure)
  Due to a ransomware attack or poor backup practices, a retail grocery chain loses the personal data of its loyalty-programme customers stored on its systems, or loses access to that data.
  → Destruction or loss of access to personal data, even without disclosure.
- Unauthorised internal use (insider misuse)
  A call-centre employee accesses customer health and income data for non-business purposes (e.g., selling leads to third parties without authorisation, or profiling customers for personal gain).
  → Unauthorised processing and misuse by an internal actor.
Together, these examples show that under DPDP, a breach is not limited to cyber-attacks—it equally covers human error, insider misconduct, system failures, and process weaknesses, even where no data is publicly leaked.
Rule of thumb: If personal data is accessed, used, shared, altered, or lost for any purpose other than the authorised and lawful purpose, it is likely to constitute a personal data breach.
Qn | Obligations of Data Fiduciary to keep personal data safe.
The DPDP law requires Data Fiduciaries, i.e., those who have obtained and who handle or process personal data, to protect that personal data. For this, they must implement reasonable security safeguards to prevent personal data breaches.
Similarly, the law also casts an obligation on Consent Managers, who provide consent management platforms, to take reasonable security safeguards to prevent data breaches.
Qn | What is considered ‘reasonable’?
The term “reasonable” allows flexibility across organisations, sectors, and risk profiles. What is reasonable is context-dependent and will typically be assessed based on factors such as the nature and sensitivity of personal data, the volume of data processed, the risk of harm to Data Principals, and the resources and role of the Data Fiduciary.
Thus a small neighbourhood store that maintains a basic customer contact list for delivery purposes would be expected to implement far simpler safeguards than a large e-commerce platform that profiles millions of users, tracks purchasing behaviour, and stores payment-related information. What is “reasonable” in each case will vary based on scale, data sensitivity, and risk. The same applies to a local clinic versus a hospital chain; or a cinema chain versus a bank.
In practice, reasonable security safeguards would include a combination of technical, organisational, and procedural controls, proportionate to the potential risk.
Qn | What ‘reasonable’ security measures can be deployed by an organisation?
The security measures can range from one or more, or all, of the following:
- Physical access controls (e.g., the office is locked at night to prevent unauthorised access to computers and other equipment).
- System-based access controls and authentication – only people with appropriate rights can access the data.
- Data encryption and storage – the personal data, while residing on computers, servers, cloud storage, etc., is appropriately encrypted. Thus, even if the data is accessed without authorisation, it cannot be read or used by the threat actor.
- Vendor and other third-party data processor controls and oversight – the contract provides for a range of controls and oversight mechanisms to ensure the security of personal data and prevent unauthorised access or use.
- Policies, training and awareness – regular training and awareness programmes for employees and other relevant stakeholders can prevent common risks such as phishing, unauthorised data sharing, or accidental disclosures.
- Incident detection and response capability – maintaining logs, monitoring systems, and an incident-response process to quickly detect, contain, and remediate personal data breaches.
- Data minimisation and retention controls – retaining personal data only for as long as necessary and securely deleting or anonymising data once the specified purpose is served.
Qn | What happens in the case of a personal data breach?
In the event of a personal data breach, the Data Fiduciary is required to take a series of steps. These include:
- Intimation to the Data Protection Board (DPB):
  The Data Fiduciary must notify the Data Protection Board of India promptly (refer to the next question for the full provision).
- Additional breach-notification obligations may also apply under sector-specific regulations and directions issued by other authorities, such as sectoral regulators and CERT-In. While these regimes often prescribe similar breach-notification requirements, they may have different timelines and reporting formats, all of which must be complied with independently.
- Intimation to affected Data Principals:
  Where required, the Data Fiduciary must also inform the affected Data Principals of the breach, enabling them to take appropriate protective measures. No specific timeline is prescribed, but as good practice it should be as soon as reasonably practicable, having regard to the nature of the breach and the potential harm to Data Principals. Refer to the further question below on this topic.
- Containment, mitigation, and remediation:
  The Data Fiduciary is expected to take prompt and appropriate steps to review and investigate the incident, contain the breach, mitigate its impact, and prevent recurrence through appropriate technical and organisational measures.
Qn | What are the reporting obligations of a Data Fiduciary upon becoming aware of a personal data breach?
Upon becoming aware of a personal data breach, a Data Fiduciary is required to notify the Data Protection Board of India (DPB) in two stages:
- Immediate intimation (without delay):
  The Data Fiduciary must promptly inform the Board of:
  - a description of the breach, including its nature, extent, timing, and location; and
  - the likely impact of the breach.
- Detailed follow-up intimation (within 72 hours):
  Within seventy-two hours of becoming aware of the breach (or such extended period as permitted by the Board), the Data Fiduciary must provide updated and detailed information, including:
  - more detailed particulars of the breach;
  - the events, circumstances, and reasons leading to the breach;
  - measures implemented or proposed to mitigate risks;
  - any findings relating to the person responsible for the breach, if identified;
  - remedial actions taken to prevent recurrence; and
  - a report on the intimation provided to affected Data Principals.
Qn | How should a Data Fiduciary intimate a Data Principal of a data breach?
A Data Fiduciary must inform the affected Data Principal of a personal data breach in a clear, concise, and plain manner, without undue delay. The intimation should be made through the Data Principal’s user account or any communication channel registered with the Data Fiduciary. The communication should, at a minimum, include:
- A brief description of the breach, including its nature, extent, and when it occurred;
- The likely consequences of the breach for the Data Principal;
- Steps taken or being taken by the Data Fiduciary to contain the breach and mitigate risks;
- Practical safety measures the Data Principal can take to protect her interests; and
- Business contact details of a person authorised to respond to queries on behalf of the Data Fiduciary.
Qn | What happens after reporting a breach to the Data Protection Board?
Upon receipt of an intimation of a personal data breach, the Data Protection Board of India may take the following actions:
- Direct urgent remedial or mitigation measures to address the immediate impact of the breach;
- Inquire into the circumstances of the personal data breach, including compliance with obligations under the DPDP Act; and
- Impose monetary penalties, where it considers such action fit and necessary, in accordance with the provisions of the Act.
Qn | Can a Data Principal make a complaint to the Data Protection Board?
Yes. A Data Principal can make a complaint to the Data Protection Board in respect of:
- a personal data breach, or
- a breach in observance by a Data Fiduciary of its obligations in relation to the personal data of the complainant under the DPDP Act, or
- a breach in observance by a Consent Manager of its obligations in relation to the personal data of the complainant under the DPDP Act.
Such a complaint may be made after exhausting the grievance-redressal mechanism provided by the Data Fiduciary, in the manner prescribed under the Act.
Qn | Can the Government or courts refer matters to the Data Protection Board?
Yes. In addition to complaints by Data Principals, the Data Protection Board may also inquire into a breach:
- on a reference made by the Central Government or a State Government, or
- in compliance with the directions of any court,
and may impose penalties as provided under the DPDP Act.
Qn | In what other instances can the DPB act in regard to a breach?
The Board may also act in the following cases:
- on receipt of an intimation of a breach of any condition of registration of a Consent Manager, to inquire into such breach and impose a penalty; and
- on a reference made by the Central Government in respect of a breach in observance of the provisions of sub-section (2) of section 37 by an intermediary, to inquire into such breach and impose a penalty as provided in the Act.
Qn | What factors will the DPB consider while imposing a penalty for a personal data breach?
When the Data Protection Board decides to impose a monetary penalty for a breach of the DPDP Act, it will not apply a one-size-fits-all approach. Instead, it will consider the overall context and seriousness of the breach.
Key factors the Board is likely to consider include:
- how serious the breach was,
- how long it lasted, and
- what kind of personal data was affected.
A breach involving sensitive information, or one that continued over a long period, is likely to be treated more seriously than a minor or short-lived incident.
It will also be relevant to consider whether the breach was a one-off lapse or part of a repeated pattern of non-compliance, and whether the organisation benefited financially or avoided a loss because of the breach.
Just as importantly, the Board is also likely to consider how the organisation responded once the breach came to light. Quick action to contain the incident, reduce harm to individuals, and fix underlying issues can significantly influence the outcome.
Qn | What is the penalty provided by law for the incident of data breach?
The DPDP Act provides penalties of up to ₹250 crore for an incident involving a data breach. The actual penalty – within this range – will of course depend on the nature of the breach and circumstances.
Qn | What remedies are available to a Data Principal if a personal data breach occurs, even though the DPDP Act does not provide for compensation?
While the DPDP Act does not provide for monetary compensation to Data Principals for personal data breaches, the affected individuals do have recourse to a few remedies. The Data Principal may seek the following remedies, depending on the nature and impact of the breach:
Regulatory remedy under the DPDP Act
A Data Principal may file a complaint with the Data Protection Board of India against the Data Fiduciary or Consent Manager for a personal data breach or for non-compliance with obligations under the Act. The Board may inquire into the matter, issue directions, and impose monetary penalties on the defaulting entity. While penalties are payable to the Government, regulatory action serves as an accountability and deterrence mechanism.
Grievance redressal by the Data Fiduciary
Data Principals are entitled to seek redress through the grievance-redressal mechanism of the Data Fiduciary. This may result in corrective actions such as explanation, rectification, enhanced safeguards, or other remedial measures, even if monetary compensation is not awarded.
Civil remedies under other applicable laws
Where a data breach results in actual harm, loss, or injury, a Data Principal may pursue civil remedies under other applicable laws, such as tort law, contract law, or consumer protection laws, depending on the facts and the relationship with the Data Fiduciary. This may also result in awarding of damages or compensation.
Sector-specific remedies
In regulated sectors such as banking, insurance, telecom, or healthcare, additional remedies may be available under sectoral laws, regulatory frameworks, or ombudsman schemes, where applicable.
Criminal remedies (where applicable)
In cases involving fraud, identity theft, cheating, or other offences, affected individuals may also have recourse under applicable criminal laws, independent of proceedings under the DPDP Act.
Updated as on 20 December 2025.
Note: The above article is for general informational purposes only and does not constitute professional or legal advice. Please seek specific advice for your situation. We do not warrant on the accuracy or completeness of the subject matter discussed above and disclaim all liability for any losses or damages caused to or incurred by any person.
Compliense Advisors is a Compliance Advisory firm. We advise on compliance and regulatory matters and our subject matter expertise includes Privacy (DPDP), AML (PMLA) and Anti-Financial Crime; and Insurance and Mutual Fund regulations. We can assist in your compliance framework and obligations. Write to us on info@compliense.com.