Mandatory reporting of personal data breaches to the Data Protection Board and affected individuals within 72 hours.
Under DPDPA Section 8(6), every Data Fiduciary must notify the Data Protection Board of India and each affected Data Principal without delay upon becoming aware of a personal data breach. Rule 7 of the Rules 2025 specifies that this must occur within 72 hours. The notification must describe the nature of the breach, the data affected, remedial measures taken, and contact information for further queries. The Board may direct additional actions based on breach severity.
The 72-hour clock starts from awareness, not from completing your investigation. Late notification is a separate offence carrying penalties up to Rs 200 crore — in addition to penalties for the breach itself.
A Bengaluru fintech detects unusual database queries at 2 AM Tuesday. By 10 AM the security team confirms 15,000 customer records were accessed. The 72-hour notification clock starts at 10 AM Tuesday, so the Board and all 15,000 affected customers must be notified by 10 AM Friday.
You cannot wait until your forensic investigation is complete before notifying. The 72-hour deadline requires notification with whatever information is available, with updates to follow as the investigation progresses.