DPDP Act Breach Notification Timeline 72 Hours
India’s data protection landscape took a decisive turn with the introduction of the Digital Personal Data Protection Act, 2023 (DPDPA). Designed to safeguard the personal data of individuals (referred to as Data Principals), the Act imposes strict obligations on organizations known as Data Fiduciaries. Among its most critical compliance requirements is the 72-hour breach notification rule, which mandates prompt reporting of personal data breaches.
With the reinforcement of these obligations through the Digital Personal Data Protection Rules, 2025, organizations must now be more vigilant than ever in detecting, assessing, and reporting data breaches. Failure to comply can lead to significant financial penalties—up to ₹250 crore—and reputational damage.
This blog explores the 72-hour breach notification rule in detail, breaking down its triggers, requirements, challenges, and best practices for compliance.
What is a Personal Data Breach?
Before diving into timelines, it’s important to understand what constitutes a breach under the DPDPA. A personal data breach refers to any unauthorized access, disclosure, alteration, or loss of personal data. This includes:
- Cyberattacks (e.g., ransomware, phishing)
- Accidental data leaks
- Insider threats
- Loss or theft of devices containing personal data
Even seemingly minor incidents may qualify as breaches if they compromise personal data.
The 72-Hour Rule: When the Clock Starts
One of the most important aspects of the breach notification requirement is timing.
Under the DPDPA and Rules 2025, the 72-hour countdown begins the moment a breach is detected or identified, not when it is fully investigated.
This distinction is critical. Organizations often delay reporting while trying to understand the full scope of an incident—but under the law, such delays can result in non-compliance.
Detection vs. Confirmation
- Detection: When a security incident is first recognized as a potential breach.
- Confirmation: When the organization verifies the breach and its impact.
The law prioritizes early detection, meaning organizations must act quickly even with incomplete information.
Who Must Be Notified?
In the event of a breach, Data Fiduciaries are required to notify:
- The Data Protection Board of India
This is the regulatory authority responsible for overseeing compliance under the DPDPA.
- Affected Data Principals
Individuals whose personal data has been compromised must also be informed “without delay.”
This dual-notification requirement ensures both regulatory oversight and individual awareness.
What Must Be Included in the Notification?
The breach notification must be clear, comprehensive, and in plain language. Key elements include:
For the Data Protection Board:
- Nature of the breach
- Categories and volume of affected data
- Number of impacted Data Principals
- Likely consequences of the breach
- Steps taken to mitigate harm
- Contact details of the Data Fiduciary or Data Protection Officer
For Data Principals:
- What happened
- What data was affected
- Potential risks (e.g., identity theft, fraud)
- Steps individuals can take to protect themselves
- Support channels (helpline, email, etc.)
The emphasis on plain language ensures accessibility and transparency.
“Without Delay”: What Does It Mean?
Unlike the strict 72-hour rule for regulatory reporting, the requirement to notify Data Principals is less rigid but equally important.
“Without delay” generally implies:
- Notification should occur as soon as reasonably possible
- No unnecessary waiting for complete internal investigations
- Prioritization of user safety over reputational concerns
Delays can increase harm to individuals and attract regulatory scrutiny.
Can the 72-Hour Deadline Be Extended?
Yes, but only under specific circumstances.
Organizations may request an extension from the Data Protection Board if:
- The breach is complex and requires deeper investigation
- Critical information is not yet available
- There are legitimate operational constraints
However, such requests must be justified and documented, and there is no guarantee they will be granted.
Penalties for Non-Compliance
Non-compliance with breach notification requirements can lead to severe consequences:
- Monetary penalties of up to ₹200 crore
- Regulatory investigations
- Reputational damage
- Loss of customer trust
The DPDPA adopts a strict enforcement approach, making timely compliance essential.
Challenges in Meeting the 72-Hour Timeline
Organizations often struggle with:
- Late Detection
Many breaches go unnoticed for days or weeks due to weak monitoring systems.
- Internal Coordination
Gathering information across departments (IT, legal, compliance) can be time-consuming.
- Unclear Ownership
Lack of defined roles delays decision-making during incidents.
- Fear of Reputational Damage
Organizations may hesitate to disclose breaches quickly.
- Incomplete Information
Initial uncertainty about the breach scope can slow reporting.
Best Practices for Compliance
To meet the 72-hour requirement effectively, organizations should adopt a proactive approach.
- Establish an Incident Response Plan
Define clear steps for:
  - Detection
  - Containment
  - Assessment
  - Reporting
- Appoint a Data Protection Officer (DPO)
A dedicated DPO ensures accountability and coordination.
- Implement Real-Time Monitoring
Use advanced tools to detect anomalies and potential breaches early.
- Conduct Regular Drills
Simulate breach scenarios to test readiness.
- Maintain Documentation Templates
Pre-drafted notification formats can save valuable time.
- Train Employees
Awareness programs help identify and report incidents quickly.
Comparison with Global Standards
India’s 72-hour rule aligns closely with international frameworks such as:
- General Data Protection Regulation (GDPR), which also mandates breach reporting within 72 hours
- Other global privacy laws emphasizing rapid disclosure
This alignment reflects India’s commitment to global data protection standards.
Why the 72-Hour Rule Matters
The breach notification timeline is not just a regulatory requirement—it serves critical purposes:
Protecting Individuals
Quick notification allows users to take preventive actions like:
- Changing passwords
- Monitoring financial accounts
- Avoiding phishing scams
Enhancing Transparency
It builds trust between organizations and users.
Strengthening Accountability
It ensures organizations take data protection seriously.
The Road Ahead
As enforcement of the DPDPA and Rules 2025 strengthens, organizations must move from reactive to proactive compliance. The 72-hour breach notification rule is a cornerstone of this framework, demanding speed, transparency, and accountability.
Organizations that invest in robust data governance and incident response systems will not only avoid penalties but also gain a competitive advantage in an increasingly privacy-conscious world.
FAQs on DPDP Act Breach Notification Timeline
Q1. What is the 72-hour breach notification rule under the DPDPA?
A1. It requires Data Fiduciaries to report personal data breaches to the Data Protection Board within 72 hours of detecting the breach.
Q2. When does the 72-hour clock start?
A2. The clock starts immediately upon detection of the breach, not after full investigation.
Q3. Who needs to be notified?
A3. Both the Data Protection Board of India and affected Data Principals must be notified.
Q4. What does “without delay” mean for notifying users?
A4. It means informing affected individuals as soon as possible, without unnecessary waiting.
Q5. What information must be included in the notification?
A5. Details about the breach, affected data, risks, mitigation measures, and contact information must be provided.
Q6. Can organizations delay reporting until they have full information?
A6. No. Initial reporting must happen within 72 hours, even if all details are not yet available.
Q7. Is it possible to get an extension beyond 72 hours?
A7. Yes, but only with a justified request to the Data Protection Board.
Q8. What are the penalties for failing to report on time?
A8. Penalties can go up to ₹200 crore, along with reputational damage and regulatory action.
Q9. Does every data breach need to be reported?
A9. Yes, if it involves personal data and poses a risk to Data Principals.
Q10. How can organizations ensure compliance with the 72-hour rule?
A10. By implementing strong incident response plans, real-time monitoring, employee training, and clear reporting procedures.