Data Breach Reporting In India: Legal Obligations And Best Practices

In a time when digital economies rely heavily on personal data, breaches of that data have far-reaching effects on not only individuals but also institutional accountability and public trust. An important step toward user rights and regulatory clarity is the introduction of a specific framework for breach reporting by India's Digital Personal Data Protection Act, 2023. This blog explores the functions of various authorities, how breach reporting operates under Indian law, and the difficulties in guaranteeing prompt, clear disclosures in a complicated regulatory environment.

1. The Statutory Foundation: Breach Reporting under the DPDP Act

1.1 Understanding Section 8(6): The Core Breach Notification Mandate

Data Fiduciaries are clearly required by law to report breaches involving personal data, as stated in Section 8(6) of the DPDP Act. Any unauthorized access, disclosure, loss, alteration, or destruction of personal data is generally referred to as a "personal data breach."

1.2 Timeline and Scope of Reporting

The Act specifies that notification should occur “as soon as practicable” and within timelines to be prescribed by the Central Government, currently detailed in the Draft DPDP Rules as 72 hours from awareness. The obligation applies to all fiduciaries processing personal data within India’s territorial scope, including government agencies and private companies.

Once a fiduciary becomes aware of such a breach, they must:

  • Notify the Data Protection Board of India (DPBI), the statutory adjudicatory authority under the Act.

  • Inform all affected Data Principals (the individuals whose data is compromised).

It's crucial to remember that, while the notification requirements towards Data Principals in the accompanying Draft Rules frequently take into account the possibility of significant harm or impact (a common nuance in international privacy regimes), the Act generally requires reporting any personal data breach to the DPBI, a "zero-tolerance" approach to regulatory awareness.

2. Practical Implementation of DPDP Rules & Enforcement Realities

2.1 Defining “Awareness” and the 72-Hour Clock

According to the Draft Rules, "awareness" refers to the moment when the fiduciary has a reasonable suspicion that there has been a breach involving personal data. This practical definition takes into consideration circumstances, like ongoing forensic investigations, where the precise timing of the breach is unknown. Determining this exact moment is critical for legal professionals because waiting to notify while verifying every detail can result in serious legal risks. This highlights the necessity of strong internal protocols to establish and document the point of "reasonable belief."

2.2 Notification Process: Reporting to the Board and Individuals

The fiduciary is required to:

  • Submit a detailed breach report to the DPBI via an online portal (yet to be operationalized), including data categories affected, estimated number of affected individuals, and mitigation measures taken.
  • Give impacted parties notices in plain language that explain the type of breach, possible dangers, and suggested countermeasures (such as changing passwords).

2.3 Maintaining a Breach Register

Fiduciaries are required to keep an internal Breach Register that records all incidents, even those judged not to be reportable to the Board (for example, because of limited impact). This register is an essential part of demonstrating accountability and due diligence: it provides crucial evidence for regulatory audits and shows the fiduciary's proactive approach to handling every data security incident, regardless of its immediate reportability. Additionally, Significant Data Fiduciaries are required to perform a thorough audit and a Data Protection Impact Assessment (DPIA) once a year, with the results being reported to the Data Protection Board of India (DPBI).

2.4 Enforcement Powers and Current Status of the Data Protection Board

The Data Protection Board of India (DPBI) has significant powers under the DPDP Act to:

  • Investigate breaches

  • Impose penalties (up to ₹250 crore for serious violations)

  • Order remedial measures

The DPBI has not yet been formally established, and its operational procedures are still pending as of mid-2025. This leaves a practical gap: fiduciaries are bound by the statutory obligation, yet have no formal complaint resolution forum or live authority portal to report to. In this "compliance limbo", legal counsel is recommending thorough documentation of all incident response procedures and preparation for prompt report submission once the DPBI portal is operational.

2.5 Penalties and Liability Under the DPDP Act

The financial penalties are hefty: up to ₹250 crore for failing to take reasonable security precautions to prevent a personal data breach, and up to ₹200 crore for failing to notify the Board and affected Data Principals of a personal data breach. Beyond the amounts themselves, the DPBI is likely to take a number of factors into account when imposing penalties, including the type and seriousness of the infraction, how long it lasted and how often it happened, the steps taken to lessen the harm, the fiduciary's prior compliance history, and its cooperation with the Board. Demonstrating a strong breach response plan and adherence to best practices can therefore be essential to reducing liability.

3. Navigating the Complex Regulatory Landscape: Authorities, Overlaps, and Precedence

A variety of authorities oversee India's digital ecosystem, each with the authority to impose cybersecurity, data protection, and sector-specific regulations. Although the goal of this multi-regulator framework is to fully address a variety of risks, it inevitably leads to jurisdictional overlaps, unclear procedures, and coordination issues that affect regulators as well as fiduciaries (data processors/controllers). Effective breach reporting and enforcement depend on knowing who has priority and how these overlaps actually manifest in practice.

3.1 The Principal Regulatory Authorities

  • Data Protection Board of India (DPBI): The DPBI, created under the Digital Personal Data Protection Act (DPDP Act), is the primary adjudicatory body for breaches involving personal data. It is in charge of receiving breach reports from Data Fiduciaries, looking into complaints, enforcing fines of up to ₹250 crore, and managing the resolution of grievances pertaining to personal data.

  • Indian Computer Emergency Response Team (CERT-In): CERT-In, operating under the Information Technology Act, 2000, is the national organization responsible for detecting, responding to, and coordinating cybersecurity incidents. To facilitate quick containment, it requires that all cybersecurity incidents, including breaches involving personal data, be reported within six hours of discovery.

  • Sectoral Regulators: Several domain-specific regulators enforce breach reporting within their sectors, each with unique timelines and definitions:

    • a. Reserve Bank of India (RBI) governs banks and NBFCs, requiring prompt notification of cyber incidents and frauds.

    • b. Securities and Exchange Board of India (SEBI) mandates listed companies disclose material cybersecurity events under LODR regulations.

    • c. Insurance Regulatory and Development Authority of India (IRDAI) oversees insurers’ breach reporting.

    • d. Telecom Regulatory Authority of India (TRAI) regulates subscriber data privacy and breach reporting in telecom.

    • e. National Payments Corporation of India (NPCI): Despite not being a direct regulator in the conventional sense, NPCI establishes cybersecurity frameworks and operational guidelines for all participants in India's retail payment systems, such as RuPay and UPI. Its directives frequently include incident reporting requirements for breaches affecting payment infrastructure or data.

    • f. National Health Mission (NHM): Guidelines or standards for data privacy and security within the health sector are frequently issued by relevant health authorities (such as the National Health Authority overseeing the Ayushman Bharat Digital Mission). Their framework documents, such as the Health Data Management Policy, set out expectations for breach management and reporting pertaining to sensitive health data, even though these bodies are not direct enforcement agencies for the DPDP Act.

3.2 Precedence of Authorities: Who Takes Priority?

The DPDP Act and the related regulatory landscape do not explicitly clarify which authority’s rules prevail in cases of overlapping jurisdiction. However, practical precedence can be inferred based on statutory scope, timelines, and the nature of the breach:
  • CERT-In’s Immediate Precedence for Cybersecurity Incidents: When a breach involves cybersecurity risks, regardless of whether personal data is concerned, CERT-In's requirements take precedence because its mandate covers all cybersecurity incidents and enforces an urgent 6-hour reporting window. By enabling prompt threat mitigation, this urgency strengthens India's national cybersecurity posture.

  • DPBI’s Role as the Data Privacy Adjudicator: Breaches of personal data and the associated privacy harms fall specifically under the DPBI's jurisdiction. Fiduciaries have a 72-hour window to evaluate the impact and extent of the breach before notifying. With its emphasis on individual rights and data fiduciary accountability, the DPBI's breach reporting requirement is therefore a necessary but secondary step.

  • Sectoral Regulators’ Parallel Jurisdiction: Independent sectoral organizations such as the RBI, SEBI, IRDAI, TRAI, NPCI (for payment systems participants), and health sector authorities (such as NHA/NHM directives) have their own regulatory frameworks and risk models that dictate the notifications they need. Their jurisdiction operates alongside CERT-In and the DPBI, so fiduciaries are required to adhere to each sectoral timeline and reporting format as well. The requirements of these regulators are cumulative and cannot replace one another.

It would greatly help fiduciaries navigate this complex regulatory environment if there was more formal clarity on precedence, possibly through interagency Memoranda of Understanding or joint advisories.

3.3 Practical Problems Arising from Overlaps and Conflicts
  • Conflicting Reporting Timelines: CERT-In's 6-hour deadline is extremely aggressive, the DPBI's 72-hour timeline permits a more thorough impact assessment, and sectoral regulators have their own timelines; the result is confusion about which obligation to prioritize.

  • Duplication and Fragmentation of Reporting: Entities frequently have to submit multiple separate reports to various regulators, which increases administrative burdens, poses the risk of inconsistent information, and delays incident management.

  • Jurisdictional Ambiguity and Enforcement Gaps: A lack of coordinated enforcement mechanisms can result in inconsistent enforcement, "forum shopping" by data principals, "regulatory arbitrage," and challenges with multi-agency collaboration.

  • Technical and Operational Constraints on Regulators: Response times and investigations are slowed down by the lack of integrated, user-friendly portals at many regulators and by the restricted capacity for data sharing and intelligence exchange.

  • Impact on Smaller Organizations: Due to their lack of resources and experience, micro, small, and medium-sized enterprises (MSMEs) have a disproportionately difficult time adhering to multiple reporting regimes.
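To make the concurrent obligations described in 2.1, 2.3 and 3.3 concrete, the following is an added Python example, not code from the original post and not any regulator's tool. It models a minimal internal Breach Register that timestamps the documented moment of "awareness" and derives every regulator's notification deadline from that single instant, so the soonest obligation (CERT-In's six hours) is never lost behind the longer DPBI window (72 hours). The 6-hour and 72-hour windows are the ones the text names; the sectoral window used for RBI, the incident details and the timestamps are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Windows named in the text, both counted from the moment of "awareness"
# (reasonable belief that a personal data breach has occurred).
CERT_IN_WINDOW = timedelta(hours=6)
DPBI_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    """One entry in the internal Breach Register."""
    incident_id: str
    aware_at: datetime                 # documented moment of reasonable belief
    description: str
    data_categories: list[str]
    affected_count: int
    involves_personal_data: bool       # triggers DPBI and Data Principal notice
    is_cyber_incident: bool            # triggers CERT-In
    # Sectoral windows differ per regulator and are not fixed here; callers
    # supply them. Values used below are placeholders, not real figures.
    sectoral_windows: dict[str, timedelta] = field(default_factory=dict)
    notified_at: dict[str, datetime] = field(default_factory=dict)
    reportable_to_board: bool = True   # record is kept even when False

    def deadlines(self) -> dict[str, datetime]:
        """Every concurrent notification deadline, earliest first."""
        due: dict[str, datetime] = {}
        if self.is_cyber_incident:
            due["CERT-In"] = self.aware_at + CERT_IN_WINDOW
        if self.involves_personal_data and self.reportable_to_board:
            due["DPBI"] = self.aware_at + DPBI_WINDOW
        for regulator, window in self.sectoral_windows.items():
            due[regulator] = self.aware_at + window
        return dict(sorted(due.items(), key=lambda item: item[1]))

    def record_notification(self, regulator: str, when: datetime) -> None:
        """Log the time a notice actually went out, as audit evidence."""
        self.notified_at[regulator] = when

    def status(self, now: datetime) -> dict[str, str]:
        """Per regulator: 'done', 'late' (sent after deadline), 'overdue' or 'pending'."""
        result: dict[str, str] = {}
        for regulator, due in self.deadlines().items():
            sent = self.notified_at.get(regulator)
            if sent is not None:
                result[regulator] = "done" if sent <= due else "late"
            elif now > due:
                result[regulator] = "overdue"
            else:
                result[regulator] = "pending"
        return result


class BreachRegister:
    """Register of all incidents, reportable or not, for audit evidence."""

    def __init__(self) -> None:
        self.records: list[BreachRecord] = []

    def add(self, record: BreachRecord) -> None:
        self.records.append(record)

    def open_obligations(self, now: datetime) -> list[tuple[str, str, datetime]]:
        """(incident_id, regulator, deadline) for every unsent notice, soonest first."""
        items = [
            (rec.incident_id, regulator, due)
            for rec in self.records
            for regulator, due in rec.deadlines().items()
            if regulator not in rec.notified_at
        ]
        return sorted(items, key=lambda item: item[2])


def build_sample_register() -> BreachRegister:
    """Constructed sample data only; these are not real incidents."""
    aware = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    register = BreachRegister()
    register.add(BreachRecord(
        incident_id="INC-0001",
        aware_at=aware,
        description="Constructed: suspected exfiltration from a customer database",
        data_categories=["name", "email", "phone"],
        affected_count=12000,
        involves_personal_data=True,
        is_cyber_incident=True,
        sectoral_windows={"RBI": timedelta(hours=24)},  # placeholder, not RBI's figure
    ))
    register.add(BreachRecord(
        incident_id="INC-0002",
        aware_at=aware + timedelta(hours=2),
        description="Constructed: misdirected internal email, no external exposure",
        data_categories=["employee id"],
        affected_count=3,
        involves_personal_data=True,
        is_cyber_incident=False,
        reportable_to_board=False,     # judged not reportable, still registered
    ))
    return register


if __name__ == "__main__":
    reg = build_sample_register()
    now = datetime(2025, 6, 1, 16, 0, tzinfo=timezone.utc)
    for rec in reg.records:
        print(rec.incident_id, rec.status(now))
    for item in reg.open_obligations(now):
        print("open:", item)
```

Run stand-alone, the sample shows INC-0001 already overdue for CERT-In at 16:00 UTC while the DPBI and sectoral notices are still pending, which is exactly the prioritization problem the list above describes; INC-0002 carries no deadlines but stays in the register as evidence of how the incident was assessed.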


3.4 Regulatory Efforts and the Way Forward

In recognition of these difficulties, efforts are underway to operationalize the DPBI, draft centralized breach reporting frameworks, create common reporting templates, and establish more inter-regulatory coordination forums. Until these are fully implemented, however, fiduciaries and regulators must negotiate this complicated and overlapping regulatory landscape with diligence, flexibility, and strong internal coordination.

3.5 Cross-Border Implications

Data breaches frequently result in several different reporting requirements for Indian data fiduciaries or processors with global operations, especially those working with data principals in jurisdictions like the EU (under GDPR). It is very difficult to reconcile disparate deadlines, notification content specifications, and enforcement methods across different legal frameworks. Navigating these intricate, multi-jurisdictional compliance requirements thus requires a strong international incident response plan.

4. Building a Breach-Ready Organization: Compliance in Practice

4.1 Governance: The Role of the Data Protection Officer

Particularly for Significant Data Fiduciaries, the Draft DPDP Rules place a strong emphasis on designating a Data Protection Officer (DPO) or comparable nodal officer. This person serves as the center of breach readiness and is in charge of organizing breach investigation and detection, making sure that reports are accurate and submitted on time, and keeping track of breaches. To expedite responses, even smaller fiduciaries are encouraged to assign a responsible individual.

4.2 Technical and Operational Controls for Early Detection

In order to comply with the strict 72-hour notification deadline, early breach detection is essential. Technical protections like Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) tools, Endpoint Detection and Response (EDR) technologies, frequent penetration testing, vulnerability assessments, and encryption of sensitive data are recommended for use by organizations. Operationally, quick action is ensured by setting up incident response teams with defined escalation protocols.

4.3 Data Mapping and Minimization: Foundations of Quick Response

It is crucial to comprehend the data lifecycle, including what data is gathered, where it is stored, and who can access it. Quick evaluation of the extent of the breach is made possible by thorough data inventories. By limiting needless data collection and retention, data minimization principles further reduce exposure by lowering the risk and potential damage of breaches.

5. Protecting the Data Principal: Rights, Remedies & Ethical Imperatives

5.1 Right to Be Informed and Its Practical Implications

Data principals are legally entitled to notice of breaches involving their personal information, along with concise and intelligible information about the scope and nature of the breach, the risks involved, and suggested countermeasures (such as password changes and account monitoring). People are better equipped to take precautions against fraud, identity theft, and damage to their reputation when they receive timely notice.

5.2 Access to Grievance Redress and Compensation

The DPDP Act does not provide automatic compensation, even though it permits people to file complaints with the DPBI or seek redress through fiduciaries' grievance redressal mechanisms. To obtain damages through civil litigation based on tort principles, criminal proceedings under Section 43A and Section 72A of the Information Technology Act, 2000 for wrongful disclosure, or constitutional remedies invoking the fundamental right to privacy (Article 21), victims must demonstrate harm or negligence.

5.3 Ethical and Constitutional Underpinnings

In Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court upheld the right to informational self-determination, which goes beyond the letter of the law. The foundations of democratic data governance—privacy, dignity, and trust—are compromised by nondisclosure. The necessity of transparent and timely reporting to minimize harm is underscored by recent significant events, including the Aadhaar leak, the Axis Bank breach (2020), the BigBasket data compromise (2021), and the 2024 telecom subscriber data breach. Courts may enforce remedies based on the IT Act's provisions and constitutional privacy rights if notice is not given.

6. Institutional and Operational Challenges in Implementing Breach Reporting

6.1 The Data Protection Board: An Authority in Waiting

As of mid-2025, the Data Protection Board of India (DPBI) is still not in operation, despite being empowered by the DPDP Act to supervise breach reporting and adjudication. There is no official complaint handling procedure, no publicly accessible registry, and no established portal for breach submission. This deficiency puts fiduciaries in a compliance limbo and delays enforcement.

6.2 The Absence of a Centralized Public Breach Registry

At the moment, India does not have a publicly available breach disclosure database, in contrast to countries like the EU or Australia. Although the DPDP Act does not specifically call for it, supporting a public breach registry would increase openness and public knowledge of breach patterns, which could strengthen the deterrent effect that public scrutiny can have.

6.3 Compliance Burdens on Smaller Entities

While all fiduciaries must report breaches, MSMEs are disproportionately affected. Compliance is challenging due to a lack of resources and technical know-how, particularly in the absence of sector-specific exemptions, government guidelines, or templates.

6.4 Lack of Standardization and Sectoral Coordination

There are discrepancies because no formal templates or notification formats have been released. Operational confusion results from sectoral regulators' and CERT-In's overlapping requirements. The technical or contractual capabilities of many technology vendors that work with Indian organizations have not yet been updated to enable quick breach detection and notification.


Conclusion: Strengthening Data Breach Reporting for a Safer Digital India

Summarizing the Current Landscape

A major step forward in safeguarding personal information and upholding accountability is India's data breach reporting system, which is supported by the DPDP Act and is supplemented by a number of regulatory bodies. The legal requirement to report breaches within stringent timeframes upholds Data Principals' rights and encourages a transparent fiduciary culture. Compliance and enforcement are made more difficult by the practical and legal difficulties posed by the coexistence of overlapping authorities like CERT-In, sectoral regulators, and the Data Protection Board, which has not yet been fully established.

Key Takeaways for Stakeholders

  • For Regulators: To cut down on duplication and boost the efficacy of breach response, there is an urgent need to improve coordination, standardize reporting frameworks, and create interoperable systems.
  • For Data Fiduciaries: Proactive governance, transparent internal procedures, and the ability to promptly fulfill several concurrent obligations are necessary for comprehending and navigating the complex regulatory environment.
  • For Data Principals: Strong breach notification rights give people the ability to protect their privacy and pursue remedies, boosting confidence in India's developing data governance framework.

Recommendations for Future Strengthening

To realize the full potential of India’s breach reporting framework, stakeholders must collaborate to:

  • Operationalize the Data Protection Board of India by establishing clear protocols, authority, and easily accessible portals for the reporting and adjudication of breaches.

  • Create a centralized, unified breach reporting portal that incorporates CERT-In, DPBI, and sectoral regulator notifications, to expedite fiduciary compliance.

  • Establish uniform breach notification procedures and schedules, striking a balance between the urgency of reporting cybersecurity incidents and the need for comprehensive impact assessments on personal data.

  • Provide technical assistance and capacity building to regulators and smaller fiduciaries, to guarantee thorough and prompt reporting.

  • Promote public openness by educating the public and encouraging accountability through a breach registry.

India's system for reporting data breaches is at a pivotal point. If reforms are implemented with coordination and vigilance, it can become a model for protecting personal data while promoting digital innovation and trust. As people build online personas for themselves in the form of data, personal data must be viewed and safeguarded as a form of currency, and regulations created accordingly.


In the digital era, personal data is a form of currency. Protecting it means protecting trust, dignity, and progress.
