The Breach Reality
Data breaches are not a matter of if but when. Every organisation processing personal data faces this reality. The question is not whether you will experience a breach but how you will respond when it occurs. Under the Digital Personal Data Protection Act, 2023, your response carries significant legal consequences.
The DPDPA mandates that Data Fiduciaries notify both the Data Protection Board and affected Data Principals in the event of a personal data breach. This dual notification requirement ensures regulatory oversight while enabling individuals to take protective action. The penalties for non-compliance or delayed notification can reach Rs 200 crore.
What Constitutes a Breach
A personal data breach under the DPDPA encompasses any unauthorised processing or accidental disclosure of personal data that compromises its confidentiality, integrity, or availability. This definition is broader than many businesses assume.
A breach is not limited to external cyberattacks. An employee accessing data without authorisation is a breach. A server misconfiguration exposing data publicly is a breach. Sending personal data to the wrong recipient is a breach. Losing an unencrypted device containing personal data is a breach.
The common thread is compromise. If personal data ends up somewhere it should not be, or is accessed by someone who should not have access, you likely have a notifiable breach.
Detection Capabilities
You cannot notify what you cannot detect. Invest in monitoring capabilities that identify anomalous data access or transfer. Security Information and Event Management systems, intrusion detection tools, and data loss prevention technologies all play a role.
But technology alone is insufficient. Train employees to recognise and report potential breaches. A suspicious email, an unexpected system behaviour, or an unexplained data request should trigger investigation. The earlier you detect a breach, the more effectively you can contain it and the more credibly you can demonstrate timely response to regulators.
The Notification Obligation
Upon becoming aware of a breach, you must notify the Data Protection Board. The exact timeline awaits notification of the rules, but international standards suggest 72 hours as a benchmark. The notification must include the nature of the breach, the categories of data affected, the approximate number of Data Principals affected, and the measures taken to mitigate harm.
Simultaneously, you must notify affected Data Principals. This notification enables individuals to take protective action, such as changing passwords, monitoring accounts for fraud, or being alert to phishing attempts exploiting the compromised data.
The notifications are not one-time events. If your investigation reveals additional information, you must provide supplementary notifications. If the scope of the breach expands beyond the initial assessment, update all parties accordingly.
Building an Incident Response Framework
Do not wait for a breach to develop your response protocol. By then, precious time will be lost to confusion and improvisation. Establish a documented incident response plan that assigns clear roles and responsibilities.
Your incident response team should include representatives from IT security, legal, communications, and senior management. Each should know its function when a breach is detected. The security team investigates and contains. Legal assesses notification obligations and regulatory exposure. Communications prepares stakeholder messaging. Senior management makes critical decisions and allocates resources.
Assessment and Containment
When a potential breach is detected, first contain it. Stop the data leak before investigating its scope. This may mean isolating affected systems, revoking compromised credentials, or blocking suspicious network traffic. Containment limits damage and demonstrates proactive response.
Then investigate. Determine what data was affected, how many individuals are impacted, how the breach occurred, and whether it has truly been contained. This investigation informs your notification content and your remediation efforts.
Document everything. Your investigation records will be reviewed by regulators assessing your response. They demonstrate due diligence, support your notification accuracy, and provide a foundation for improving security measures.
Managing Regulatory Relationships
Approach the Data Protection Board proactively. The regulator's role is not merely punitive. Early, transparent engagement can influence how the Board views your response. A business that promptly notifies, cooperates fully, and demonstrates good faith remediation is viewed more favourably than one that delays, dissembles, or deflects.
Prepare for Board inquiries. You may be asked to provide detailed breach reports, evidence of security measures, records of data processing activities, and remediation plans. Having this information organised and accessible facilitates smoother regulatory interaction.
Reputational Management
A data breach is not merely a legal problem. It is a trust problem. Your customers, partners, and stakeholders entrusted you with personal data. A breach violates that trust. How you respond determines whether trust can be rebuilt.
Be honest and proactive in communications. Do not attempt to minimise or hide the breach. News of breaches inevitably emerges, and cover-up attempts create worse reputational damage than the breach itself. Acknowledge the issue, explain what you are doing about it, and demonstrate commitment to preventing recurrence.
Offer affected individuals meaningful support. Credit monitoring services, fraud alert assistance, or direct helplines show you take their interests seriously. These measures cost money but preserve relationships that have value far exceeding the cost.
Learning and Improving
Every breach, however painful, is a learning opportunity. Conduct a thorough post-incident review. How was the breach possible? What controls failed? What worked well in your response? What could be improved?
Use these learnings to strengthen your security posture. Implement technical fixes for identified vulnerabilities. Enhance monitoring capabilities. Update incident response procedures. Train staff on lessons learned. The goal is ensuring the same breach cannot recur and similar breaches are less likely.