DPDP Breach Notification Rules: What to Do Within the First 72 Hours

Introduction
In the digital age, a data breach isn’t a “maybe”; it’s an eventuality. For Indian businesses, that reality just became far more urgent thanks to the DPDP Act and its Rules. The framework mandates that a business governed by it must notify both the Data Protection Board of India and affected users within 72 hours of becoming aware of a personal data breach.
This blog lays out exactly what must be done in the first 72 hours after a breach and how a platform like Blutic can help streamline compliance and audit‑readiness.
What the Law Requires
Under Rule 7 of the DPDP Rules:
- A “personal data breach” is any unauthorised access, disclosure, alteration or loss of personal data. (King Stubb & Kasiva)
- Notification must be made to the Data Protection Board and the Data Principals (users) without undue delay, effectively within 72 hours of detection. (Bar and Bench - Indian Legal news)
- The user notification must include the nature of the breach, categories of data, consequences, remedial actions, and a contact for queries.
- The regulator notification must include timing, cause, number of users affected, data categories, steps taken, and measures to prevent recurrence.
- Failure to comply can lead to penalties of up to ₹250 crore, especially for serious or repeated breaches. (Press Information Bureau)
Why the First 72 Hours Matter
- Reputational risk: A well‑handled notification builds trust; delays or non‑notification destroy it.
- Regulatory risk: The clock starts when you become “aware” of the breach, not when it happens.
- Operational risk: Without clear response steps in the first hours, you may lose control of the damage, propagation, and forensic evidence.
A Step‑by‑Step 72‑Hour Breach Response Guide
Hour 0–4: Detect & Triage
- Confirm the incident: identify the breach event, impacted systems, and scope.
- Activate the incident response team (legal, IT, communications, product).
- Document initial timeline and details.
Hours 4–24: Assess & Contain
- Identify categories and volume of personal data affected (names, device IDs, cookies, tracking data).
- Apply containment measures: block access, isolate affected systems, secure logs.
- Start forensic logging: access logs, change logs, network logs.
Hours 24–48: Notify Users & Regulators
- Draft the user‑facing notification: clear language, nature of breach, data categories, consequences, steps being taken, contact info.
- Draft regulator submission: cause, time period, number of users, remediation, future prevention.
- Send or schedule release of these documents in the required format.
Hours 48–72: Follow‑Up & Record
- Ensure notifications have gone out and confirmations of receipt are logged.
- Continue forensic investigation and gather evidence of root cause.
- Update internal logs for audit trail: detection time, response time, notifications, mitigation.
- Prepare internal executive briefings and board summary.
- Plan long‑term remediation and preventive controls (e.g., encryption, cookie consent changes, audit logs).
How Blutic Helps You Stay Ready
Blutic offers a consent‑management and compliance platform tailored for Indian businesses, including breach readiness:
- Real‑time tracking of consent and cookie logs for audit‑trail support.
- Templates and workflows aligned to DPDP breach‑notification requirements.
- Integration with tag‑management and consent tools to stop trackers or data‑flows during breach events.
- Dashboard for executives to view incident summaries, statuses, and user notifications.
With Blutic, you’re not just installing a banner; you’re building an enterprise‑ready response engine.
Breaches will happen. Under the DPDP framework, the difference between safe and non‑compliant often comes down to how quickly and clearly you act. If you follow the 72‑hour response steps above and build your systems around audit‑ready consent logs, you’ll be prepared not just for regulation, but for user trust.
Don’t wait for the notification. Start your readiness today.

