DPDP 72-Hour Breach Notification Checklist for India

DPDP 72-Hour Breach Notification Checklist

The Digital Personal Data Protection Act (DPDP) mandates strict timelines for reporting personal data breaches. Indian businesses must notify the Data Protection Board of India (DPBI) and affected Data Principals promptly, often within 72 hours of becoming aware of a breach.

This checklist provides a structured approach to manage a personal data breach under DPDP, outlining actions, responsible roles, and estimated timeframes. Following these steps helps mitigate risk and ensures compliance.

Phase 1: Immediate Response (First 12-24 Hours)

1. Identify and Contain the Breach:
   
   • Action: Isolate affected systems, revoke access, and stop further data exfiltration. Document initial findings.
   • Owner: CISO/Security Team, CTO
   • Time Estimate: 2-6 hours
   • External Help Cost (if needed): ₹50,000 – ₹1.5L (Incident Response Specialist)
   • MBS Tier Relevance: Full DPDP Consulting (includes implementation support and DPO training)
2. Preserve Evidence:
   
   • Action: Secure logs, forensic images, and other relevant data without altering them.
   • Owner: CISO/Security Team
   • Time Estimate: 1-3 hours
   • External Help Cost (if needed): ₹30,000 – ₹1L (Forensic Expert)
3. Initial Assessment & Severity Analysis:
   
   • Action: Determine the type of data compromised, the number of affected Data Principals, and potential impact.
   • Owner: CISO/Security Team, DPO/Compliance Officer
   • Time Estimate: 4-8 hours
   • MBS Tier Relevance: DPDP Readiness Audit (helps identify breach impact areas)
4. Assemble Incident Response Team:
   
   • Action: Designate a core team including legal, IT/security, communications, and compliance. Define roles and communication channels.
   • Owner: CXO/CEO
   • Time Estimate: 1-2 hours
5. Internal Communication:
   
   • Action: Inform relevant internal stakeholders (legal, HR, management) about the breach and ongoing response.
   • Owner: Management/DPO
   • Time Estimate: 1 hour

Phase 2: Notification & Mitigation Planning (24-72 Hours)

6. Prepare Initial Notification to DPBI:
   
   • Action: Draft a preliminary breach notification including known details, impact, and mitigation steps. DPDP requires notification 'without undue delay'.
   • Owner: DPO/Compliance Officer, Legal Counsel
   • Time Estimate: 6-12 hours
   • External Help Cost (if needed): ₹50,000 – ₹2L (Legal Counsel for DPDP)
   • MBS Tier Relevance: DPDP Workshop (provides prioritized recommendations for such processes)
7. Prepare Communication to Affected Data Principals (if required):
   
   • Action: Assess if the breach poses significant harm requiring direct notification to individuals. Draft communication, outlining affected data, risks, and recommended actions for them.
   • Owner: DPO/Compliance Officer, Communications Lead
   • Time Estimate: 8-16 hours
   • External Help Cost (if needed): ₹40,000 – ₹1.5L (PR/Communications Advisor)
8. Review & Approve Notifications:
   
   • Action: Legal and senior management review and approve all external communications.
   • Owner: Legal Counsel, CXO
   • Time Estimate: 2-4 hours
9. Submit Notification to DPBI:
   
   • Action: Formally submit the breach notification to the Data Protection Board of India.
   • Owner: DPO/Compliance Officer
   • Time Estimate: 1 hour
10. Implement Immediate Mitigation & Recovery Steps:
    
    • Action: Restore systems from backups, patch vulnerabilities, reset passwords, and enhance security controls based on initial findings.
    • Owner: CISO/Security Team
    • Time Estimate: Ongoing, 12-48 hours within this phase
    • MBS Tier Relevance: Full DPDP Consulting (implementation support)

Phase 3: Post-Notification & Remediation (Beyond 72 Hours)

11. Communicate with Affected Data Principals:
    
    • Action: Distribute the approved notification to individuals, offering support or resources as needed (e.g., credit monitoring).
    • Owner: Communications Lead, DPO
    • Time Estimate: 2-8 hours (distribution), ongoing (support)
12. Conduct Root Cause Analysis:
    
    • Action: Investigate how the breach occurred to prevent future incidents. Document findings.
    • Owner: CISO/Security Team, Internal Audit
    • Time Estimate: 1-3 weeks
    • MBS Tier Relevance: DPDP Readiness Audit (identifies potential gaps)
13. Enhance Security Controls & Policies:
    
    • Action: Implement new security measures, update policies, and conduct staff training based on the root cause analysis.
    • Owner: CISO/Security Team, HR, DPO
    • Time Estimate: Ongoing, 2-4 weeks
    • MBS Tier Relevance: Full DPDP Consulting (implementation, DPO training)
14. Document & Review Incident:
    
    • Action: Create a comprehensive post-incident report, including lessons learned and action items for continuous improvement.
    • Owner: DPO/Compliance Officer
    • Time Estimate: 1-2 weeks

What This Costs: DIY vs. Meridian Bridge Strategy Services

Managing a data breach effectively requires specialized expertise in cybersecurity, legal interpretation, and communication. While some initial steps can be managed internally, complex breaches often necessitate external support.

Sushant Pasamarty, founder of Meridian Bridge Strategy, emphasizes, "Preparing for a breach before it happens is not optional under DPDP. Our services build the framework and train your teams, reducing the chaos and cost during an actual incident."

Next Step: Bolster Your Breach Readiness

Don't wait for a breach to realize your organization's gaps. Understanding your data flows and current readiness is the first step towards a robust incident response plan.

Use the free calculator on dpdpworkshop.com to determine which MBS service tier is right for your business. From fundamental data mapping to comprehensive implementation support, MBS helps you build resilience.