Playbook · 4 min read

DPDP Data Breach Response: 72-Hour Playbook

A practical 72-hour playbook for Indian businesses to respond to DPDP data breaches, including critical steps, timelines, and expert advice.

Sushant Pasumarty

DPDP Data Breach Response: Your 72-Hour Playbook for India

A data breach under India's Digital Personal Data Protection Act (DPDP) is not just a technical incident; it's a critical compliance event. The Act mandates timely and structured responses to mitigate harm and ensure regulatory adherence. This playbook outlines the crucial steps Indian businesses must take within the first 72 hours of discovering a personal data breach.

Ignoring these steps can lead to significant penalties, reputational damage, and loss of trust from Data Principals. Sushant Pasumarty, founder of Meridian Bridge Strategy, emphasizes that proactive preparation, not just a reactive response, is key.

What is a Data Breach under DPDP?

A "personal data breach" is any unauthorised processing of personal data. This includes accidental disclosure, acquisition, sharing, use, alteration, or destruction of personal data that compromises its confidentiality, integrity, or availability. The severity of a breach shapes the response, but every breach involving personal data needs immediate attention.

The 72-Hour DPDP Breach Response Playbook

This timeline outlines critical actions from the moment a potential personal data breach is detected.

Hour 0-2: Initial Assessment & Containment

Action: Immediately verify the incident. Determine if personal data is involved and the scope of the potential breach. Isolate affected systems or data sets to prevent further compromise. Document initial observations.

  • Key Questions: What data is affected? How many Data Principals are impacted? What systems are involved?
  • Required: Incident response team activation, preliminary forensic tools, communication channels (internal).
  • MBS Support: While direct incident response isn't a core service, a DPDP Workshop or DPDP Readiness Audit would have established these protocols.
💡 Key Insight: Speed is paramount. The initial hours are about stopping the bleeding and understanding the immediate impact.

Hour 2-24: Deeper Investigation & Risk Assessment

Action: Conduct a thorough investigation to understand the root cause, extent of data compromise, and specific types of personal data affected. Assess the potential harm to Data Principals. Begin documenting all findings meticulously.

  • Key Questions: How did the breach occur? What is the full list of compromised data elements? What are the high-risk implications for Data Principals (e.g., financial fraud, identity theft)?
  • Required: Digital forensics expertise, legal counsel consultation, detailed incident log.
  • MBS Support: A DPDP Vendor Risk Assessment (covered in Full DPDP Consulting) could have identified third-party vulnerabilities.
✅ Pro Tip: Engage legal counsel early. Their advice on severity and notification requirements is crucial.

Hour 24-48: Notification Preparation & Internal Review

Action: Prepare the breach notification to the Data Protection Board of India (DPBI) and potentially affected Data Principals. Review the incident response with internal stakeholders and legal teams. Draft internal communications.

  • Key Questions: Who needs to be notified? What information must be included in the notification? What mitigation steps are being taken?
  • Required: Draft notification templates, legal review, internal communication plan.
  • Cost Relevance: This phase relies heavily on processes and documentation established during a DPDP Readiness Audit (₹2L – ₹6L) or DPDP Workshop (₹5L – ₹10L). These services help define your notification criteria and process.
MBS Service | Relevant Support for Breach Response | Price Range
DPDP Readiness Audit | Establishing breach reporting procedures, identifying critical data. | ₹2L – ₹6L
DPDP Workshop | Developing a full incident response plan, including notification templates and stakeholder communication strategy. | ₹5L – ₹10L
Full DPDP Consulting | Comprehensive incident response plan development, DPO training on breach handling, ongoing legal support integration. | ₹7L – ₹12L

Hour 48-72: Notification & Remediation Plan

Action: Submit the formal breach notification to the DPBI. Notify affected Data Principals if the breach is likely to result in significant harm. Implement immediate remediation steps and develop a long-term plan to prevent recurrence.

  • Key Questions: Has the DPBI received the notification? Are Data Principals clearly informed of the breach and their rights? What permanent security enhancements are required?
  • Required: Finalized notifications, secure communication channels for Data Principals, updated security protocols.
  • Cost Relevance: Implementing the remediation plan may involve technology investments or process changes that build on recommendations from a Full DPDP Consulting (₹7L – ₹12L) engagement, which includes implementation support.
💡 Key Insight: The DPDP Act requires Data Fiduciaries to notify the DPBI and, in some cases, the Data Principals, "in such form and manner as may be prescribed" without undue delay. While a specific hour count isn't legislated for notification to the Board, 72 hours is a widely accepted benchmark for serious incidents based on international best practices.

Common Mistakes in DPDP Breach Response

  • Delay in Detection: Not having robust monitoring systems to detect breaches quickly.
  • Lack of Preparedness: No pre-defined incident response plan, roles, or communication strategy.
  • Incomplete Investigation: Failing to identify the full scope or root cause, leading to recurring vulnerabilities.
  • Insufficient Documentation: Not logging every step, decision, and communication, which can hinder regulatory inquiries.
  • Failure to Notify: Missing the notification window for the DPBI or affected Data Principals.
  • Ignoring Remediation: Not implementing lessons learned to prevent future breaches.

Next Steps: Proactive DPDP Readiness

Don't wait for a breach to happen. Sushant Pasumarty emphasizes that preparedness is your best defense. Meridian Bridge Strategy offers structured services to build your DPDP resilience.

Use our free calculator to understand your DPDP compliance costs. Our DPDP Readiness Audit or a comprehensive DPDP Workshop can help you establish clear breach response protocols, identify data flows, and mitigate risks before they escalate.

Frequently Asked Questions

What is the specific DPDP notification timeline for the Data Protection Board of India (DPBI) after a breach?

The DPDP Act requires notification to the Data Protection Board of India (DPBI) "in such form and manner as may be prescribed," without specifying an exact hour count. However, international best practices and expectations under similar regulations often suggest notification within 72 hours of becoming aware of a breach, especially for incidents likely to cause significant harm. Sushant Pasumarty advises preparing for this 72-hour benchmark.

When do I need to notify affected Data Principals of a DPDP breach?

You must notify affected Data Principals if the personal data breach is likely to result in significant harm to them. This assessment of harm is critical and should be part of your Hour 24-48 investigation phase. The notification should clearly explain the nature of the breach, the potential risks, and the steps Data Principals can take to protect themselves.

How can Meridian Bridge Strategy help my business prepare for a DPDP data breach?

Meridian Bridge Strategy helps businesses prepare through our structured DPDP services. Our DPDP Readiness Audit (₹2L – ₹6L) helps identify critical data and gaps in your current response. The DPDP Workshop (₹5L – ₹10L) develops a full incident response plan, including notification templates and communication strategies. For comprehensive support, our Full DPDP Consulting (₹7L – ₹12L) includes implementation support and DPO training on breach handling.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.