Definition
A Personal Data Breach is any unauthorised processing of personal data — or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to it — that compromises its confidentiality, integrity, or availability. It's defined under Section 2(u) of the DPDPA, 2023. In plain terms: a hacked database, a stolen laptop, an employee emailing customer records to the wrong person, or ransomware locking your files all count. Critically, the definition doesn't distinguish between malicious attacks and honest mistakes — and unlike GDPR, DPDPA requires you to notify every breach, regardless of how minor the risk seems.
How this matters in practice
A personal data breach triggers a dual clock: CERT-In within 6 hours and a detailed Board report within 72 hours — impossible without a pre-built playbook. Privigo prepares your breach-response plan, notification templates for affected users and the Board, and the security-safeguard documentation that reduces penalty exposure. Our free gap analysis flags your weakest points first. Fully remote delivery, anywhere in India.
Frequently asked questions
Who must I notify after a data breach, and how fast?
Both the affected Data Principals and the Data Protection Board (Section 8(6)), plus CERT-In. Dual-clock: notify CERT-In within 6 hours of becoming aware, and submit a detailed report to the Board within 72 hours covering the breach's nature, cause, mitigation steps, and remedial measures. Inform affected individuals without delay under the DPDP Rules, 2025.
Do I have to report even small breaches with no real harm?
Yes. DPDPA has no risk-based threshold — unlike GDPR, which exempts breaches unlikely to harm individuals, the Indian law requires notifying every personal data breach to affected users and the Board. This makes detection capability and a ready notification process essential even for small businesses.
What are the penalties related to data breaches?
Two separate exposures under the Act's Schedule: up to ₹250 crore for failing to maintain reasonable security safeguards that would have prevented the breach, and up to ₹200 crore for failing to notify the Board or affected individuals. Prompt notification and documented safeguards are also mitigating factors under Section 33.
Build a breach playbook before you need one
Book a 30-minute call to map notification timelines, templates, and security evidence so CERT-In's 6-hour and the Board's 72-hour clocks are achievable.
Book a demo
Free Gap Analysis
Disclaimer: Privigo is not a law firm. This page provides operational compliance guidance only. For institution-specific obligations, work with qualified Indian legal counsel.