72-Hour Breach Notification Guide
Liability Check
72 hours. That's your deadline for filing a breach report with the Data Protection Board of India. Whether it's a cyberattack exposing customer card details or an employee's laptop with sensitive PII going missing from a Bengaluru tech park, every personal data breach triggers the duty to notify, and the DPDP Act's penalty schedule runs up to ₹200 crore for failing to notify the Board or affected Data Principals and up to ₹250 crore for failing to put reasonable security safeguards in place.
Why Breach Notification Is a Liability Risk
Under the DPDP Act, a **personal data breach** is more than a security incident; it's a notifiable event with no harm threshold. Unlike the GDPR, the Act does not let you skip notification because the risk to individuals looks low: every breach must be reported to the Data Protection Board of India (DPB) and intimated to each affected Data Principal. Whether it's a ransomware attack crippling your e-commerce platform, an accidental exposure of employee salary data on an unsecured server, or a phishing scam compromising customer KYC details, swift action and mandatory notification are non-negotiable. Under the DPDP Rules, the Data Fiduciary must intimate affected Data Principals and the Board without delay on becoming aware of the breach, and file its detailed report with the Board within **72 hours** of becoming aware (or such longer period as the Board allows on request). The DPB will scrutinize your response, looking for promptness, thoroughness, and effective mitigation. Missing the window isn't just a lapse; it's a direct violation with severe financial and reputational consequences for your brand in the Indian market.
Common Violations
1. Not having a clearly defined and tested **Incident Response Plan** to detect, contain, and assess data breaches immediately, including recording the time at which the organisation became aware of the breach, since that is when the 72-hour clock starts.
2. Failing to scope the breach properly: identifying which systems and records were affected and who the affected **Data Principals** are (e.g., your customers, employees), so that each of them can be intimated. Under the DPDP Act the assessment decides whom to notify and what to tell them, not whether to notify at all.
3. Delaying notification past the **72-hour window** because you were 'still investigating' or tried to 'contain the PR fallout' before informing the DPB and affected parties. Investigation and notification run in parallel; an initial intimation can be followed by updated information as the facts firm up.
The Immediate Fix
Implement and regularly test a robust **Data Breach Response Plan** that clearly outlines roles, responsibilities, and step-by-step procedures for detection, containment, scoping, and mandatory notification within the 72-hour window. The plan should name who decides that a breach has occurred, log the time of that decision, identify the affected Data Principals and the data involved, and keep pre-approved notification templates for both the Board and the individuals. It should cover all types of personal data, whether held on servers, endpoints, or with vendors processing data on your behalf.
Projected Compliance Deadline: Immediate