Detect and classify
- Detect breaches early via alerts on sensitive data and access anomalies
- Classify severity and scope — what data, whose data, how much
- Open an incident record the moment a breach is suspected
Notify in the prescribed form and time
The DPDP Rules require intimation to affected Data Principals and to the Data Protection Board, with further detail to the Board within the prescribed window. Configure your notification templates and timers to the Rules as prescribed, rather than relying on ad-hoc email.
- Notify affected individuals without undue delay
- Provide the Board the required particulars within the prescribed period
- Keep templates configurable as the Rules are refined
Keep an immutable breach register
- Record root cause, impact assessment and remedial actions
- Make the register tamper-evident for auditors and the Board
- Track the timeline from detection to closure
Learn and close the loop
Every breach should feed back into controls — tighter access, better retention, new alerts — so the same gap does not recur. A breach register that drives remediation is worth far more than one that just logs events.
This guide is educational and general in nature — it is not legal advice. Confirm specific obligations against the DPDP Act, 2023, the DPDP Rules, 2025 and any sectoral regulations that apply to you.