INTRODUCTION
In the contemporary era, marked by unparalleled digital advancement, data breaches are one of the most persistent challenges faced by organizations around the globe. A data breach is an unauthorized access to or disclosure of data that not only affects the privacy of individuals but also causes fiscal, operational and reputational harm to corporations across sectors. Recognizing the demands of a rapidly advancing digital period, India has formulated and enacted a legislative framework that places data breach management at the forefront of organizational accountability.
In India, the primary legislation that governs data breach management is the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDPA”) together with the Draft Digital Personal Data Protection Rules of 2025 (hereinafter referred to as “Draft Rules”). The DPDPA encompasses various aspects of a data breach, and this broad conceptualization ensures that every organization addresses not only cyberattacks but also other prominent failures that might compromise data protection and security.
The primary focus of the DPDPA is the concept of Data Fiduciary accountability. This concept mandates that the entities or organizations collecting, storing and processing personal data must implement breach management frameworks. Additionally, the Draft Rules put forth stern and rigorous data breach management protocols, which in turn help combat data breaches in India effectively. Apart from this, in an attempt to combat data breaches, the legislature not only formulated and enacted protective measures but also put forth several penalties for failure to implement reasonable security measures.
UNDERSTANDING DATA BREACH AND RECENT TRENDS
In the era of digitalization, data breaches remain one of the major and alarming concerns. Recently, the scale and frequency of data breach incidents in India have increased significantly. As per the reports and statistics of the Internet Freedom Foundation, in the past several years around 500 million Indian citizens’ records have been leaked and exposed. This trend of data breaches continues to grow with each passing year and has severely impacted the healthcare, financial, service and e-commerce sectors. Moreover, in the year 2023, an Indian Council of Medical Research data breach incident took place, which compromised both the medical and personal data of approximately 82 crore individuals. These incidents expose individuals to a blend of financial loss and the gruelling process of securing their identities.
Furthermore, the effect of a data breach is not confined to individuals alone; it has equivalent consequences for an organization. In the contemporary period, data breach incidents significantly impact an organization's reputation, consumer confidence and finances. For instance, the Big Basket data breach in 2020 led to the exposure of data of over 20 million users, which in turn led to a loss of public trust in the security mechanisms of the corporation.
LEGISLATIVE FRAMEWORK FOR DATA BREACH MANAGEMENT
In the Indian panorama, the primary legislative framework that governs and handles data breaches is the DPDPA together with the Draft Rules. These frameworks provide comprehensive provisions related to data breach management and impose specific mandatory obligations on Data Fiduciaries in order to ensure that personal data is protected. The DPDPA, along with the Draft Rules, places significant accountability on Data Fiduciaries through various provisions, aiming to safeguard personal data and ensure effective and efficient responses to data breaches.
Moreover, the DPDPA also mandates that the Data Fiduciaries must formulate and execute robust safety and security measures. In addition to this, the provisions also put an obligation to promptly inform and notify the Data Protection Board (DPB) and affected persons in the event of a breach. Additionally, the DPDPA also provides for penalties in case of non-compliance, with fines reaching up to Rs. 250 crores if the Data Fiduciaries fail to achieve or maintain proper and adequate security measures.
Moving forward, the government has also put forth the Draft Rules, which also contain comprehensive measures for proper management of such events. The Draft Rules also align properly with global standards that require technical safeguards such as encryption and access controls, along with organizational measures including regular audits, vulnerability assessments, incident response protocols, and contractual protections.
The Draft Rules provide for several obligations for the Data Fiduciaries in case of a breach of data. As per Rule 7 of the Draft Rules, it is the obligation and duty of the Data Fiduciary to inform both the DPB and the affected Data Principal about the event of personal data breach without any kind of delay. It is further provided that the Data Fiduciaries are required to submit a detailed report within the stipulated time period of 72 hours of the personal data breach. The reports must contain the following details:
Moreover, Section 33 of the DPDPA confers authority on the DPB to examine and inspect data breach matters, assess and evaluate compliance mechanisms and levy administrative fines. The provision also allows the DPB to levy penalties and other fines on Data Fiduciaries for inadequate security, delayed reporting of a data breach event, or negligent and poor handling of personal data. While deciding the penalty on Data Fiduciaries, the DPB may take into consideration the efforts made to mitigate harm, cooperation with authorities, and the sensitivity of the compromised or leaked data.
In addition to the DPB, the Data Protection Officer also plays a vital role in data breach management through the implementation of a proper and comprehensive Incident Response Plan, conducting impact assessments regularly, adopting different strategies for data minimization and regular training of employees. Therefore, in India, comprehensive measures are provided for the proper and efficient management of a breach of any kind of data.
AMLEGALS REMARKS
The enactment of DPDPA and the release of the Draft Rules was one of the most significant steps towards the protection and safeguarding of personal data in India, as it provides a regulatory framework for both safeguarding data and implementing a robust security measure for breach management and other compliances.
However, the Draft Rules of 2025 do not set a threshold value for reporting incidents of breach to Data Principals, and this unnecessarily increases the compliance burden on Data Fiduciaries. Therefore, a proper threshold limit can be introduced in the Draft Rules, as is already provided under the data breach management laws of other jurisdictions.
– Team AMLEGALS assisted by Mr. Aditya Raj Pandey (Intern)
For any further queries or feedback, feel free to reach out to rohit.lalwani@amlegals.com or mridusha.guha@amlegals.com