Obligations of Data Fiduciary upon Becoming Aware of a Personal Data Breach

The Digital Personal Data Protection (DPDP) Act and its accompanying Rules prescribe stringent obligations on Data Fiduciaries once they become aware of a personal data breach. These obligations are designed to ensure transparency, timely communication, and immediate mitigation to protect the rights and interests of Data Principals and to maintain regulatory oversight. The provisions impose dual reporting responsibilities: (a) notification to affected Data Principals, and (b) reporting to the Data Protection Board.

1. Immediate Notification to Affected Data Principals

Once a Data Fiduciary becomes aware of a personal data breach, it must promptly notify each affected Data Principal. This is a mandatory requirement and is central to ensuring that individuals can take timely protective actions.

1.1 Mode of Communication

    • Notification must be issued without delay.
    • Communication should be through:
      • The Data Principal’s user account, or
      • Any registered mode of communication such as email, SMS, mobile app notification, or other channels maintained with the Data Fiduciary.

1.2 Mandatory Contents of Notification

The communication must be concise, clear, and plain, covering the following:

(a) Description of the Breach

    • Nature of the breach (e.g., unauthorized access, accidental loss, data leak).
    • Extent of data compromised (categories, volume, sensitivity).
    • Timing and location of occurrence, and when the Data Fiduciary became aware of it.

(b) Relevant Consequences

    • Any likely harm that may arise:
      • Identity theft, fraud, financial risk
      • Unauthorized profiling
      • Potential misuse of personal or sensitive information

(c) Mitigation Measures by the Data Fiduciary

    • Immediate containment actions taken.
    • Steps implemented to minimize risk (e.g., blocking accounts, resetting credentials, disabling affected systems).
    • Long-term measures already initiated, if any.

(d) Safety Measures for Data Principals

    • Recommendations to protect themselves such as:
      • Changing passwords
      • Monitoring accounts
      • Enabling additional authentication
      • Reporting suspicious activity

(e) Contact Information

    • Business contact information of a person able to respond on behalf of the Data Fiduciary.
    • This must enable two-way communication, so that Data Principals can raise queries and seek clarifications about the breach.

This ensures that Data Principals are fully informed and empowered to safeguard their personal interests.

2. Mandatory Reporting to the Data Protection Board

Alongside notifying Data Principals, the Data Fiduciary must inform the Data Protection Board promptly after becoming aware of the breach. This ensures regulatory visibility and supervision.

2.1 Initial Intimation Without Delay

The first intimation must include:

    • Nature and extent of the breach
    • Timing and location of occurrence
    • Likely impact on individuals and systems

This enables the Board to assess the severity and initiate oversight.

3. Detailed Follow-Up Report to the Board within 72 Hours

Within 72 hours of becoming aware of the breach, the Data Fiduciary must submit an expanded report to the Board.
The Board may allow a longer period, but only on a written request from the Data Fiduciary; the extension is not automatic.

The detailed report must contain:

(i) Updated and Detailed Description

    • Complete and revised information, including results of internal investigation.

(ii) Broad Facts and Circumstances

    • Events leading to the breach
    • Root cause, e.g., system failures, misconfigurations, human error, or malicious attack
    • Identification of gaps in controls or vulnerabilities

(iii) Mitigation Measures

    • Actions implemented immediately after detection
    • Longer-term system improvements under consideration
    • Any third-party involvement such as cybersecurity audits

(iv) Responsible Person(s) Identification

    • Findings regarding individuals or entities who caused the breach (internal or external).
    • Whether the breach resulted from negligence, intentional misconduct, or third-party compromise.

(v) Remedial Measures to Prevent Recurrence

    • Improvements to access controls, encryption, monitoring
    • Policy changes
    • Deployment of additional security layers
    • Staff training or disciplinary measures

(vi) Confirmation of Notifications to Data Principals

    • Status and method of communication
    • Proof that affected individuals have been informed
    • Summary of content shared with them

This 72-hour reporting requirement ensures accountability and permits the Board to monitor corrective actions and impose directions where necessary.

4. Compliance Significance

These obligations are central to the DPDP Act’s emphasis on transparency, accountability, and protection of personal data. Key compliance points include:

    • Timeliness: Both Data Principals and the Board must be informed without delay; the detailed report must follow within 72 hours.
    • Accuracy: Initial information is based on “best knowledge,” but updates must reflect thorough investigation.
    • Documentation: All actions, communications, and investigations must be properly recorded.
    • Governance: Data Fiduciaries must maintain an internal incident management framework aligned with the Act.

5. Practical Implications for Data Fiduciaries

To remain compliant, Data Fiduciaries must implement:

    • A robust incident detection and response mechanism
    • A breach notification SOP
    • A communication template for Data Principals
    • A regulatory reporting template for the Board
    • Logging and audit trail mechanisms
    • Periodic risk assessments and security testing
    • Internal accountability frameworks
    • Escalation matrices and designated points of contact

Failure to comply may expose the Data Fiduciary to enforcement actions, penalties, and directions from the Board.
