What is the DPDP breach notification timeline?
After confirming a personal data breach, Data Fiduciaries must notify the Data Protection Board of India without undue delay; operational practice and draft DPDP Rules use a 72-hour target for Board notification, with a separate 6-hour CERT-In reporting window for many operators.
Section 8 and the 2025 Rules framework expect prompt assessment, containment, and notification without undue delay.
Maintain an incident runbook, forensic logging, and templates before an event occurs.
See the full 72-hour + CERT-In playbook in our breach guide and glossary entry.
Related Act sections
Tools & resources
Back to Complete DPDP Guide | All DPDP FAQs
DPDP implementation support
- Gap assessment & remediation roadmap (INR 49,999+)
- Breach runbook & DPBI templates
- SDF / DPO / DPIA programs