Skip to content
checkDPDP

DPDP Tools · Free

DPDP Breach Notification Builder

Build a Rule 7 compliant two-phase breach report for the Data Protection Board in under 30 minutes. Covers all Rule 7(2)(a)-(e) mandatory items plus parallel Data Principal notification and CERT-In 6-hour notice.

In active build · early Q3 2026

Two-phase Rule 7 breach builder is coming

Phase 1 (within hours of awareness): the lightweight Data Protection Board notification. Phase 2 (within 72 hours): the full Rule 7(2)(a)–(e) report, Board-ready and downloadable. Plus the parallel Data Principal notification and the CERT-In 6-hour cyber-incident notice.

Phase 1 · DPB

“Without delay” notice with the bare facts.

Phase 2 · DPB

72-hour detailed Rule 7(2)(a)–(e) report.

Data Principals + CERT-In

Parallel notice and 6-hour cyber filing.

Get incident-response artefacts now →Run a Section 8 gap analysis →

Why this matters

The 72-hour clock is the most expensive deadline in the Act

₹200 cr Schedule 1 cap

Failure to notify under Section 8(6) sits in the ₹200 cr band — second highest after Section 8 security. The cost of a clean playbook is two weeks of work.

Section 33(2) cooperation factor

Self-reporting within 72 hours is an explicit mitigating factor when the Board calculates the penalty. The realistic difference between a 24-hour and a 4-day filing can be tens of crores.

Common questions

FAQ

How fast must I notify the Data Protection Board?

Phase 1 notification is "without delay" upon becoming aware — typically within hours, not days. Phase 2 (the detailed report covering Rule 7(2)(a)-(e)) must be filed within 72 hours.

Do I have to notify the affected Data Principals too?

Yes. Rule 7 requires notifying affected Data Principals with enough information to take protective action (e.g. change passwords, monitor accounts). Include guardian notification if minors are affected.

What if I am not 100% sure it is a breach?

If you are aware of a likely breach, start the clock. The Act treats delayed acknowledgement as aggravating under Section 33(2). It is safer to file Phase 1 and supplement with Phase 2 than to delay both.

CERT-In also wants notification — what about that?

CERT-In requires notification within 6 hours for cyber incidents under the 2022 directions. Run both notifications in parallel — same incident commander, two filings.