PDP-13 Privacy & Data Protection 6% of OML score

Does the business know when personal data incidents must be reported?

Your business needs to have a clear, written rule about when and how to tell the government and affected customers if their personal information has been stolen or misused. This isn't optional—there are legal timelines and specific authorities you must notify, and not knowing them puts your business at serious risk.

⚡ Why This Matters to Your Business

Under Indian law (DPDP Act 2023), you must report data breaches to the Data Protection Board within 72 hours or face penalties up to ₹50 crore. Without knowing this deadline, you might report late and be fined heavily. For example, a Delhi-based e-commerce startup suffered a customer database breach in 2022 but reported it after 6 months, resulting in a ₹2 crore penalty and complete loss of customer trust. If you don't have this knowledge documented, auditors and customers will fail you in their security assessments, and you won't be able to bid on large contracts.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You have no idea who to contact or when to report a data incident if it happens. No one in your team has read the relevant laws, and there's no process document anywhere.

Level 1: Initial

Someone on your team has read the DPDP Act once and knows a breach must be reported, but there's no written process and no one else in the business knows the rules or timeline.

Level 2: Developing

You have a one-page incident response document that lists the DPDP Board contact and mentions the 72-hour timeline, but it doesn't say what counts as a reportable incident or who decides when to report.

Level 3: Defined

You have a formal incident response plan that defines what personal data incidents are reportable, includes the 72-hour timeline, and lists all authorities to notify (DPDP Board, CERT-In if critical, state police). Your senior manager has approved it, but staff training is informal.

Level 4: Managed

Your incident response plan is detailed, regularly updated, covers all applicable Indian laws, includes decision trees for determining if an incident is reportable, and every team member involved in data handling has been trained and tested on it within the last year.

Level 5: Optimised

You conduct annual tabletop drills simulating data breach scenarios, track compliance with reporting timelines in past incidents, update your plan based on regulatory changes and lessons learned, and have third-party audits confirming your incident reporting knowledge is current and effective.

🚀 How to Move Up — Practical Steps
Step 0 → 1
  What to do: Download and read the DPDP Act 2023 (specifically Section 6 on data breaches) and the CERT-In 2022 disclosure directions; write a one-page summary of reporting timelines and authorities.
  Who: Business owner or IT manager
  Effort: 1 day

Step 1 → 2
  What to do: Create a written incident response template that lists: what counts as a personal data incident, the 72-hour DPDP Board notification timeline, contact details for the DPDP Board and relevant state authorities, and immediate actions to take.
  Who: IT manager or compliance officer
  Effort: 3-5 days

Step 2 → 3
  What to do: Expand the incident response plan to include decision flowcharts for determining if an incident is reportable, define roles (who investigates, who decides, who notifies), and get it formally approved by management in writing.
  Who: Compliance officer with IT manager input
  Effort: 2-3 weeks

Step 3 → 4
  What to do: Conduct formal training for all staff who handle customer data; create a signed acknowledgment form; set up a simple log to track who has been trained and when; review the plan quarterly for regulatory changes.
  Who: HR manager and IT manager
  Effort: 4-6 weeks

Step 4 → 5
  What to do: Run a simulated breach scenario twice per year where teams actually practise the notification process; collect feedback and update the plan; document all incidents and your actual response timelines to show compliance; arrange an external audit or assessment.
  Who: Compliance officer with cross-functional team
  Effort: Ongoing (quarterly reviews and annual drills)
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed incident response policy or plan document dated and approved by management, clearly stating DPDP Act Section 6 compliance and 72-hour reporting timeline
  • Documented list of reportable personal data incidents with definitions (e.g., unauthorized access, data theft, loss, alteration) relevant to your business
  • Contact registry showing phone, email, and portal details for DPDP Board, CERT-In, relevant state police cyber cell, and any customer notification contacts
  • Training records (attendance sheets, certificates, or signed acknowledgments) showing all data-handling staff have been trained on incident reporting obligations within the last 12 months
  • Incident log or register documenting any past data incidents your business has experienced, including discovery date, reporting date to authorities, and timeline compliance confirmation
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your written policy on when and how you report personal data incidents to the DPDP Board? What is the timeline, and who is responsible?"
  • "Walk me through what you would do in the first 24 hours after discovering a customer database has been breached. Who do you call, and in what order?"
  • "Do you know that you must report within 72 hours under DPDP Act Section 6? Can you show me evidence that your team has been trained on this?"
  • "Have you ever experienced a data incident? If yes, can you show me proof that you reported it within the required timeline?"
  • "What happens if your business discovers that personal data of a government employee or minor was compromised? Do you have a separate process for critical incidents?"
🛠 Tools That Work in India
Incident ticket logging and timeline tracking, to document when breaches occurred and when notifications were sent
  Free option: Google Forms (basic incident report form) or Jotform, plus a Google Sheet to maintain the incident log
  Paid option: Freshdesk or Zoho Desk (₹50–100 per month for basic incident tracking)

Document repository to store and version your incident response plan and keep regulatory references up to date
  Free option: Google Drive or GitHub (free for private repositories)
  Paid option: Notion Team Plan (₹10,000/year) or Confluence (₹5,000–10,000/year)

Incident notification communication tool to send alerts to authorities and customers quickly and with proof of delivery
  Free option: Gmail with read receipts, or registered email with notification tracking
  Paid option: Cisco WebEx or Microsoft Teams (if you have subscriptions; otherwise approx. ₹5,000–20,000/year for messaging/alert platforms)
🛡 How This Makes You More Resilient

When your team knows exactly when and how to report data incidents, you can respond quickly (within the legal 72-hour window), avoid massive regulatory fines, and preserve customer trust by being transparent. Delayed or missed notifications often result in penalties many times larger than the breach itself, and once that happens, your reputation and your ability to bid for contracts suffer for years.
⚠️ Common Pitfalls in India
  • Believing that only a complete data theft requires reporting—in reality, even unauthorized access, accidental data exposure, or loss of encrypted backup drives may be reportable under DPDP Act Section 6 if there is a reasonable likelihood of harm.
  • Assuming the 72-hour timeline starts from when IT discovers the breach, not realizing that the clock may start from when the business first becomes aware of the incident, even if discovered by a customer complaint or news report.
  • Delaying notification because you want to 'investigate fully first'—the law requires you to report within 72 hours even if your investigation is incomplete; you can provide additional details in follow-up communications.
  • Only notifying the DPDP Board and forgetting to notify affected customers, state authorities, or CERT-In (if the incident involves critical sectors); each authority has its own requirements and timelines in Indian law.
  • Not documenting your incident response process in writing and relying on verbal instructions or one person's knowledge, which means if that person is absent or leaves, no one else knows how to respond correctly.
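As an added example (not part of the NIRMATA guide), a small Python incident register that applies the reportability decision tree from the Defined level, computes the 72-hour deadline from the business's first awareness rather than IT's discovery (the second pitfall above), and records the timeline compliance status that the evidence section asks for; the incident categories, register ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REPORTING_WINDOW = timedelta(hours=72)   # 72-hour DPDP Board window described in this guide
# Incident categories from the "reportable incidents" definitions list above
REPORTABLE_KINDS = {"unauthorized access", "data theft", "loss", "alteration", "accidental exposure"}

@dataclass
class Incident:
    ref: str                          # register id (constructed, e.g. "INC-001")
    kind: str                         # category, compared against REPORTABLE_KINDS
    likely_harm: bool                 # outcome of the reasonable-likelihood-of-harm assessment
    it_discovered: datetime           # when IT confirmed the incident
    first_signal: Optional[datetime]  # earlier awareness (customer complaint, news report), if any
    reported_at: Optional[datetime]   # when the DPDP Board notification went out, if sent

def is_reportable(inc: Incident) -> bool:
    """Decision tree: a listed incident type plus a reasonable likelihood of harm."""
    return inc.kind in REPORTABLE_KINDS and inc.likely_harm

def clock_start(inc: Incident) -> datetime:
    """The clock runs from the business's first awareness, not from IT's confirmation."""
    if inc.first_signal is not None and inc.first_signal < inc.it_discovered:
        return inc.first_signal
    return inc.it_discovered

def assess(inc: Incident, now: datetime) -> str:
    """Status string to record in the incident register for one entry."""
    if not is_reportable(inc):
        return "not reportable (document rationale)"
    due = clock_start(inc) + REPORTING_WINDOW
    if inc.reported_at is not None:
        return "reported on time" if inc.reported_at <= due else "reported late"
    if now > due:
        return "OVERDUE (deadline missed)"
    return f"pending: {(due - now).total_seconds() / 3600:.1f} h left"

# Constructed sample register entries, not real incidents
SAMPLE_REGISTER = [
    # customer complaint 2 Mar 18:30, IT confirmed 4 Mar, Board notified 6 Mar: late from awareness
    Incident("INC-001", "data theft", True, datetime(2024, 3, 4, 9, 0),
             datetime(2024, 3, 2, 18, 30), datetime(2024, 3, 6, 9, 0)),
    Incident("INC-002", "loss", True, datetime(2024, 3, 10, 8, 0), None, None),
    Incident("INC-003", "alteration", False, datetime(2024, 3, 11, 12, 0), None, None),
]

def register_report(now_iso: str, register=SAMPLE_REGISTER) -> dict:
    """Status of every register entry as of the given ISO 8601 timestamp."""
    now = datetime.fromisoformat(now_iso)
    return {inc.ref: assess(inc, now) for inc in register}
```

INC-001 would look on time if the clock were started at IT's discovery on 4 March; measured from the customer complaint it is late.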
⚖️ Compliance References

DPDP Act 2023: Section 6 (Data Breach) mandates reporting of personal data breaches to the Data Protection Board within 72 hours of discovery; also requires data fiduciaries to assess whether there is a reasonable likelihood of harm.
CERT-In 2022: Indian Computer Emergency Response Team disclosure directions require certain critical infrastructure and sensitive sector incidents to be reported to CERT-In; timeline and scope may override or complement DPDP Act reporting.
ISO 27001:2022: Annex A, Control A.17.1 (Organization of information security incident management) and A.17.2 (Assessment and decision on information security events).
NIST CSF 2.0: Detect (DE) and Respond (RS) functions; specifically DE.CM-1 (detection processes) and RS.CO-2 (incident response activation) require organizations to identify and communicate security incidents.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
