In September 2024, a hacker using the alias “xenZen” made the personal data of approximately 31 million Star Health policyholders accessible through Telegram chatbots, as reported by Reuters. Medical reports, insurance claims, ID cards and tax details were being distributed freely. Affected individuals found out when journalists showed them their own records. Star Health had not notified them.
Under India’s DPDP Act, 2023, as operationalised by the DPDP Rules, 2025, that silence now carries a penalty of up to ₹200 crore. Data breach notification under DPDPA is a structured legal obligation with two recipients, defined timelines and no threshold below which reporting is not required. Every personal data breach, regardless of scale or severity, triggers the same dual obligation: notify the Data Protection Board of India (DPB) and notify the affected individuals.
This blog breaks down exactly what Rule 7 requires, what each notification must contain and what your team needs to build before enforcement begins.
What is a personal data breach under DPDPA?
Section 2 of the DPDP Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration or destruction of personal data, or loss of access to it, that compromises the confidentiality, integrity or availability of that data.
The scope is broad. A misconfigured cloud storage bucket, a ransomware attack encrypting customer records (a loss of access) or a phishing compromise exposing employee data all qualify. Deliberate attacks and accidental exposure are treated equally; the definition does not distinguish on how the breach occurred, only on its effect on the data.
How Rule 7 structures the data breach notification India obligation
Rule 7 of the DPDP Rules, 2025 divides your notification process into two parallel streams: one directed at the DPB, and one directed at affected Data Principals (individuals whose personal data was breached). The five steps below capture the full operational flow for completing data breach notification under DPDPA.
Detect and confirm the breach
Identify the nature, scope and affected systems as quickly as possible. Record the exact detection timestamp. This is the moment the regulatory clock starts for all downstream obligations.
Send initial intimation to the DPB
Notify the Data Protection Board without delay upon confirmation. This is a preliminary report, not the output of a completed investigation. It must include a description of the breach (its nature, extent, timing and location), the categories and approximate number of affected Data Principals, the likely consequences and the initial steps taken to contain the incident.
Notify affected Data Principals
Without delay, inform each affected individual through their registered communication channel – email, SMS or in-app notification. The notice must be written in plain language. It must describe what happened, which data was involved, what the Data Fiduciary has done to mitigate the risk, what protective steps the individual should take immediately, and the business contact details of a person who can answer the individual's questions on the Data Fiduciary's behalf.
Submit the 72-hour detailed report to the DPB
Within 72 hours of becoming aware of the breach (or within such longer period as the DPB allows on a written request), submit a complete report to the DPB. This expands on the initial intimation and must include the root cause, affected systems, data categories involved, detection timeline, volume of records, remediation actions taken, steps to prevent recurrence and a record of the intimations sent to affected Data Principals.
Update the DPB as the investigation develops
If new facts emerge (additional affected records, revised timelines or newly identified responsible parties), the filed report must be updated so that the DPB's record reflects current findings.
Why no materiality threshold changes your compliance posture
Most global frameworks, including GDPR, require breach notification only when an incident is likely to pose a risk to individuals (and notification of the individuals themselves only when that risk is high). DPDPA removes that filter entirely.
Every unauthorised or accidental personal data exposure is reportable under the Act. A single-record incident carries the same notification obligation as a large-scale exfiltration. This shifts the operational question from “is this significant enough to report?” to “how fast can we detect, assess and notify?”
Continuous detection capability therefore becomes the foundation of any data breach notification framework, not just a reactive breach response capability activated after the damage is done.
Penalties for failing to notify
The Schedule to the DPDP Act sets the penalty for non-compliance with Section 8(6) at up to ₹200 crore per incident. This covers both the failure to notify the DPB and the failure to notify affected Data Principals.
Unjustified delays may be treated as non-compliance and attract regulatory action. Incomplete or inaccurate notifications attract additional regulatory scrutiny from the DPB. The obligation applies regardless of whether the failure was deliberate; intent is not an element of the breach, although the Board weighs factors such as the gravity, duration and repetition of the failure and any mitigation taken when fixing the amount.
Conclusion
The Star Health incident showed what a notification gap looks like in practice: millions of individuals whose most sensitive data was circulating publicly and who had no idea. Under DPDPA, that gap is now a defined legal violation with a ₹200 crore penalty attached.
Data breach notification under DPDPA requires immediate DPB intimation, parallel Data Principal notification and a full detailed report within 72 hours – for every breach, at every scale. Meeting the data breach reporting requirements under this framework requires detection infrastructure, documentation workflows and notification readiness built well ahead of May 13, 2027.
At CyberNX, our DPDPA consulting team helps organisations design and operationalise end-to-end breach response frameworks – from detection architecture and SIEM configuration to DPB submission workflows and Data Principal notification systems. Connect with our experts to build your data breach notification under DPDPA programme before enforcement begins.
Data breach notification under DPDPA FAQs
Does every breach need to be reported under DPDPA, even minor ones?
Yes. The DPDP Act carries no materiality threshold. Every personal data breach, regardless of the number of individuals affected or the severity of the exposure, triggers the full dual notification obligation under Rule 7. You must notify the DPB and affected Data Principals for every qualifying incident without exception.
What is the timeline for data breach notification under DPDPA?
Rule 7 requires an initial intimation to the DPB without delay upon becoming aware of the breach. A detailed report must follow within 72 hours, unless the DPB allows a longer period on a written request. Affected Data Principals must also be notified without delay, in parallel with the DPB process. There is no fixed hour count for Data Principal notification, but any delay is subject to regulatory scrutiny.
What are the penalties for failing to meet data breach reporting requirements India mandates under DPDPA?
Under Section 8(6) of the DPDP Act, failure to notify the Data Protection Board or affected Data Principals can attract a penalty of up to ₹200 crore per incident. Delay and incomplete notifications are treated as non-compliance and attract direct scrutiny from the DPB.