
Rule 7 of DPDP Rules 2025

Intimation of personal data breach


(1) On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary,—
(a) a description of the breach, including its nature, extent and the timing and location of its occurrence;
(b) the consequences relevant to her, that are likely to arise from the breach;
(c) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
(d) the safety measures that she may take to protect her interests; and
(e) business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.

(2) On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board,—
(a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
(b) within seventy-two hours of becoming aware of the same, or within such longer period as the Board may allow on a request made in writing in this behalf,—
  (i) updated and detailed information in respect of such description;
  (ii) the broad facts related to the events, circumstances and reasons leading to the breach;
  (iii) measures implemented or proposed, if any, to mitigate risk;
  (iv) any findings regarding the person who caused the breach;
  (v) remedial measures taken to prevent recurrence of such breach; and
  (vi) a report regarding the intimations given to affected Data Principals.

(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary.


Legal Interpretation: Intimation of Personal Data Breach

In the digital age, personal data breaches can have a profound impact on individuals and organizations alike. Rule 7 of the Digital Personal Data Protection Rules, 2025 mandates robust protocols for notifying affected parties and the Board, ensuring transparency, accountability, and a swift response to mitigate risks. Let’s unpack the obligations outlined in this rule.

1. The Core Obligation: Immediate Intimation

At the heart of Rule 7 lies a simple principle: timely and clear communication is essential in the event of a personal data breach. When a breach occurs, the Data Fiduciary is obligated to notify both the affected Data Principals and the Board. This dual approach ensures that:

  • Individuals can take proactive steps to safeguard their interests.
  • Regulatory authorities are informed and can assess the broader implications.

Think of it as raising an alarm during a fire—both the occupants and the fire department must be alerted to minimize damage and ensure swift resolution.

2. Notification to Affected Data Principals

Upon becoming aware of a breach, the Data Fiduciary must notify the affected individuals without delay. This notification must be concise, clear, and in plain language, ensuring it is accessible to all. Here’s what it must include:

  • (a) Description of the Breach: The nature, extent, timing, and location of the breach should be detailed. This transparency helps individuals understand the gravity of the situation.
  • (b) Likely Consequences: The notification should outline the potential risks or consequences the breach poses to the individual. For example, if financial data was compromised, the person should be aware of the possibility of fraud or identity theft.
  • (c) Mitigation Measures: The steps already taken or being implemented by the Data Fiduciary to address the breach should be communicated. This reassurance builds trust and demonstrates accountability.
  • (d) Safety Measures for Individuals: Recommendations for actions the individual can take to protect themselves, such as changing passwords or monitoring financial transactions, must be included.
  • (e) Contact Information: A point of contact within the organization must be provided to address any questions or concerns the individual may have.

This approach ensures that individuals are not left in the dark, empowering them to respond effectively to the situation.

3. Reporting to the Board

In addition to notifying the affected individuals, the Data Fiduciary must also report the breach to the Board. This two-step reporting process is crucial for regulatory oversight and systemic risk assessment.

  • Initial Notification: The Board must be informed without delay, detailing the nature, extent, timing, and location of the breach, as well as its likely impact. This immediate alert enables the Board to initiate any necessary interventions.
  • Comprehensive Follow-Up: Within 72 hours, or a longer period if permitted by the Board, the Data Fiduciary must submit a detailed report that includes:
    • Broad facts about the breach and its causes.
    • Measures taken or proposed to mitigate risks.
    • Findings regarding the individuals or entities responsible for the breach.
    • Steps implemented to prevent recurrence.
    • A summary of notifications issued to affected Data Principals.

4. Definition of "User Account"

The rule defines a "user account" as any online account registered by the Data Principal with the Data Fiduciary. This includes profiles, handles, email addresses, or phone numbers used to access the services of the Fiduciary. This broad definition ensures that all potential channels of communication are covered, making it easier to reach affected individuals promptly.

5. Practical Implications for Data Fiduciaries

For Data Fiduciaries, the rule necessitates:

  • Proactive Preparedness: Establishing systems to detect breaches swiftly and assess their impact.
  • Effective Communication Channels: Ensuring mechanisms like email, SMS, or app notifications are in place for timely outreach.
  • Compliance with Timelines: Meeting the strict deadlines for notifying the Board and affected individuals.
  • Comprehensive Documentation: Maintaining records of breaches and the corresponding responses for audits and potential investigations.
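The timelines and content items above can be tracked as an incident record that is checked against Rule 7 before the notices go out. The following is an added example written for this page, not code from the site or from any regulator; the field names, the record structure and the sample incident are constructed for illustration, and the 72-hour window is measured from the moment of becoming aware, with a longer period only where the Board has allowed one in writing.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Rule 7(1)(a)-(e): contents of the notice to each affected Data Principal.
PRINCIPAL_ITEMS = ("description", "consequences", "mitigation", "safety_measures", "contact")
# Rule 7(2)(b)(i)-(vi): contents of the detailed report to the Board.
BOARD_DETAIL_ITEMS = ("updated_description", "facts_and_causes", "mitigation",
                      "attribution_findings", "remedial_measures", "principal_intimation_report")
BOARD_WINDOW = timedelta(hours=72)  # Rule 7(2)(b), counted from becoming aware

@dataclass
class BreachRecord:
    aware_at: datetime                                   # when the Data Fiduciary became aware
    principal_notice: dict = field(default_factory=dict)  # keys from PRINCIPAL_ITEMS
    board_initial_sent_at: Optional[datetime] = None     # Rule 7(2)(a) "without delay" description
    board_detail: dict = field(default_factory=dict)     # keys from BOARD_DETAIL_ITEMS
    board_detail_sent_at: Optional[datetime] = None
    board_extension_until: Optional[datetime] = None     # only if the Board allowed it in writing

def board_deadline(rec: BreachRecord) -> datetime:
    """72 hours from awareness, or the later date the Board allowed on a written request."""
    base = rec.aware_at + BOARD_WINDOW
    if rec.board_extension_until and rec.board_extension_until > base:
        return rec.board_extension_until
    return base

def missing_items(provided: dict, required: tuple) -> list:
    return [k for k in required if not str(provided.get(k, "")).strip()]

def compliance_gaps(rec: BreachRecord, now: datetime) -> list:
    """List what is still missing or late under Rule 7 as of 'now' (empty list = nothing outstanding)."""
    gaps = [f"Data Principal notice missing: {k}" for k in missing_items(rec.principal_notice, PRINCIPAL_ITEMS)]
    if rec.board_initial_sent_at is None:
        gaps.append("Board not yet given initial description")
    deadline = board_deadline(rec)
    if rec.board_detail_sent_at is None:
        if now > deadline:
            gaps.append("Board detailed report overdue")
    else:
        if rec.board_detail_sent_at > deadline:
            gaps.append("Board detailed report filed late")
        gaps += [f"Board detailed report missing: {k}" for k in missing_items(rec.board_detail, BOARD_DETAIL_ITEMS)]
    return gaps

def hours_after(rec: BreachRecord, hours: float) -> datetime:
    return rec.aware_at + timedelta(hours=hours)

def sample_record() -> BreachRecord:
    # Constructed sample: all items except (d) "safety measures" drafted, Board alerted after one hour.
    aware = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    notice = {k: "drafted" for k in PRINCIPAL_ITEMS if k != "safety_measures"}
    return BreachRecord(aware_at=aware, principal_notice=notice, board_initial_sent_at=aware + timedelta(hours=1))

if __name__ == "__main__":
    rec = sample_record()
    for label, h in (("day 1", 24), ("after window", 80)):
        print(label, compliance_gaps(rec, hours_after(rec, h)))
```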

6. Broader Implications for Trust and Accountability

This rule underscores the importance of transparency and accountability in managing personal data. By mandating prompt and clear notifications, it seeks to:

  • Empower Individuals: Giving them the tools and information to protect themselves in the wake of a breach.
  • Enhance Regulatory Oversight: Allowing the Board to monitor patterns and take corrective actions to strengthen data protection frameworks.
  • Build Organizational Trust: Demonstrating that organizations prioritize the privacy and security of their users.

Conclusion

Rule 7 reflects a well-rounded approach to managing personal data breaches. By emphasizing immediate intimation to affected individuals and the Board, it strikes a balance between transparency and accountability. For Data Fiduciaries, compliance isn’t just about ticking boxes—it’s about fostering trust and demonstrating a genuine commitment to safeguarding personal data. In the ever-evolving digital landscape, this rule serves as a cornerstone for responsible data stewardship.

© 2024 Advocate (Dr.) Prashant Mali


Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
