A CERT-In Empanelled Auditing Organization
Home/Blog/DPDPA
DPDPA

Building a data breach response plan for the DPDPA

Under the DPDPA, a personal-data breach is not just a security problem to be quietly cleaned up — it triggers reporting obligations to the Data Protection Board and to the individuals affected. When that day comes, and for most organisations it eventually does, an untested plan is worth very little. The organisations that come through a breach well are, almost without exception, the ones that decided in advance exactly who does what. This is what a genuinely useful plan contains.

The obligation, in short

Data Fiduciaries must intimate affected Data Principals and report to the Board when a personal-data breach occurs, within the timelines the framework sets. The heavy emphasis on speed is what makes this demanding: your ability to detect and assess a breach quickly is every bit as important as the report itself. A plan that quietly assumes you will calmly discover a breach with plenty of time to spare is not a plan that will survive contact with a real incident, where information is incomplete, systems may be down, and the clock is already running.

What a response plan needs

The roles matter as much as the steps

A plan is only ever as good as the clarity of its ownership. In the intense pressure of a real incident, ambiguity is the enemy: who decides that this is a reportable breach, who talks to the regulator, who briefs leadership, who communicates with affected individuals, who leads the technical response. Name these roles explicitly in advance, with named deputies for when the primary person is unreachable, so that no critical decision has to wait while someone tries to work out who is supposed to make it. A breach discovered at two in the morning is emphatically not the moment to be reverse-engineering your own org chart.

Rehearse it

The single most valuable thing you can do — more valuable than any amount of additional documentation — is to run a tabletop exercise: walk a realistic scenario through the plan with the actual people who would be involved. It converts a document into a practised routine, builds the muscle memory that genuine speed requires, and reliably reveals the gaps — the unclear handoff, the missing contact, the assumption that does not hold — while you can still fix them calmly and cheaply. Every organisation that runs its first tabletop finds something important it had missed, which is precisely the point.

Breach-notification timelines start whether or not you are ready. The organisations that cope are the ones that decided, in advance, exactly who does what — and then actually practised it before they needed it.

The takeaway

A DPDPA breach response plan is not a document you write to satisfy an auditor and then file away; it is a capability you build to protect the business and its customers when something inevitably goes wrong. Cover the full arc from detection through to learning, name the roles and their deputies, and rehearse the whole thing under realistic conditions — and you turn what could be a chaotic, damaging crisis into a managed, defensible response that protects both the people affected and the organisation’s standing.

DPDPABreach ResponseIncident ResponsePrivacy
Share

Keep reading

Related insights

DPDPA

DPDP Rules 2025 are here: your countdown to 13 May 2027

The Rules that operationalise the DPDP Act are notified and the clock is ticking to 13 May 2027. Here is the phased timeline - and what to do in 2026.

6 min read
DPDPA

DPDPA 2023: what Indian businesses must do now

Who the Act applies to, the obligations that matter, the penalties at stake, and a practical six-step plan to get ready.

5 min read
DPDPA

Consent Managers under the DPDPA: what they are and how to prepare

The DPDP framework introduces a new intermediary - the Consent Manager. Here is what it is, who can be one, and how to get your systems ready.

4 min read

Have a question this raised?

Our team turns guidance like this into working compliance and security programmes. Tell us where you are — we’ll help you plan the next step.