What is current status of Data Protection in India?
Your sensitive financial details, medical history, and even your Aadhaar number are available to hackers at the click of a button. Hackers don’t need sophisticated tools—they can get to your data faster than you can hit ‘submit’ on a Google form. India is sitting on a ticking time bomb of personal data breaches, with more than 100 million records leaked over just a few years. This isn’t some dystopian sci-fi; it’s India's digital reality.
And it’s no laughing matter…
Your personal data is a goldmine, and businesses and hackers alike are digging in with zero regard to user consent. The DPDP Act with its strict laws and steep penalties is the farthest our country has come in its efforts to protect data privacy.
Why should businesses care?
The DPDP Act takes data breaches very seriously and the stakes are monumental. The Act mandates that organizations take comprehensive measures to prevent, and if necessary, respond to data breaches effectively. Data breaches can precipitate massive financial losses, inflict irreparable damage to your brand's reputation, and can now attract penalties as steep as ₹250 Crores.
What constitutes a Personal Data Breach?
As per the Digital Personal Data Protection (DPDP) Act of 2023, a data breach occurs when personal data that should have remained secure and confidential gets exposed—whether through hacking, accidental release, or careless handling. The definition is fairly broad - any unauthorized or accidental disclosure, alteration, loss, or access that compromises the confidentiality, integrity, or availability of personal data.

Let us break down these terms:
Unauthorized Access: This occurs when data is accessed without permission, often through hacking or security oversight, exposing personal data to individuals or entities without the right to view it.
Accidental Disclosure: This can happen when personal data is mistakenly sent to the wrong recipient, published online without proper safeguards, or otherwise exposed through some kind of human error.
Data Loss: Often a result of technical failures or disasters (like fires or floods), data loss happens when data is destroyed without backups available. It can also happen in cyber attacks like ransomware where your access to your data is revoked and it can be deleted or permanently lost.
Alteration: When data is changed without authorization, altering its original state and potentially leading to misinformation or misuse.
Why are Personal Data Breaches such a big deal?
According to the Internet Freedom Foundation (IFF), India has seen an alarming number of data breaches over the past few years. IFF reported that between 2018 and 2021, over 500 million records containing personal data of Indian citizens were exposed in various breaches. This number continues to rise, underscoring the urgency of implementing stringent data protection mechanisms in India.
IFF also noted that specific sectors, such as healthcare, financial services, and e-commerce, are frequent targets for breaches. For instance, the financial sector witnessed multiple breaches involving banks and digital payment platforms which store vast amounts of sensitive personal and financial data.
People suffer: Data breaches can have a profound impact on users. Victims may face financial losses, such as fraudulent charges or the costs associated with securing their credit and identity. Data breaches also erode trust in the affected institutions.
Just last year, the Indian Council of Medical Research (ICMR) suffered a massive leak that compromised the personal data of 81.5 crore individuals, potentially making it one of the largest breaches in India’s history. The stolen data included Aadhaar numbers, passport details, home addresses, and possibly sensitive medical records related to COVID-19 testing. The breach exposed millions of people to the risk of identity theft and financial fraud, as their Aadhaar numbers could be exploited to access banking services or government schemes. The compromised medical records also caused serious privacy violations with personal health data being exposed.
You can use websites like Have I Been Pwned (HIBP) and Firefox Monitor to check if your email addresses or phone numbers have been compromised in a data breach. These services collect information from publicly disclosed breaches and provide notifications if your data appears in their databases. Additionally, Google’s Dark Web Report feature (available through Google One) can help you monitor if your personal information, like email addresses and phone numbers, has surfaced on the dark web.
Financial Implications: Data breaches can lead to direct financial losses through fraud or the necessity of remedial actions, such as legal fees and compensations. Indirect costs include potential fines imposed for non-compliance with data protection laws, which under the DPDP Act can reach up to ₹250 Crores.
Personal data breaches attract the highest slab of penalties under the DPDP Act.

Reports indicate a significant rise in data breaches affecting Indian users. According to a study by IBM referenced in IFF’s work, the average data breach cost in India was ₹14 crore, marking an increase of 9.4% since 2014. Additionally, the per-record data cost went up by 10%, indicating that data breaches are not only frequent but also increasingly expensive to manage. The average time to both detect and contain a breach has also increased, taking approximately 230 days to detect and 83 days to contain.
Zomato experienced this first hand in 2021 when data of 17 million users was stolen and put up for sale. Zomato faced significant market valuation drops due to loss of consumer trust and potential fines. It further bore heavy direct costs of securing the breach, legal fees, and compensation to users.
Legal Consequences: Beyond financial penalties, failing to manage data securely can lead to legal actions and regulatory directives that significantly impact a business. Such directives can disrupt operations, increase scrutiny and operational costs, erode trust with partners, damage market reputation, and necessitate costly upgrades for compliance.
This year, the Reserve Bank of India (RBI) imposed a ban on Kotak Mahindra Bank, barring it from onboarding new customers through online and mobile channels and from issuing new credit cards. This action was taken due to serious deficiencies identified in the bank’s IT systems, including shortcomings in IT inventory management, patch and change management, user access management, vendor risk management, and data security. The bank was required to conduct a comprehensive external audit, approved by the RBI, to address these deficiencies.
Reputational Damage: In the digital age, news of data breaches spreads quickly, leading to a faster decline in business reputation. Individuals may become wary of digital transactions, potentially withdrawing from online activities that they previously engaged in without concern. This hesitancy can alter consumer behavior and impact digital commerce ecosystems. Moreover, the tedious process of securing one's identity and the potential of personal information being misused or sold can lead to long-term vigilance, further embedding the breach's impact into everyday life. Rebuilding the lost trust requires significant investment in both time and resources to enhance security measures and transparent communication efforts.
Erosion of trust in your brand can lead to customer attrition, as clients seek more secure alternatives, and may deter potential partnerships, affecting market competitiveness.
Take the example of BigBasket, which experienced a significant data breach in 2020 which compromised the personal information of over 20 million users, including names, email addresses, and hashed passwords. The incident was widely publicized, leading to heightened consumer apprehension and distrust. The breach sparked immediate public relations challenges and had long-lasting effects on customer loyalty and brand perception. In the aftermath, BigBasket had to invest heavily in security enhancements and transparent communication to rebuild trust and assure their customers of enhanced data protection measures.
What is the DPDP Law on Personal Data Breaches?
The Digital Personal Data Protection Act lays down a detailed framework aimed at preventing and responding to personal data breaches. This framework emphasizes proactive measures and timely responses, placing significant responsibilities on Data Fiduciaries (businesses deciding the how and why of using personal data) to ensure data security and compliance. The fiduciaries are also responsible for preventing and responding to personal data breaches through data processors (third parties or vendors employed by the fiduciary) who process data on behalf of the fiduciary.
What are Data Breach Prevention Obligations?
Data Fiduciaries are mandated to implement ‘Reasonable Security Safeguards’ to prevent data breaches. This standard was not defined in the Act; however, with the recently published Digital Personal Data Protection Rules 2025, we now have much greater clarity on what Reasonable Security Safeguards mean. At the minimum, Data Fiduciaries will be required to implement the following security safeguards:
- Encryption and Obfuscation: Secure personal data through encryption, obfuscation, masking, or virtual tokens to prevent unauthorized access.
- Access Control: Implement stringent measures to control access to computer resources used by both the Data Fiduciary and Data Processors. This includes role-based access permissions, multi-factor authentication, and regular access reviews.
- Monitoring and Logs: Maintain visibility into data access through appropriate logs and monitoring.
- Backup and Recovery: Ensure processing continuity through secure backups, especially in cases where the integrity, confidentiality, or availability of data is compromised.
- Retention of Logs and Data for Breach Detection: Retain logs and relevant personal data for at least one year, unless a longer duration is mandated by applicable laws (covered in our Data Retention Guide). This helps detect breaches, investigate incidents, and take preventive actions against recurrence.
- Contractual Obligations for Data Processors: Data Processors must be contractually obligated to undertake reasonable security safeguards.
- Organisational and Technical Measures: Establish and enforce technical and organizational measures to ensure the effective observance of security safeguards. Examples include regular training for employees, deployment of intrusion detection systems, and periodic policy reviews.
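The first three safeguards above (masking or tokenisation of personal data, access control with an audit trail, and logs retained for at least a year) are easiest to understand in code. The following is an added example written for this post, not code from the DPDP Rules or from any product: it masks a constructed Aadhaar-style identifier for display, replaces it with a keyed pseudonym in the access log so the raw number is never written to logs, and purges log entries only once they are older than the one-year minimum. The key, the sample identifier and the `AccessLog` class are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the 12-digit Aadhaar-style format; not a real number.
SAMPLE_ID = "1234 5678 9012"

# Assumption: in production the pseudonymisation key lives in a KMS/HSM and is
# rotated; a fixed constructed key is used here only so the example runs offline.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"

# DPDP Rules minimum: logs and related personal data kept for at least one year.
MIN_LOG_RETENTION = timedelta(days=365)


def mask_identifier(value: str, visible: int = 4) -> str:
    """Masking for display: keep only the last `visible` digits, e.g. on a
    support screen, so the full identifier is never rendered."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= visible:
        raise ValueError("identifier too short to mask")
    return "X" * (len(digits) - visible) + digits[-visible:]


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed token (HMAC-SHA256) to use in logs and analytics instead of the
    raw identifier. An unkeyed hash is avoided because a 12-digit space is
    small enough to enumerate; with a secret key the token is still stable
    (same input, same token), so records can be joined without the raw value."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


@dataclass
class AccessEvent:
    when: datetime
    actor: str
    purpose: str
    subject_token: str  # pseudonym only; the raw identifier is never logged


class AccessLog:
    """Minimal access log: who touched which (pseudonymised) record and why.
    Entries may be purged only once they are older than the retention minimum."""

    def __init__(self):
        self.events = []

    def record(self, when, actor, purpose, raw_identifier):
        self.events.append(AccessEvent(when, actor, purpose, pseudonymise(raw_identifier)))

    def accesses_for(self, raw_identifier):
        """Breach-investigation query: who accessed this person's record, and why?"""
        token = pseudonymise(raw_identifier)
        return [(e.when, e.actor, e.purpose) for e in self.events if e.subject_token == token]

    def purge_expired(self, now, minimum=MIN_LOG_RETENTION):
        """Delete only entries older than the retention minimum; returns the count removed."""
        keep = [e for e in self.events if now - e.when < minimum]
        removed = len(self.events) - len(keep)
        self.events = keep
        return removed


def demo(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    """Constructed scenario: two accesses to one record, one older than a year,
    followed by a purge. Returns (accesses before purge, entries purged, actors after)."""
    log = AccessLog()
    log.record(now - timedelta(days=400), "alice", "customer support", SAMPLE_ID)
    log.record(now - timedelta(days=10), "bob", "KYC review", SAMPLE_ID)
    before = len(log.accesses_for(SAMPLE_ID))
    removed = log.purge_expired(now)
    after = [actor for _, actor, _ in log.accesses_for(SAMPLE_ID)]
    return before, removed, after


if __name__ == "__main__":
    print("masked:", mask_identifier(SAMPLE_ID))
    print("token :", pseudonymise(SAMPLE_ID)[:16], "...")
    print("demo  :", demo())
```

The point of the keyed token is that a breach-time query such as "who accessed this person's record?" can still be answered from the log, while a leaked log on its own does not reveal anyone's identifier. Running `demo()` shows the older entry being purged only after it has passed the one-year mark.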
A certain class of ‘Significant Data Fiduciaries’ under the DPDP Act are tasked with additional obligations to prevent breach: they must conduct regular risk assessments to identify vulnerabilities within their data processing systems and infrastructures.
The penalty for failing to undertake reasonable security safeguards to prevent personal data breach is ₹250 Crores per instance of breach. This is the highest penalty envisaged in the DPDP Act. We have covered DPDP Penalties in greater detail in another consent blog.
What are the Data Breach Notification Obligations?
Immediate Notice: Upon discovering a data breach, Data Fiduciaries must immediately notify the Data Protection Board (DPB) AND the affected Data Principals (users). The notification to the DPB and affected Data Principals must be crafted and delivered in the manner specified in the DPDP Rules:
Notice to the Data Principals: The DPDP Rules require the Data Fiduciary to send the Data Principal a notification without delay through the user’s registered account or other communication methods registered with the Data Fiduciary (e.g., email, SMS, or in-app notifications). The notification must include:
- Description of breach (nature, timing, and location)
- Likely consequences for the affected Data Principal;
- Risk mitigation measures undertaken by the Data Fiduciary;
- Safety measures that the Data Principal can take; and
- Contact details of the Data Protection Officer or other person responsible for replying to queries.
Notice and detailed report of the breach to the Data Protection Board: The DPB must be notified without delay, with a preliminary description of the breach and its potential impact.
Within 72 hours of becoming aware of the breach, the Data Fiduciary must also share an updated detailed report containing:
- Broad facts and circumstances of the breach, circumstances and reasons leading to the breach;
- Measures implemented or proposed to mitigate risks;
- Findings on the person responsible for the breach;
- Remedial measures to prevent recurrence; and
- Status of intimations sent to affected users.

The penalty for failing to notify the user or the DPB about a personal data breach is ₹200 Crores per instance. This is the second-highest penalty envisaged under the DPDP Act.
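Because the notice to users, the preliminary notice to the Board and the 72-hour detailed report each have their own contents and clock, incident response teams usually track them as a checklist. The following is an added example written for this post (it is not part of the DPDP Rules, nor any product's code) that models a single breach case, flags which obligations are still open at a given moment, and reports how many hours remain on the 72-hour window; it also covers Step 2 of the response roadmap later in this post. The field keys, the `BreachCase` class and the issue codes are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# DPDP Rules: detailed report to the Board within 72 hours of becoming aware.
DETAILED_REPORT_WINDOW = timedelta(hours=72)

# Contents the notice to each affected Data Principal must carry.
PRINCIPAL_NOTICE_FIELDS = {
    "description": "nature, timing and location of the breach",
    "consequences": "likely consequences for the Data Principal",
    "mitigation": "risk mitigation measures taken by the Data Fiduciary",
    "safety_measures": "safety measures the Data Principal can take",
    "contact": "contact details of the DPO or other responsible person",
}

# Contents of the detailed report to the Data Protection Board.
BOARD_REPORT_FIELDS = {
    "facts_and_causes": "broad facts, circumstances and reasons for the breach",
    "mitigation": "measures implemented or proposed to mitigate risk",
    "responsible_party": "findings on the person responsible",
    "remedial_measures": "remedial measures to prevent recurrence",
    "intimation_status": "status of intimations sent to affected users",
}


def missing_fields(payload: dict, required: dict) -> list:
    """Keys from `required` that are absent or blank in `payload`."""
    return [k for k in required if not str(payload.get(k, "")).strip()]


@dataclass
class BreachCase:
    aware_at: datetime                      # when the fiduciary became aware
    principal_notice: dict = field(default_factory=dict)
    board_preliminary_at: Optional[datetime] = None
    detailed_report: dict = field(default_factory=dict)
    detailed_report_at: Optional[datetime] = None

    def report_deadline(self) -> datetime:
        return self.aware_at + DETAILED_REPORT_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left for the detailed report; negative once overdue."""
        return (self.report_deadline() - now).total_seconds() / 3600

    def open_issues(self, now: datetime) -> list:
        """Outstanding notification obligations at time `now`, as short codes."""
        issues = []
        if missing_fields(self.principal_notice, PRINCIPAL_NOTICE_FIELDS):
            issues.append("PRINCIPAL_NOTICE_INCOMPLETE")
        if self.board_preliminary_at is None:
            issues.append("BOARD_PRELIMINARY_NOTICE_MISSING")
        if self.detailed_report_at is None:
            issues.append("DETAILED_REPORT_OVERDUE" if self.hours_remaining(now) <= 0
                          else "DETAILED_REPORT_PENDING")
        else:
            if self.detailed_report_at > self.report_deadline():
                issues.append("DETAILED_REPORT_FILED_LATE")
            if missing_fields(self.detailed_report, BOARD_REPORT_FIELDS):
                issues.append("DETAILED_REPORT_INCOMPLETE")
        return issues


def demo():
    """Constructed timeline: aware at 09:00 UTC on 10 Jan 2025, users notified and
    the Board given a preliminary notice the same morning, detailed report pending."""
    aware = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    case = BreachCase(
        aware_at=aware,
        principal_notice={k: "filled" for k in PRINCIPAL_NOTICE_FIELDS},
        board_preliminary_at=aware + timedelta(hours=2),
    )
    day_later = case.open_issues(aware + timedelta(hours=24))
    hours_left = case.hours_remaining(aware + timedelta(hours=24))
    overdue = case.open_issues(aware + timedelta(hours=80))
    # Now file the full report at +70h, but with one required item left blank.
    case.detailed_report = {k: "filled" for k in BOARD_REPORT_FIELDS}
    case.detailed_report["intimation_status"] = ""
    case.detailed_report_at = aware + timedelta(hours=70)
    filed = case.open_issues(aware + timedelta(hours=80))
    return day_later, hours_left, overdue, filed


if __name__ == "__main__":
    for label, value in zip(("after 24h", "hours left", "after 80h", "after filing"), demo()):
        print(f"{label:>13}: {value}")
```

The clock starts at the moment of becoming aware, not at containment, which is why `aware_at` is the only timestamp the deadline depends on. A blank field in the filed report is treated as an open issue rather than a completed filing, so a report cannot be marked done with the user-intimation status still empty.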
What are the Sectoral Laws Mandating Data Breach Notification?

- RBI - has issued the Master Direction on Outsourcing of Information Technology Services, effective October 1, 2023. This directive applies to various RBI-regulated entities including commercial banks, small finance banks, payments banks, and non-banking financial companies, among others. The Directions oblige third-party service providers to immediately notify the regulated entities of any cyber incidents, and the regulated entities in turn must report these incidents to the RBI within six hours of detection. The RBI has also issued the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices, effective April 1, 2024. The Direction mandates regulated entities to establish robust data security protocols. Crucially, the directive also requires these entities to have a cyber incident response mechanism in place and to report such incidents promptly to both the RBI and CERT-In, ensuring alignment with broader cyber security regulations.
- CERT-In - The Indian government has designated CERT-In to oversee the collection, analysis, and dissemination of information related to cyber incidents. As outlined in the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, and supplemented by the Cyber Security Directions, service providers, intermediaries, data centers, and corporate entities must promptly report to CERT-In incidents such as targeted scanning or probing of critical networks/systems, compromise of critical systems or information, unauthorized access to IT systems or data, and defacement of websites, among others.
- IRDAI - has published the Guidelines on Information and Cyber Security for Insurers in April 2023. This comprehensive directive applies to a wide range of entities within the insurance sector, including brokers, corporate agents, TPAs, and more. The guidelines stipulate that all specified insurance entities must adopt a Board-approved cyber security policy and undergo an independent assurance audit annually. Additionally, any information security incidents must be promptly reported to various stakeholders, including the IRDAI and CERT-In, within six hours of detection, as well as to law enforcement and affected customers.
- SEBI - in its notification dated June 14, 2023, inserted Regulation 27(2)(ba) into the Listing Regulations. This mandates that listed entities disclose details of cyber security incidents or breaches or loss of data or documents in their quarterly Corporate Governance report. Subsequently the stock exchanges released a format for the disclosure of cyber security incidents in the quarterly governance report. This format requires entities to confirm any instances of cyber security incidents or breaches or loss of data or documents during the quarter; provide the date of the event; and give brief details of the event.
What are some preventive measures to avoid Data Breaches?
The saying “prevention is better than cure” applies squarely to personal data breach compliances under the DPDP Act. Here are the measures Data Fiduciaries can implement to protect themselves against data breaches, in alignment with the mandates of the Digital Personal Data Protection Act 2023:
- Data Minimization: Adopt a policy of collecting only the data that is necessary for the specific purposes defined by your organization. This reduces the risk of exposing unnecessary personal data in the event of a breach.
- Storage Limitation: Limit the retention of personal data to a predefined period that aligns with the purpose for which the data was collected. After this period, ensure that the data is securely deleted to prevent unauthorized access. Refer to our industry specific Guide to Data Retention for further guidance.
- Encryption: Use strong encryption to protect data at rest and in transit. This makes it harder for unauthorized individuals to access or decipher the data even if they manage to bypass other security measures.
- Security Protocols: Implement robust security protocols such as secure socket layers (SSL), firewalls, and intrusion detection systems to monitor and protect network traffic and prevent unauthorized access to data systems.
- Data Governance Policies: Establish clear data governance policies that outline how data is handled, who has access to it, and the procedures for data processing and storage. These policies should be regularly updated to reflect new security challenges and regulatory requirements.
- Regular Risk Assessments and Audits: Conduct regular risk assessments to identify potential vulnerabilities in your data handling and storage processes. Follow these assessments with comprehensive audits to ensure that all systems comply with your data governance policies and any regulatory requirements.
- Third Party Oversight: Ensure that all data processors operating on behalf of your organization are bound by contractual agreements that mandate adherence to the same security standards and practices as the data fiduciaries. Include your third party vendors/data processors within your assessment audits to ensure compliance across the board.
- Regular Training Programs: Develop ongoing education and training programs for all employees on the importance of data security and the specific practices they must follow to protect sensitive information. Include training on recognizing phishing attempts and other common cyber threats.
- Awareness Campaigns: Regularly update staff on new security protocols and potential threats. Make data security awareness a part of the company culture to ensure everyone understands their role in protecting personal data.
What are the effective Breach Response Strategies to adopt?
Even with all these measures, a breach may still occur. Below is a step-by-step roadmap for managing breaches:
Step 1: Immediate Action - Detect, Contain, and Secure
As soon as a breach is identified:
- Detect the source and scope of the breach.
- Contain it by disabling compromised accounts, blocking unauthorised access, and isolating affected systems.
- Secure systems to prevent further data loss.
Step 2: Intimation - Notify Users and the Data Protection Board
Once containment begins:
- Notify affected Data Principals without delay, using registered communication channels.
- Inform the Data Protection Board of India immediately, followed by detailed updates within 72 hours.
Step 3: Assess Impact and Fix the Root Cause
After immediate reporting:
- Assess what data was affected and the potential impact on individuals.
- Identify the root cause of the breach.
- Implement remedial measures to fix vulnerabilities and prevent recurrence.
Step 4: Document everything
Throughout the process:
- Retain logs, access records, forensic evidence, user notifications, and breach reports.
- Ensure records are preserved for audits, investigations, and future reference.
Step 5: Review, Learn, and Strengthen
Once the incident is closed:
- Review how the breach occurred and how effectively it was handled.
- Update breach response plans, internal processes, and security controls.
- Train teams based on lessons learned.

What are the next steps?
To deepen your understanding of data protection and ensure your organization remains compliant with the DPDP Act, you can explore more resources on our Consent Blog or refer to our DPDP Compliance Checklist.
If you have questions about how to implement these strategies in your organization or need professional advice tailored to your specific needs, please reach out by filling the form below.
Want to outsource your DPDP compliance to experts so you focus on your core business? Sign up for a free demo of Consent Infrastructure made specifically for the DPDP Act.