This guide is written for practical orientation. The correct legal response depends on the documents, transaction trail, police station, complaint stage, devices involved and the specific allegations.
Breach-response priorities
- Identify affected systems, data categories and timeline
- Preserve logs, access records and forensic artefacts
- Assess whether personal data was accessed, disclosed, altered or lost
- Review processor, vendor and customer contractual obligations
- Prepare legally reviewed notifications and remedial records where required
Documents to prepare
- Incident chronology and evidence register
- Data inventory and affected-data assessment
- Processor and vendor communications
- Security remediation record
- Internal approvals and board-level notes where appropriate
Legal considerations
- DPDP Act role assessment: Data Fiduciary, processor or both
- Consent, notice and lawful processing records
- Grievance handling and data principal communication
- CERT-In and sectoral reporting interactions
- Regulatory defence and penalty-mitigation documentation
Frequently asked questions
What is a data breach under DPDP Act context?
A breach generally involves compromise of digital personal data, including unauthorised access, disclosure, alteration, loss or similar compromise depending on the facts.
Does every cyber incident become a DPDP issue?
No. The incident must be assessed for whether digital personal data is involved and whether statutory obligations are triggered.
What should a company do before notifying customers?
Confirm facts, identify impacted data, preserve evidence, assess legal duties and avoid speculative or inaccurate communication.
Can vendor breaches create liability for the company?
Yes, depending on the company’s role, contract, processor arrangement, security controls and legal obligations.