A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Data Breach Notification Compliance

How to handle a data breach under India's DPDP Act 2023 β€” notification timelines, who to inform, and. Talk to our experts.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Data Breach Notification Compliance, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Do I need to notify the Board if the leaked data was encrypted?

Yes, DPDP requires notification for any personal data breach regardless of technical safeguards. The Board will consider the encryption strength when determining if the breach likely caused harm to individuals.

Can I use my CERT-In incident report for DPDP compliance?

No, because CERT-In focuses on the technical nature of the cyberattack. A DPDP notification must specifically list the categories of personal data affected and the steps you are taking to protect the impacted individuals.

Who should I notify first: the Board or the affected users?

You must notify both the Board and the affected individuals. In practice, notifying the Board first creates an official record of your compliance before a public announcement or user-facing notification goes live.

Real-World Examples Companies struggling with this issue

Government

Aadhaar (UIDAI)

55

Aadhaar is unique β€” it's governed by its own Act and DPDP's Section 17 government exemptions. At 55/100, the system processes 1.3B Indians' biometric data with dedicated legal protections, but the exemptions from DPDP create legitimate questions about citizen data rights, purpose limitation, and the permanence of biometric data.

⚠️ DPDP Section 17 exempts government from some provisions but not all
⚠️ Biometric data (fingerprints, iris scans) security adequacy questions remain
+4 more gaps detected
Feb 2026 View Report
Banking

Bank of Baroda

28

Bank of Baroda's privacy policy is a generic, pre-DPDP document lacking specific compliance with the new Act. Its reliance on implied consent, vague security, and complete silence on critical user rights and data retention creates substantial regulatory risk for India's third-largest public sector bank.

⚠️ No explicit DPDP Act 2023 reference; based on older frameworks
⚠️ Consent is implied and bundled, not specific or freely given
+5 more gaps detected
Mar 2026 View Report
E-commerce

Country Delight

42

Country Delight’s policy covers the basics of data collection but fails the 'Notice' and 'Control' tests of the DPDP Act. Its reliance on 'all-or-nothing' consent and lack of specific deletion timelines creates significant compliance risks for a company handling daily household location data.

⚠️ Bundled consent at signup lacks the granularity required by Section 6
⚠️ No mention of the Data Protection Board for grievance escalation
+4 more gaps detected
Apr 2026 View Report
Book clarity call