DPDP Rules 2025 Phase 3 (13 May 2027) OBLIGATIONS

Rule 7

Security Safeguards and Breach Notification

Practical Note

Rule 7 is the breach notification rule. Notification must go to the DPBI and to every affected Data Principal, and the individual notification carries no risk threshold. The text reproduced below specifies no period for either notification; the DPBI is to specify it. Businesses should prepare breach response protocols now, before the 13 May 2027 deadline, rather than waiting for that guidance, because the CERT-In six-hour incident reporting clock already runs in parallel. The content requirement (nature of the data affected, number of Data Principals affected, possible impact, remedial action taken or proposed, contact details) mirrors the content requirements of GDPR Articles 33 and 34.

THE STATUTE

Original Text

(1) A Data Fiduciary shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.

(2) Upon a personal data breach, the Data Fiduciary shall —
(a) notify the Board of the personal data breach in such form and manner and within such period as the Board may specify;
(b) notify each Data Principal whose personal data is affected by the personal data breach, of such breach and such other information as the Board may specify.

(3) The notification referred to in sub-rule (2) shall include —
(a) the nature of the personal data that is the subject of the personal data breach;
(b) the number of Data Principals affected by the personal data breach;
(c) the possible impact of the personal data breach on the Data Principals;
(d) the action taken or proposed to be taken by the Data Fiduciary to address the personal data breach;
(e) the contact details of the Data Fiduciary or its Data Protection Officer.

Analysis & Details

Rule 7 establishes the two-track breach notification obligation under DPDP. Unlike the IT Act's SPDI Rules, which required 'reasonable security practices and procedures' but no breach notification, Rule 7 creates a hard legal obligation to: (1) implement 'reasonable security safeguards', a standard the Rules do not define and which will be elaborated through DPBI guidance and potentially through standards such as ISO 27001 or the CERT-In guidelines; and (2) notify both the DPBI and every affected Data Principal of a personal data breach. The duty to notify the Board and each affected Data Principal is set out in section 8(6) of the DPDP Act, 2023; Rule 7 supplies the content of the notification and delegates form, manner and period to the Board.

NOTIFICATION CONTENT: The notification must describe the nature of the personal data affected, the number of Data Principals affected, the possible impact on them, the action taken or proposed, and the contact details of the Data Fiduciary or its DPO. This is substantively equivalent to the breach notification content required by GDPR Articles 33 and 34. In practice this means the incident record must capture, from the first hours, which data categories and how many records were exposed; a notification that cannot state these is incomplete under sub-rule (3).

NOTIFICATION TIMELINE: The text reproduced above does not specify a period; it delegates the period to the DPBI. Given global norms (GDPR's 72 hours to the regulator; CERT-In's 6-hour rule for cyber incidents), a 72-hour window to the DPBI is widely expected. The window for notifying individual Data Principals may be longer. Until the Board specifies otherwise, a breach response plan should treat 72 hours to the DPBI as the working assumption and note that the CERT-In clock, where it applies, is far shorter.

TWO-TRACK NOTIFICATION: The dual notification requirement (to the regulator and to individuals) is more burdensome than in jurisdictions that require only regulator notification unless the risk to individuals is high. Under Rule 7(2)(b), notification to individuals appears mandatory for every qualifying breach, not only high-risk ones, so the response plan needs a mechanism to reach every affected Data Principal, not a risk-assessment step that might dispense with individual notice.

GDPR Parallel

Articles 32–34 (Security + Breach Notification)

IT Act Impact

Rule 7 introduces the first personal data breach notification obligation in Indian data protection law that runs to the affected individuals. Section 43A of the IT Act and the SPDI Rules made under it required only 'reasonable security practices and procedures' and contained no breach notification requirement. CERT-In's April 2022 direction, which requires qualifying cyber incidents to be reported to CERT-In within six hours of noticing them or being brought to notice, continues in parallel. A single breach may therefore trigger both a CERT-In report and the DPBI and Data Principal notifications, on different clocks, to different recipients and with different content.

Common Queries

Is there a fixed timeline for notifying the DPBI?
The DPDP Rules 2025, as reproduced above, do not specify a fixed timeline; they delegate the period to the Data Protection Board of India to specify by notification. Based on global norms and India's existing CERT-In 6-hour cyber incident rule, a 72-hour reporting window to the DPBI is widely expected. Once the DPBI specifies a period, businesses must comply with it. For now, businesses should build breach response protocols assuming a 72-hour DPBI notification window and a separate, potentially longer, window for notifying affected individuals.

Must every affected individual be notified, even for a low-risk breach?
Yes. Rule 7(2)(b) requires notification to 'each Data Principal whose personal data is affected'. Unlike GDPR Article 34, which requires individual notification only where the breach is 'likely to result in a high risk' to individuals, DPDP Rule 7 appears to require notification to all affected individuals without a risk threshold qualifier. This is a more stringent requirement. Final DPBI guidance may clarify whether a de minimis threshold applies.

What counts as 'reasonable security safeguards'?
Rule 7 requires 'reasonable security safeguards' but does not prescribe specific standards. The DPBI is expected to issue guidelines specifying acceptable security standards. In practice, compliance with ISO 27001 (information security management), the CERT-In guidelines, the RBI cybersecurity framework (for financial entities) and sector-specific standards is likely to constitute evidence of 'reasonable' security. A certificate is evidence of a management system, not of the controls on the system that was breached: Data Fiduciaries should therefore maintain a control inventory that maps each safeguard (access control, encryption, logging, backup, patching) to the personal data it protects, with owners and dates, so that the safeguards in place at the time of a breach can be demonstrated.
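The three queries above (the assumed 72-hour DPBI window, the unconditional individual notification, and documentation as evidence) all feed one artefact a breach response protocol needs: a record that checks a draft notification against the five content elements of Rule 7(3) and tracks the parallel reporting clocks. The following is an added example written for this page, not code from the Rules, the DPBI or any project. The field names are hypothetical, the 72-hour DPBI window is an assumption to be replaced once the Board specifies a period, and the sample incident is constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Rule 7(3)(a)-(e): the five elements every breach notification must carry.
# The dictionary keys are hypothetical field names for an internal breach record.
REQUIRED_FIELDS = {
    "nature_of_data": "7(3)(a) nature of the personal data affected",
    "principals_affected": "7(3)(b) number of Data Principals affected",
    "possible_impact": "7(3)(c) possible impact on the Data Principals",
    "remedial_action": "7(3)(d) action taken or proposed",
    "contact_details": "7(3)(e) contact details of the Data Fiduciary or DPO",
}

# Reporting windows measured from the moment the fiduciary becomes aware.
# CERT-In: six hours under the April 2022 directions, which run in parallel.
# DPBI: 72 hours is an ASSUMPTION (the "widely expected" figure), not a
# period stated in the Rules; replace it once the Board specifies one.
# Data Principals: no period specified, so None, but the obligation is still
# tracked because Rule 7(2)(b) attaches no risk threshold to it.
NOTIFICATION_WINDOWS: Dict[str, Optional[timedelta]] = {
    "CERT-In": timedelta(hours=6),
    "DPBI": timedelta(hours=72),
    "Data Principals": None,
}


def parse_time(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp and insist on a timezone offset."""
    t = datetime.fromisoformat(iso)
    if t.tzinfo is None or t.tzinfo.utcoffset(t) is None:
        raise ValueError("timestamps must carry a timezone offset: " + iso)
    return t


def validate_notification(draft: dict) -> List[str]:
    """Return the Rule 7(3) elements that a draft notification still lacks."""
    missing = []
    for key, description in REQUIRED_FIELDS.items():
        value = draft.get(key)
        if value is None or value == "":
            missing.append(description)
        elif key == "principals_affected" and (
            isinstance(value, bool) or not isinstance(value, int) or value < 0
        ):
            missing.append(description + " (must be a non-negative integer)")
    return missing


def deadlines(aware_at: datetime) -> Dict[str, Optional[datetime]]:
    """Absolute deadline per recipient; None where no period is specified."""
    return {
        recipient: aware_at + window if window is not None else None
        for recipient, window in NOTIFICATION_WINDOWS.items()
    }


def obligation_status(aware_at: datetime,
                      notified_at: Dict[str, datetime],
                      now: datetime) -> Dict[str, str]:
    """Classify each recipient as notified, notified late, overdue, due or open."""
    status = {}
    for recipient, deadline in deadlines(aware_at).items():
        sent = notified_at.get(recipient)
        if sent is not None:
            late = deadline is not None and sent > deadline
            status[recipient] = "notified late" if late else "notified"
        elif deadline is None:
            status[recipient] = "open (no period specified)"
        elif now > deadline:
            status[recipient] = "overdue"
        else:
            hours_left = (deadline - now).total_seconds() / 3600
            status[recipient] = "due in %dh" % int(hours_left)
    return status


if __name__ == "__main__":
    # Constructed sample incident, not a real breach.
    aware = parse_time("2027-06-01T09:00:00+05:30")
    draft = {
        "nature_of_data": "names, email addresses, salted password hashes",
        "principals_affected": 1200,
        "possible_impact": "phishing and credential-stuffing against users",
        "remedial_action": "forced password reset; vulnerable endpoint patched",
        "contact_details": "dpo@example.com",
    }
    print("missing elements:", validate_notification(draft))
    sent = {"CERT-In": parse_time("2027-06-01T14:00:00+05:30")}
    print(obligation_status(aware, sent, parse_time("2027-06-01T19:00:00+05:30")))
```

The point of keeping the Data Principal obligation as an explicit 'open' entry rather than dropping it when no deadline exists is that Rule 7(2)(b) has no risk threshold: the plan must show that every affected individual was notified, not that a risk assessment decided notification was unnecessary. Timestamps are required to carry an offset because the CERT-In and DPBI clocks are short enough that a naive local time in an incident record is a real source of error.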

Key Rules & Provisions

First personal data breach notification obligation in Indian data protection law that runs to affected individuals (CERT-In incident reporting, to CERT-In only, predates it and continues in parallel).

Dual track: notify DPBI AND every affected Data Principal.

Notification timeline to be specified by DPBI — expected 72 hours to DPBI.

No 'risk threshold' — all qualifying breaches must be notified (unlike GDPR's 'risk to individuals' trigger for individual notification).

Supersedes the IT Act SPDI Rules' 'reasonable security practices' regime (which carried no breach notification duty) for digital personal data.