General awareness
"72 hours" is the most misread number in DPDP breach reporting
Ask most teams about breach reporting under the DPDP Act and you get one sentence back. We have seventy two hours to tell the regulator.
That one sentence hides three mistakes.
Mistake one: treating 72 hours as a grace period
On becoming aware of a personal data breach, the Rules require intimation without delay. The seventy two hour mark is only the deadline for the detailed report to the Board: what happened, the circumstances, the mitigation, who caused it, and what you told the people affected. The starting gun is "without delay", not day three.
Mistake two: thinking there is one audience
There are two. Section 8(6) requires intimation to the Board and to each affected Data Principal. Telling the regulator is only half the duty. You must also tell the individuals whose data was involved, in clear and plain terms: what happened, the likely consequences for them, what you are doing about it, and what they can do to protect themselves.
Mistake three: assuming only a confirmed leak counts
The definition is far wider. A personal data breach is any unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data. Read the last word slowly. Availability. A ransomware lockout that exfiltrates nothing, an accidental deletion, a loss of access, each of these is a breach. And there is no severity threshold in the text. Unlike regimes that filter for risk of harm, the Act as it stands asks you to intimate a breach with no de minimis line drawn for you.
The mental model: two clocks, two audiences
DPDP breach reporting is two clocks and two audiences, not one deadline. The clocks are "without delay" and seventy two hours. The audiences are the Board and every affected person.
So the real consequence is that you cannot build this at the moment of the breach. Under pressure, without delay is unforgiving. You need detection that surfaces incidents quickly, a decision path for what qualifies, and drafted intimations for both audiences ready to complete, not written from scratch at hour seventy. The organisations that stumble are rarely the ones that miss by an hour. They are the ones that spend the first two days deciding whether the incident counts at all.
Before you treat seventy two hours as your breach plan, ask a different question.
If an availability only incident hit us tomorrow, would we recognise it as a reportable breach, and could we intimate both the Board and every affected person without delay, not on day three?
Where do you expect the real difficulty to sit: recognising that an incident is a reportable breach in the first place, or executing the dual intimation fast enough once you have?