DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

‹ Loopholes in the law

Loopholes in the law

Company ka sabse favourite bahana: system down tha

Surya got a notification early one morning. His fintech app, the one holding his entire salary account, PAN, and KYC data, had been down all night. The app opened to a banner: "We are restoring our systems. Your data is safe."

Two days later, it came out that during that "downtime," some users' data had actually been exposed. Surya's dashboard briefly showed someone else's account, and someone else's showed his. He emailed the company. The reply: "This was a technical outage, not a hack, so the breach provisions do not really apply here."

That single sentence is where most companies get it wrong.

A breach is not only a hack

Under the DPDP Act, a breach is not only a hacker breaking in. If a system crash exposes data, locks it up, or destroys it, that is still legally a personal data breach, whether or not anyone hacked anything.

Think of it like a fire in a shop. The insurance company does not say "there was no theft, so your claim does not count." Damage is damage, regardless of the cause.

Once a breach happens, the clock starts

And once a breach happens, a clock starts that nothing pauses. Under Rule 7, the company must inform the Data Protection Board immediately, without delay, and then submit a full detailed report within 72 hours. Affected individuals must also be told without delay, in plain language, in a language they understand, about what happened, what risk they face, and what to do next.

The real twist: no backup is no excuse

Here is the real twist. If a company's defence is "our system was down, so we could not even verify our users," that excuse itself becomes evidence for the Board that the company never had proper backups or safeguards in place. Under Rule 6, companies are required to maintain independent, tested backups built for exactly this kind of crash. Saying "we had no way to check" is admitting the safety net was missing.

A reality check on timing

This entire 72 hour notification obligation, and the penalty hanging over it of up to Rs 200 crore, is not fully enforceable yet. This compliance heavy part of the DPDP Rules only becomes fully operational on 13 May 2027. Right now, in mid 2026, the Board has the structure in place, but not yet the full hammer.

But the companies that start building this mindset today, that a system outage is not a legal shield, will be the ones ahead of the curve in 2027. And the ones still saying "we were not hacked, so we are safe" are the ones due for a wake up call.

So here is the question worth sitting with. If your systems go down tomorrow, does your company have an answer, or just an excuse?

#DPDP #DataProtection #DataBreach #BusinessContinuity #CyberSecurity #PrivacyCompliance #India

An infographic on why a system outage is still a personal data breach under DPDP: system down, data exposed, the company replies that it was not a hack, and that reason is wrong. A breach is not just a hack; if data is exposed, locked or destroyed for any reason it is still a breach, like a fire in a shop where damage is damage. Rule 7 starts the clock: inform the Data Protection Board immediately, submit the full detailed report within 72 hours, and inform affected individuals without delay in plain language. Rule 6 requires independent tested backups, so no backup is no excuse. The obligations and penalties of up to Rs 200 crore become fully enforceable on 13 May 2027.
An outage is not a legal shield. Tap to enlarge.

Be DPDP ready before the deadline

We are preparing more than a dozen ready to use templates, including the Privacy Notice, Consent Notice, Data Retention and Erasure Policy, Security Safeguards Policy, Breach Response Procedure, Children's Data Policy, and the Data Processing Agreement. Drop your email and we will notify you when the assessment and templates go live.