DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

‹ Loopholes in the law

Loopholes in the law

When does a data breach officially begin?

The DPDP Rules 2025 create important obligations around personal data protection, breach notification, retention, governance, and accountability.

Like any regulatory framework, however, their practical impact depends not only on what is written, but also on what is left open to interpretation. Over the coming posts, I will examine several areas where the Rules are silent, ambiguous, or leave room for different interpretations in practice.

The first relates to a deceptively simple question. When does a data breach officially begin?

What does "discovers" actually mean?

At first glance the answer seems obvious. A breach begins when a company discovers it. But what does "discovers" actually mean? Imagine this scenario:

  • Monday. A security analyst notices unusual activity.
  • Tuesday. The incident response team starts investigating.
  • Wednesday. Internal discussions suggest customer data may be affected.
  • Thursday. Evidence becomes stronger.
  • Friday. Senior management formally confirms a breach.

So when did awareness begin? Monday? Wednesday? Or Friday?

Why the timing matters

This question matters because the DPDP Rules require a Data Fiduciary to act once it becomes aware of a personal data breach. Yet neither the Rules nor the Act clearly define what constitutes awareness.

That creates an interesting challenge. One organisation may treat the first internal alert as awareness. Another may wait until technical confirmation. A third may wait until management approval. All three could face the same incident and still start the reporting clock at different times.

For threat actors, every additional day can mean more data copied, more accounts compromised, and more harm to affected individuals. For organisations, uncertainty creates a different risk. If regulators, investigators, or affected individuals later disagree about when awareness actually began, the organisation may find itself defending not only the breach itself, but also the timing of its response.

One possible approach

One possible solution would be to define awareness as the first documented internal alert that indicates a credible possibility of a personal data breach. Such an approach would create an auditable record and reduce disputes about when obligations were triggered.

The broader question is worth discussing: should breach awareness begin when suspicion first arises, or only after formal confirmation?

#DPDP #DPDPRules2025 #DataProtection #BreachNotification #IncidentResponse #PrivacyLaw #Compliance

An infographic on the DPDP Rules 2025 and data retention, asking whether a successful login should reset the retention clock and whether organisations should distinguish genuine account activity from unusual or automated access.
Where the DPDP Rules 2025 leave room for interpretation. Tap to enlarge.

Be DPDP ready before the deadline

We are preparing more than a dozen ready to use templates, including the Privacy Notice, Consent Notice, Data Retention and Erasure Policy, Security Safeguards Policy, Breach Response Procedure, Children's Data Policy, and the Data Processing Agreement. Drop your email and we will notify you when the assessment and templates go live.