Breach Notification Requirements: India | Global Data Privacy and Cybersecurity Handbook | Baker McKenzie Resource Hub
Last review date: 22 December 2023

Yes

Per the DPDP Act, a personal data breach includes any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. The DPDP Act requires a data fiduciary and data processor to inform each affected data principal as well as the DPBI in case of a personal data breach. The DPDP Act prescribes reporting for all types of personal data breaches, regardless of the sensitivity of the breach or its impact on a data principal. The form and manner of reporting, materiality threshold and timeline for reporting are yet to be prescribed.

Further, the Cyber Security Directions require entities to mandatorily report cyber security incidents to India Computer Emergency Response Team (CERT-In) within six hours of noting such incidents or being notified of such incidents. The Cyber Security Directions have listed certain cyber security incidents, including unauthorized access of IT systems or data, that must be mandatorily reported by entities to the CERT-In.

Therefore, once the implementation of the DPDP Act is clarified, all entities would be required to follow dual reporting in the event of a personal data breach, both to the CERT-In and the Data Protection Board of India.

Last review date: 22 December 2023

- data protection authorities
- cybersecurity authorities
- affected individuals
- other

Please refer to our response to "Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?" and "Are there any additional sector-specific or non-personal data security breach notification requirements?"

Last updated: 22 December 2023

- controller/owner
- data protection authorities
- cybersecurity authorities
- affected individuals
- others

Please refer to our response to "Are there any additional sector-specific or non-personal data security breach notification requirements?"