Under the Digital Personal Data Protection Rules 2025 (DPDP Rules, 2025), companies must inform the Data Protection Board without delay of a data breach, giving a description of it (its nature, extent, timing, and location of occurrence) and its likely impact. This is the only change to the breach-related measures from the draft version of the rules released in January this year.

Within 72 hours of the breach, they have to give the Board an updated description of the breach, the circumstances leading up to it, the remedial and mitigation measures the company has implemented, and its findings regarding the person who caused the breach. Companies affected by data breaches also have to inform the Board, within the same 72 hours, of the notifications they sent to affected parties. The Data Protection Board may allow a company to take longer than 72 hours to submit this additional information if the company sends in a written request asking for an extension.

The rules seek to operationalise the Digital Personal Data Protection Act (DPDPA, 2023). Under the Act, “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data” would constitute a data breach. 

In the event of a breach, companies have to inform the Data Protection Board and the affected parties. If a company fails to report a breach, it could face a fine of up to Rs. 200 crore. The Board can also fine companies that don’t put in place “reasonable” security safeguards to protect personal data up to Rs. 250 crore. The measures regulating data breaches come into effect 18 months from now.

Requirements to keep data secure under the finalised rules:

Companies must use data security measures such as encryption, obfuscation, masking, or virtual tokens mapped to personal data to protect user data from breaches. As in the draft version of the rules, which the government released earlier this year, companies have to enforce effective access controls on their computer resources and keep track of who is accessing personal data by maintaining logs. The rules suggest that this will help a company detect unauthorised access, investigate it, and remediate it to prevent recurrence.

Companies also have to retain logs and the personal data in storage for a year so that unauthorised access can be detected; the only exception is where a specific law prevents them from retaining that data. They have to ensure that they have reasonable means (such as data backups) to continue data processing in the event of a breach. Further, companies must implement appropriate technical and organisational measures to ensure that the security safeguards are effectively observed.

How do the platforms inform the affected parties?

Companies have to intimate their affected customers in a “concise, clear and plain manner” and…

Last Update: November 14, 2025