DPDP Rules 2025: Data Breach Must Be Reported In 72 Hours
If an app or company that holds your personal data is hacked or leaks your information, it must tell you without delay and report the breach to the Data Protection Board within 72 hours. This is Rule 7 of the Digital Personal Data Protection Rules 2025, notified by the Government on 13 November 2025 vide G.S.R. 846 E.
Short on time? Jump to “Your rights as the affected user” below to see exactly what the company must tell you.
A real scenario
An app you use every day announces that hackers got in and user data leaked. Your name, email, phone number and maybe your Aadhaar or payment details may be out. You are worried. What is the company legally required to tell you, and when?
Under the DPDP Rules 2025, the answer is now written into law. The company holding your data is called the “Data Fiduciary”. You are the “Data Principal”. The moment that company becomes aware of a personal data breach, two clocks start: one to inform you, and one to inform the regulator.
A breach is not only a hacker attack. It includes any unauthorised access, loss, or sharing of your personal data that risks your privacy. So a misconfigured database, a leaked spreadsheet, or a lost laptop can all count.
The 72-hour timeline: what the company must do
Rule 7 is titled “Intimation of personal data breach”. It sets a clear order of steps once the company learns of a breach.
- Inform you without delay. The Data Fiduciary must tell each affected user “in a concise, clear and plain manner and without delay”. This goes through your registered account or contact channel.
- Inform the Board without delay. At the same time, the company must give the Data Protection Board an initial description of the breach: its nature, extent, timing and likely impact.
- File a detailed report within 72 hours. The rule says the company must, “within seventy-two hours of becoming aware of the breach, or within such longer period as the Board may allow on a request made in writing”, give the Board the full picture.
The detailed 72-hour report to the Board must include:
- Updated and detailed information about the breach.
- The broad facts, circumstances and reasons that led to it.
- Steps taken or proposed to reduce the harm.
- Any findings about who caused the breach.
- Remedial measures to stop it happening again.
- A report on what was told to affected users.
Note: the 72-hour deadline is for the detailed report to the Board. The duty to inform you, the affected user, is “without delay” and does not wait for the 72 hours to run.
Your rights as the affected user
When the company informs you under Rule 7, it must give you specific information, not a vague apology. You are entitled to:
- A description of the breach, including its nature, extent and when it happened.
- The consequences that are likely to affect you personally.
- The measures the company has taken or is taking to reduce the risk.
- The safety steps you can take to protect yourself (for example, changing passwords or watching for fraud).
- Business contact information so you can reach the company with questions.
This is your legal floor. A notice that hides the cause or skips the consequences does not meet Rule 7.
When does this rule start?
Be aware of the timing. The DPDP Rules 2025 come into force in stages. Rule 7, the breach intimation rule, sits in the group of rules (Rules 3 and 5 to 16) that come into force 18 months after publication. Counting from 13 November 2025, that points to around mid-May 2027.
So the binding 72-hour duty becomes fully operative on that date. Many responsible companies are expected to follow the standard early. But if a breach happens before the rule is live, your strongest tool is to escalate and complain rather than rely on a fixed legal deadline. Verify the current commencement status before acting on a live breach.
For the wider picture, see our complete guide to the DPDP Act 2023 and your right to erasure and correction of personal data. For RTI tactics to extract records from public bodies, keep The RTI Playbook handy.
What to do in the next 30 minutes
- Read the breach notice carefully and save a copy with the date and time.
- Change the password for that app and any account where you reused it.
- Turn on two-factor authentication wherever you can.
- Watch your bank and UPI statements for any unknown activity.
- Note the company's contact details from the notice and ask what data of yours leaked.
FAQ
What is the 72-hour rule in DPDP Rules 2025?
Rule 7 of the DPDP Rules 2025 says a company that holds your personal data must report a data breach to the Data Protection Board with detailed information within 72 hours of becoming aware of it. The Board can allow a longer period only if the company asks in writing. The separate duty to inform you, the affected user, is “without delay”, not 72 hours.
Does the company have to tell me directly about a breach?
Yes. Rule 7 requires the Data Fiduciary to intimate each affected user “without delay” through your registered account or contact channel. It cannot just inform the regulator and stay silent towards you. The notice must describe the breach, its likely consequences for you, the steps being taken, and what you can do to protect yourself.
When does Rule 7 become legally binding?
Rule 7 falls in the group of DPDP Rules (Rules 3 and 5 to 16) that come into force 18 months after the Rules were published on 13 November 2025. That points to around mid-2027. Before that date, the 72-hour duty is not yet a fixed legal deadline, so escalate and complain if a breach affects you in the meantime. Verify the live status before relying on it.
What can I do if a company hides a data breach from me?
Once the rule is operative, you can complain to the Data Protection Board of India, which can inquire and impose penalties on the Data Fiduciary. Keep evidence: screenshots, emails, transaction records and the date you noticed any misuse. If the data leak involves a public authority, you can also file an RTI application to ask what records were exposed and what action was taken.
Is the 72-hour figure confirmed in the official gazette?
Yes. The “seventy-two hours” figure and Rule 7 appear in the Digital Personal Data Protection Rules 2025, notified vide G.S.R. 846 E dated 13 November 2025 under Section 40 of the DPDP Act 2023. The rule requires the detailed report to the Board within seventy-two hours of the company becoming aware of the breach.
Author
Reviewed by Dr. Shrawan Kumar Pathak. This guide explains the law in plain terms and is not a substitute for legal advice on a specific breach.
Sources
- Digital Personal Data Protection Rules 2025, Rule 7 (Intimation of personal data breach), notified vide G.S.R. 846 E dated 13 November 2025, under Section 40 of the DPDP Act 2023.
- Digital Personal Data Protection Act 2023, Section 8(6) and Section 40.