Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules 2025 require a data fiduciary, on becoming aware of a personal data breach, to notify the Data Protection Board of India and every affected data principal without delay, with a comprehensive report to the Board within 72 hours. The clock starts at awareness, not at occurrence. CERT-In Directions 2022 require reporting of cyber security incidents within 6 hours of detection through a separate channel — this clock runs in parallel, not as an alternative. Sectoral regulators — RBI, SEBI, IRDAI — impose their own incident-reporting timelines that also run in parallel for regulated entities. For a regulated Indian financial entity that suffers a single breach involving personal data, four to six regulatory notifications may be due within the first 72 hours, each in its own prescribed format, each requiring specific content, each with its own clock. The checklist below covers the DPB and data-principal track end to end, and signposts the parallel obligations that the CISO function owns separately.
Awareness, Classification, and Clock Anchoring
Awareness event logged with timestamp; “awareness” defined per Rule 7 as the moment at which the data fiduciary becomes aware of a personal data breach, not the moment the breach occurred
Awareness logged by named role and named individual; backup escalation if primary unreachable
Severity classification completed against the institution's documented classification scheme; classification done within an operationally defined target window (e.g. 1 hour)
Personal-data-breach determination made: was personal data involved; if no, Rule 7 does not apply but other obligations may
Incident commander assigned; in Indian BFSI, joint command between the DPO and the CISO is the working norm — the DPO owns the DPB and data-principal tracks, the CISO owns the CERT-In and sectoral tracks
Parallel regulatory clocks identified and anchored to the awareness timestamp: DPB (72-hour comprehensive), CERT-In (6-hour), RBI / SEBI / IRDAI as the entity's sector dictates
Internal communication protocol locked: no public statements, no customer-facing acknowledgements, no social-media response before the Section 8(6) notifications have been issued
Legal counsel engaged for privilege and statement-control coordination
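The parallel clocks anchored in the items above can be modelled directly, so the awareness timestamp (never the occurrence timestamp) drives every deadline. This is an added illustration, not code from the checklist or from any platform; the sector labels, track names and the `None` placeholders for RBI and SEBI hours are assumptions, while the CERT-In 6-hour, IRDAI 6-hour and DPB 72-hour windows are the ones the checklist states.

```python
# Added example (not part of the original checklist): anchor every regulatory
# deadline to the AWARENESS timestamp, never the occurrence timestamp.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Track:
    name: str               # regulatory track
    owner: str              # "DPO" or "CISO", per the joint-command split
    hours: Optional[float]  # None = "without delay" / not fixed on this page

# Sector -> (regulator, default hours). RBI and SEBI hour values are not stated in
# the checklist, so they stay None unless the operator supplies them from the circular.
SECTOR_REGULATORS = {"banking": ("RBI", None), "securities": ("SEBI", None),
                     "insurance": ("IRDAI", 6)}

def build_tracks(personal_data: bool, sector: Optional[str] = None,
                 sector_hours: Optional[float] = None) -> list[Track]:
    """Parallel tracks owed; CERT-In applies whether or not personal data was involved."""
    tracks = [Track("CERT-In incident report", "CISO", 6)]
    if personal_data:  # Rule 7 tracks exist only when personal data is involved
        tracks += [Track("DPB initial notification (Rule 7(1))", "DPO", None),
                   Track("Data-principal notification", "DPO", None),
                   Track("DPB comprehensive report (Rule 7(2))", "DPO", 72)]
    if sector in SECTOR_REGULATORS:
        regulator, default_hours = SECTOR_REGULATORS[sector]
        hours = sector_hours if sector_hours is not None else default_hours
        tracks.append(Track(f"{regulator} incident report", "CISO", hours))
    return tracks

def anchor_clocks(awareness: datetime, tracks: list[Track]) -> dict[str, Optional[datetime]]:
    """Due time per track from the awareness timestamp; None = due without delay."""
    if awareness.tzinfo is None:
        raise ValueError("awareness timestamp must be timezone-aware for evidencing")
    return {t.name: None if t.hours is None else awareness + timedelta(hours=t.hours)
            for t in tracks}

def overdue(deadlines: dict[str, Optional[datetime]], now: datetime) -> list[str]:
    """Fixed-hour tracks whose deadline has passed at 'now', sorted by name."""
    return sorted(n for n, due in deadlines.items() if due is not None and now > due)

AWARENESS = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)  # constructed example time

if __name__ == "__main__":
    deadlines = anchor_clocks(AWARENESS, build_tracks(personal_data=True, sector="insurance"))
    for name, due in deadlines.items():
        print(f"{name:42s} {'without delay' if due is None else due.isoformat()}")
    print("overdue at T+7h:", overdue(deadlines, AWARENESS + timedelta(hours=7)))
```

Run against a real incident, the only input that should ever change the deadlines is the logged awareness timestamp from the first item above; the occurrence time is recorded for the report but does not move any clock.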
Without-Delay Notification Preparation
Affected data principals identified by scope; identification done from logs, not from assumption — under-notification risks regulatory action, over-notification risks panic
Scope split documented: data principals whose data was confirmed affected, data principals whose data was potentially affected pending forensic confirmation
Initial notification to the DPB prepared per Rule 7(1) with: nature of the breach, apparent extent, timing, location, likely impact on affected data principals
Initial notification to affected data principals prepared with: plain-language description of the breach, the personal data exposed, the protective steps the data principal can take, the data fiduciary's contact details for queries
Notification text drafted in English plus every Eighth Schedule language relevant to the affected base; translation accuracy verified
Notification channel matched to the data principal's primary contact (email, SMS, in-app, postal where required)
Notifications sent to the DPB and to affected data principals without delay — the two recipients are not sequenced; both clocks start at the same awareness moment
Delivery of notifications evidenced; bounces and undelivered notifications tracked for follow-up
CERT-In 6-Hour Parallel Track
CERT-In incident report submitted within 6 hours of awareness through the CERT-In incident portal, in the format prescribed by the CERT-In Directions
CERT-In submission cross-referenced to the DPB notification; the same factual base used; differences in format reconciled
CERT-In confirmation of receipt obtained and filed
Sectoral Regulator Parallel Tracks
RBI incident reporting initiated for regulated banking entities within the RBI-prescribed timeline; format and content per RBI Cyber Security Framework
SEBI incident reporting initiated for SEBI-regulated entities (intermediaries, MIIs, KRAs) within the SEBI CSCRF-prescribed timeline; format and content per the relevant CSCRF circular
IRDAI incident reporting initiated for insurance entities within the IRDAI-prescribed 6-hour timeline; format per IRDAI Cybersecurity Guidelines 2023
Sectoral notifications cross-referenced to DPB and CERT-In notifications; consistency of facts across all tracks verified before sign-off
72-Hour Comprehensive DPB Report under Rule 7(2)
Broad facts about the breach assembled: when, where, how, what systems, what data categories, what volume
Root cause established or stated as pending; pending root cause is acceptable for the 72-hour report if forensic analysis is ongoing — the report does not have to be final
Mitigation measures already taken documented: containment, system isolation, credential reset, vendor cutover, data recovery, customer-support surge
Mitigation measures proposed documented: ongoing remediation, hardening, monitoring, structural changes
Findings on the person or entity responsible for the breach documented, or stated as under investigation
Recurrence-prevention steps documented: control changes, process changes, training, vendor management changes
Summary of notifications issued to affected data principals: count, channels used, timing relative to awareness
Comprehensive report submitted to the DPB within 72 hours of awareness, or an extension request filed with reasoning if more time is required (Rule 7 permits extension on written request)
Submission delivery to the DPB evidenced; acknowledgement filed
Internal stakeholders briefed on the submission: board, CRO, CFO, head of legal, communications lead
Data Principal Grievance Surge Management
Grievance and rights-request volume monitored daily following data-principal notification
Grievance Officer surge plan activated; additional capacity provisioned if volumes warrant
Common questions tracked; FAQ published in plain language across affected channels
Rights requests triggered by the breach (access, erasure, complaint) handled within Rule 14's 7-day SLA without exception
Refusal of any breach-triggered request reviewed for lawful basis with elevated scrutiny; refusals during a breach window are high-risk for regulatory action
Patterns in grievances analysed for indicators of harm not previously identified; new harm categories fed back to the DPB if material
Post-72-Hour and Post-Incident
Internal lessons-learned review completed within 14 days; review includes detection lag, containment delay, communication friction, regulatory-coordination friction
Lessons-learned outcomes fed into security safeguards under Rule 6 and into the next DPIA cycle for affected processing activities
Vendor processor notification completed where the breach originated in the supply chain; vendor DPA breach-notification clause invoked
Sectoral regulator follow-up communications closed; status reports filed at the cadence each regulator requires
All breach records retained per Rule 6 for minimum 1 year and longer where the institution's policy or sectoral rules require
Breach entered into the audit-period log for inclusion in the next Rule 13 cycle's evidence package
Board-level after-action review held; board-level decisions on structural changes, accountability, and capability investment recorded