By Mandar Patil, Founding Member and SVP – Global Sales and Customer Success, Cyble
India’s Digital Personal Data Protection (DPDP) Act, 2023, is not just another law—it’s the culmination of years of intensive debate, deliberation, and expert inputs shaping India’s privacy future. As the law finally passed Parliament in August 2023, it ushered in a new era of accountability in handling personal data for over 1.4 billion users.
At Cyble, we were uniquely positioned from early on. In 2020, we were invited by the Parliamentary Committee to provide practitioner insights into the evolving data protection bill—an honor that gave us a firsthand seat at the table shaping India’s data privacy landscape. This early engagement meant we understood the law not just from a theoretical standpoint, but from the frontlines, bridging what regulators expect with what India’s businesses must deliver to protect data and comply effectively.
For Indian CISOs and business leaders, the DPDP Act is simultaneously a challenge and an opportunity. It means complying with tougher obligations, avoiding penalties of up to ₹250 crore per instance, and building durable trust in a massive digital market. Our deep understanding, honed through Parliament feedback and daily dark web monitoring, puts us ahead of the curve—ready to help organizations detect breaches early and meet the demanding timelines set by Indian law.
High Stakes: Penalties and the Critical Importance of Timely Breach Reporting
The DPDP framework enforces compliance with teeth. Appeals from orders of the Data Protection Board (DPB) go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), offering clarity on dispute resolution.
DPDP further raises the bar for breach notification standards. Indian law requires violators to notify the DPB and affected individuals “without delay.” CERT-In directions, effective since April 2022, impose a strict 6-hour reporting window for cyber incidents, including data breaches. Organizations must designate points of contact and keep detailed logs for 180 days.
Under the Digital Personal Data Protection (DPDP) Act and its draft rules, Data Fiduciaries (DFs) must notify the DPB both “without delay” and within 72 hours of becoming aware of a breach. The initial notification contains preliminary details; the 72-hour deadline applies to a more comprehensive report covering the nature, extent, and potential consequences of the breach and the mitigation measures being taken.
This staged approach acknowledges that initial breach details are often uncertain, allowing for a preliminary notification without delay and a comprehensive report later.
Why the dual approach? This requirement is in place to ensure that data principals (the individuals whose data has been breached) and the DPB are informed quickly, but also that DFs have enough time to gather more detailed information and implement corrective actions before submitting a full report.
Hence, CISOs have two ticking clocks: 6 hours to report to CERT-In and immediate notification obligations to the DPB and users. This double-clock dynamic demands readiness and speed.
In case of non-compliance, the DPDP Act also provides for hefty penalties running to several hundred crore rupees.

| Violation | Penalty (Up to) |
| --- | --- |
| Failure to prevent data breach | ₹250 crore |
| Failure to appoint DPO (for SDFs) | ₹150 crore |
| Non-compliance with children’s data rules | ₹100 crore |
| Consent violations | ₹50 crore |
| Failure to report breaches | ₹25 crore |
These penalties are not just financial; they also come with reputational fallout, customer distrust, and potential operational restrictions.
Why Real-Time Detection, Especially on the Dark Web, Is Non-Negotiable
From our frontline perspective at Cyble, the first signals of breach incidents often emerge outside traditional perimeters—in dark web forums, illicit marketplaces, breach paste sites, or encrypted messaging channels—sometimes hours or even days before ransom demands or customer complaints surface. Early warning signals may not offer instant certainty, but they create valuable time margins to triage risks, contain damages, preserve evidence, and trigger required notifications within legal deadlines.
Real-time leak detection combined with breach intelligence tightly compresses “time-to-notice” and “time-to-evidence,” exactly what Indian law demands. Organizations without early dark web visibility struggle to meet the aggressive reporting standards. We expect the DPB to start operations as soon as the DPDP Rules are notified, likely by the end of September 2025, making early detection capability even more critical.
The Cyble Playbook for Helping CISOs Manage DPDP Reality from Day One
From a practical viewpoint, Cyble’s role is to save time and reduce regulatory exposure by delivering early warning, actionable intelligence, and coordinated response playbooks aligned with DPDP demands. Here’s how:
- Early-Signal Coverage: Continuous 24/7 monitoring of dark web markets, closed forums, breach-paste sites, and credential dumps tailored to each organization’s brands, executives, and partners. This cuts down the time to first alert, helping meet CERT-In’s six-hour and DPB’s “without delay” notifications.
- Breach Triage & Evidence Collection: Expert validation, scope bounding, and evidence packaging that meet Indian law’s evidentiary standards, aiding regulator notifications and customer communications. Log retention and incident categorization align with CERT-In Annexure I mandates.
- Data Breach Notification Choreography: Tailored templates and timelines for prompt reporting to CERT-In, DPB, affected individuals, and internal stakeholders to build trust and reduce friction. Early coordinated disclosures mitigate reputational damage.
- Incident Response Drills: Custom “Hour Zero” playbooks define roles and artifact collection. Tabletop exercises simulate the challenging two-clock reality, driving readiness metrics like mean time to detect and time to evidence.
- Architecture & Integrations: Cyble’s platform integrates with SIEM, SOAR, and case management tools for seamless alert actionability and chain-of-custody documentation—critical for audits and appeals.
- Governance & Lifecycle Controls: Guidance on encryption, access controls, monitoring, storage limitation, deletion discipline, and cross-border flow compliance, mapped tightly to DPDP’s reasonable security safeguards.
- Sectoral Liaison: Lawful coordination with sectoral CERTs and national channels for smooth escalations, with legal posture managed by counsel and documentation structured to withstand DPB and TDSAT scrutiny.
A Quick Primer on How to Report a Breach Under DPDP
- Initiate incident response the moment a breach is noticed. Assign log preservation and begin incident logging immediately.
- Report to CERT-In within 6 hours via email, phone, or fax using Annexure I incident categories. Maintain logs for 180 days.
- Notify the DPB and affected individuals “without delay,” including breach nature, consequences, mitigations, and contact info.
- Coordinate legal and PR teams early for accurate, transparent disclosure—this is now best practice in India.
What CISOs Must Prioritize
- Extend monitoring beyond enterprise networks to dark web and closed channels.
- Build and rehearse an “Hour Zero” incident response runbook.
- Pre-approve regulator reporting and user notification templates linked to SOAR workflows.
- Conduct tabletop exercises simulating CERT-In’s 6-hour and DPB’s immediate as well as 72-hour notifications.
- Track and report relevant KPIs quarterly to the board, like time-to-notice and time-to-evidence.
- Prepare for Significant Data Fiduciary obligations once the DPDP Rules are finalized.
Why Choose Cyble—And Why Act Now
At Cyble, we specialize in giving organizations more time—the most precious resource in breach response. Our continuous dark-web monitoring prepares you for timely detection. We package strong, legally admissible evidence and choreograph notifications, so clients meet India’s uniquely tough timelines and have an Incident Response Playbook handy in times of crisis. We advocate a strong disclosure culture that not only neutralizes breaches but also collectively reduces hacking incentives.
Cyble serves several federal bodies and CERTs across the globe. This gives us a unique edge in meeting the regulatory demands of the DPDP Act, which are similar to the GDPR and HIPAA requirements in the European and U.S. markets.
As Beenu Arora, our CEO, says, “Personal data protection is essential to fully capitalise on the benefits of India’s digital revolution.” The DPDP Act raises the compliance bar, and our mission is to make clearing that bar repeatable and achievable for every Indian CISO.