At a glance
When a personal data breach hits, the DPDP Rules require two notifications without delay: a plain-language notice to each affected person, and an initial intimation to the Data Protection Board — followed by a detailed report to the Board within 72 hours. This page is both notifications as ready-to-fill templates, plus the checklist of what the 72-hour report must add. Fill them in during calm weather and park them in your breach-response plan — a breach is the worst possible time to start writing.
Educational resource only. This provides templates for the breach-notification requirements under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice — in a live breach, engage counsel alongside these notifications, not instead of them.
The situation
A breach compresses everything: systems are down, facts are half-known, and two legally required notifications are due without delay — not within 72 hours, which is the deadline for the fuller Board report, but now. Teams that draft these messages mid-incident send them late and say them badly. The fix is boring and effective: have both notifications pre-written with brackets, so the incident only has to supply facts.
What these templates are (and when the clock starts)
Two audiences, two messages, one trigger — and the trigger is becoming aware, not finishing the investigation. On becoming aware of a personal data breach, the Rules require you to inform each affected person, concisely and plainly, through their account or registered contact channel — and to give the Data Protection Board an initial intimation of the breach’s nature, extent, timing, location and likely impact. Both run “without delay.” The detailed report to the Board follows within 72 hours (extendable only on written request the Board grants). A cyber-incident may also start CERT-In’s separate 6-hour clock under the IT Act — a parallel track these templates don’t discharge.
Template 1 — notice to affected people
Send through the person’s account or registered channel. Plain language is a legal requirement here, not a style choice — every bracket should be filled in words the person can act on.
Subject: Important: a data security incident affecting your [account / data] with [Business Name]
Dear [name],
We are writing to inform you of a data security incident at [Business Name] that affects your personal data.
What happened: On [date/time], [plain description of the breach — what occurred, and its extent].
What of yours is involved: [the specific data categories affected for this person].
What this could mean for you: [the consequences relevant to them].
What we are doing: [the mitigation and remedial measures underway].
What you can do: [specific safety steps].
Reach us: [named contact / channel] for any questions or concerns about this incident.
We will update you if the facts materially change. We apologise for this incident and are treating it with the seriousness it deserves.
[Business Name] — [date]
Template 2 — initial intimation to the Data Protection Board
File through the Board’s prescribed channel, without delay on becoming aware.
Subject: Initial intimation of personal data breach — [Business Name]
From: [Business Name], [registration/contact details], Grievance Officer: [name, contact].
1. Nature of the breach: [what occurred]. 2. Extent: [systems and data categories affected; approximate number of Data Principals]. 3. Timing: [when it occurred, if known, and when we became aware]. 4. Location: [systems/premises affected]. 5. Likely impact: [assessment of consequences for affected Data Principals]. 6. Status: Affected Data Principals [have been / are being] notified. A detailed report will follow within 72 hours.
[Authorised signatory, designation, date/time]
The 72-hour detailed report — checklist
The follow-up report to the Board must add what the intimation couldn’t yet know. Within 72 hours of becoming aware (unless the Board grants longer on written request), it covers:
- Updated and broad facts, and the circumstances that led to the breach;
- The remedial and mitigation measures implemented;
- Findings on the person who caused the breach, where established;
- Confirmation and account of the notifications sent to affected Data Principals;
- Any changes to the initial intimation’s facts (extent, numbers, impact).
How to fill it in
Pre-fill the constants now; the incident supplies only the facts.
- [Business Name], contacts, Grievance Officer — fill these today; they don’t change in an incident.
- [what occurred] — nature of the breach (Template 2)
- What it means: The category of incident, in plain terms — this is the classification the Board’s intimation needs first.
- Examples: Unauthorised access, accidental disclosure, ransomware.
- [plain description] / [data categories]
- What it means: Say what happened and what’s exposed in ordinary words — “a file containing customer names and PANs was accessed by an unauthorised party,” not “a security event impacted certain systems.”
- [consequences] / [safety steps]
- What it means: The pairing that makes the notice useful — what could go wrong for them, matched to what they can do about it. Scam-awareness lines matter most: breached data’s first use is usually a convincing call.
- Examples: “Calls quoting this data may sound genuine — don’t act on them”; “reset your password and any reuse of it”; “watch your bank statements.”
- Send-channel — the person’s account or registered contact channel, per the Rules; a public blog post alone doesn’t discharge the duty to notify each affected person.
What these templates don’t cover
Notification is one lane of breach response — these templates don’t run the others. They don’t contain the incident (isolation, forensics, recovery), don’t discharge CERT-In’s 6-hour reporting under the IT Act or sectoral duties (RBI, IRDAI) where those apply, and don’t decide legal strategy — penalties for notification failure reach ₹200 crore, so counsel belongs in the loop from hour one. They also assume you can tell who is affected and what was exposed — which is your processing records doing their job; without that map, no template fills itself.
FAQ
Do I notify people before I’ve finished investigating?
Yes — the duty to inform affected people and the Board runs “without delay” on becoming aware, with the fuller facts following in the 72-hour report. Notify with what you know, labelled as current understanding, and update as facts firm up.
Do I have to notify every affected person individually?
Each affected Data Principal must be informed through their account or registered contact channel, in plain language. A press statement or website banner alone doesn’t meet that.
What if 72 hours isn’t enough for the detailed report?
The Rules allow the Board to grant a longer period on a written, justified request — it’s an exception to ask for, not a default. The initial intimation still goes without delay regardless.
Does telling the Board cover my CERT-In duty too?
No — CERT-In’s 6-hour incident reporting under the IT Act is a separate, parallel obligation with its own recipient and content. A cyber-incident breach typically triggers both.