← Back to blog
SOC as a Service Jun 26, 2026 8 min read Updated Jul 3, 2026

DPDP Act Breach Notification: The 72-Hour Rule, and What Your SOC Actually Has to Do

Reading mode

For years, India’s data protection rules lived mostly on paper. That changed on 13 November 2025, when the government notified the Digital Personal Data Protection (DPDP) Rules, 2025. These rules put the DPDP Act, 2023 into practice.

For security teams, one duty stands out. When a personal data breach happens, you must tell the Data Protection Board of India and every affected person, and you must file a detailed report within 72 hours of becoming aware of it.

If that sounds familiar, it should. It sits right next to CERT-In’s 6-hour rule. And here is the part most businesses miss. A single breach can start both clocks at once. This guide covers what the DPDP breach rule asks for, how data residency really works in India, and what SOC providers in India need to do to keep you inside both windows.

What the DPDP breach rule asks for

The DPDP framework rolls out in stages. The Data Protection Board was set up as soon as the rules were notified. Consent manager rules follow around November 2026. The day-to-day duties, including breach notification, become fully enforceable by 13 May 2027. So 2026 is a build year, not a wait year.

For a personal data breach, the rules set out two steps:

  • First, an early notice, without delay. The moment your team confirms a breach, you send a short notice to the Data Protection Board. This is not a finished report. It just puts the Board on notice that something happened.
  • Then, a detailed report within 72 hours. Within 72 hours of becoming aware, you file the full report. It covers the nature and size of the breach, the types of data affected, the rough number of people involved, the likely impact, and what you have done or plan to do.

You must also tell every affected person in plain language: what happened, what it means for them, and what they should do to protect themselves. There is no minimum size. A breach affecting one person carries the same duty as one affecting a million.

Two things make this hard. First, like CERT-In, the clock starts when you become aware, not when your investigation ends, and it runs through nights, weekends and holidays. Second, the penalties are steep. Failure to report can attract fines of up to 200 crore rupees, and failure to keep reasonable safeguards up to 250 crore rupees.

Two clocks, one breach: DPDP and CERT-In together

This is the point worth remembering. The DPDP 72-hour rule does not replace your CERT-In duties. It sits on top of them.

Most real breaches count as both a personal data breach (DPDP) and a cyber incident (CERT-In). When that happens, two separate clocks start the moment you become aware:

  • 6 hours to report to CERT-In, under the 2022 directions.
  • 72 hours to file the detailed report with the Data Protection Board, under the DPDP rules.

They go to different bodies, use different formats, and have very different deadlines. But they start from the same trigger. An incident plan that only handles one of them will fail the other. If you have not mapped the CERT-In side yet, start with our guide to CERT-In’s 6-hour reporting rule.

How data residency actually works in India

“Keep the data in India” gets repeated so often that it is worth being clear, because the DPDP Act is more nuanced than people think.

The DPDP Act uses a “negative list” for moving data abroad. Personal data can generally go outside India unless the government names a specific country or place it cannot go to. So the Act is not a blanket data-storage-in-India law.

But data residency in India is a patchwork, and other rules do force India storage in some cases:

  • CERT-In requires logs of all IT systems to be kept for a rolling 180 days, inside India.
  • RBI requires payment system data to be stored only in India.
  • Sector regulators and enterprise customers often add their own residency demands through contracts and audits.

So the honest answer to “where does our data need to live?” is: it depends on your sector and your data types, and it needs to be designed on purpose, not assumed. A good SOC engagement confirms the exact setup up front, based on your SIEM, cloud and rules.

What SOC providers in India need to do

Meeting a 72-hour deadline, while also meeting a 6-hour one, is an operations problem before it is a legal one. Here is what SOC providers in India need to deliver.

1. Detection fast enough to start the clock honestly

You cannot report a breach you have not detected. Watching endpoints, cloud, identity and application logs around the clock is what turns a quiet compromise into a clear, timestamped alert. That alert is the moment of awareness both clocks depend on.

2. Quick scoping of what data was hit

DPDP reporting is not just “we were breached.” You have to state the types of personal data involved and the rough number of people affected. That needs a SOC that can quickly link the incident to the affected systems and data stores, which in turn needs to know where personal data lives.

3. Report templates for both regimes

The teams that come through a breach with their reputation intact are the ones that practised. That means ready-made templates for both the CERT-In report and the DPDP report, plus the notice to affected people. So at hour two you are filling in facts, not writing from scratch. A good SOC keeps these ready.

4. Evidence and a solid timeline

If the Board or CERT-In questions your timeline, your logs are your defence. That means the 180-day, India-based log trail, synced timestamps, and a record of when you detected, when you reported, and what you did.

5. One escalation path for both clocks

A single plan has to serve both rules. Name the owners for the 6-hour CERT-In notice and the 72-hour DPDP filing, with deputies for when people are on leave, and run quarterly drills that test the whole chain. Gaps you find in a drill are free. Gaps you find at hour 50 of a real breach are expensive.

What to check when picking a provider

Not every SOC is built for Indian rules. When you compare providers, look for:

  • Both clocks in the workflow. CERT-In (6 hours) and DPDP (72 hours), not just generic incident response.
  • India-based log storage built into the service.
  • Data-flow awareness so reporting on affected data types is possible, not a guess.
  • Practised escalation with named owners and drills.
  • IST-aligned analysts who are reachable while the clock runs.

A quick note on scope. Meeting these reporting duties is a SOC job. It is different from the periodic audits done by a CERT-In empanelled vendor. Empanelment covers audits and VAPT, not day-to-day monitoring. Most regulated businesses need both.

The bottom line

The DPDP rules turned data protection in India from a principle into a deadline. Between now and mid-2027, the businesses that get ahead are not the ones with the thickest policies. They are the ones whose SOC can detect a breach, work out the affected data, and file to two bodies on two different clocks without missing either. Build that ability before you need it, and a breach becomes a managed event instead of a crisis.


See how your breach response holds up

SOCroom runs analyst-led, 24/7 managed SOC operations from Bengaluru, built around CERT-In’s 6-hour window, DPDP-ready breach response, and India-based log storage. Book a free security assessment and we will show you where your two-clock response holds and where it breaks.


FAQ

What is the DPDP Act’s breach notification timeline? Under the DPDP Rules 2025, a Data Fiduciary must send an early notice to the Data Protection Board of India without delay, and a detailed report within 72 hours of becoming aware of a personal data breach. Affected people must also be told in plain language.

Does the DPDP 72-hour rule replace CERT-In’s 6-hour rule? No. They are separate duties that stack. A single breach can need a report to CERT-In within 6 hours and to the Data Protection Board within 72 hours, both measured from when you became aware.

When does the DPDP Act become fully enforceable? The DPDP rules were notified on 13 November 2025 and roll out in stages. The main duties, including breach notification, become fully enforceable by 13 May 2027. Most businesses are treating 2026 as their build year.

Does the DPDP Act require all data to be stored in India? No. The Act uses a negative-list approach to moving data abroad. Data can generally go outside India unless the government restricts a specific country. But CERT-In log rules, RBI payment-data storage, and sector or contract terms do require India storage in some cases.

What role does a SOC play in DPDP compliance? A SOC provides the ongoing detection, incident scoping, evidence and report templates needed to notify regulators inside the required windows. Meeting the 72-hour and 6-hour deadlines is an operations job a managed SOC is built to do.

Ready to secure your
operations?

Talk to a SOCroom expert today. We'll assess your environment, identify your biggest risks, and recommend the right solution - no commitment required.