
The 72-Hour Breach Notification Rule: What HR Must Do When Something Goes Wrong

Under the DPDP Act, 2023, time matters more than intent.

When a personal data breach occurs, organisations are expected to act fast, decisively, and transparently. Delays don’t just increase risk – they increase liability.

This guide explains:

  • What the “72-hour rule” actually means
  • When HR must act
  • What HR should do in the first few hours after a breach

First: Is There Really a 72-Hour Rule Under DPDP?

DPDP does not copy-paste GDPR language. Section 8(6) of the Act requires a Data Fiduciary to intimate the Data Protection Board of India and each affected Data Principal of a personal data breach, in the form and manner prescribed by rules. The Act itself sets no hour count; the 72-hour figure comes from the DPDP Rules, 2025 (Rule 7 in the draft published in January 2025), which require intimation "without delay" on becoming aware of a breach, with updated and detailed information to be furnished to the Board within 72 hours of becoming aware, or such longer period as the Board allows on a written request. Separately, CERT-In's 2022 directions require cyber security incidents to be reported to CERT-In within six hours of noticing them; the DPDP timeline does not replace that obligation.

👉 Initial breach intimations (to the Board and to affected individuals) must be made without delay
👉 The detailed report to the Board is due within 72 hours of becoming aware
👉 Internal assessment and escalation should therefore happen within hours, not days

For HR teams, this effectively means:

  • You cannot wait to “fully investigate”
  • You cannot delay because the breach was accidental
  • You cannot assume a vendor will handle it

The clock starts the moment the breach is discovered – not when it is confirmed.


When Does the 72-Hour Clock Start?

The clock starts when any of the following happens first:

  • Anyone in the organisation (not only HR) becomes aware of unauthorised access, disclosure, alteration, or loss of personal data – awareness by IT or a line manager counts as the organisation's awareness, even if HR hears about it later
  • A vendor (Data Processor) informs you of an incident
  • An internal employee flags a mistake involving personal data

Discovery = awareness, not proof. Record the date and time of first awareness; every later deadline is measured from it.


The 72-Hour Breach Response Timeline (HR View)

Timeframe         What HR must do
0–6 hours         Contain exposure: revoke access, disable shared links, secure affected systems, preserve logs and evidence
6–24 hours        Identify the data involved, assess scale, escalate to Legal and IT/Security; send the initial intimation to the Board and affected individuals once a personal data breach is confirmed
24–48 hours       Assess likely consequences for individuals, document findings, draft and send any intimations not yet sent
48–72 hours       Finalise the detailed report to the Board with Legal (due within 72 hours of becoming aware), align all communications
Beyond 72 hours   Complete remediation, vendor action, policy fixes, training; keep the Board updated if it allowed a longer period

Key point:
Waiting for “full clarity” before escalation is a mistake. Early action matters more than perfect information.


What HR Must Do in the First 24 Hours

This is the most critical window.

Within hours, HR should:

  • Contain further exposure (revoke access, disable shared links, recall or quarantine the offending e-mail where possible)
  • Preserve evidence (access logs, the original e-mail or link, screenshots) before systems are wiped, rebuilt, or auto-expire their logs
  • Identify what data is involved (employee, candidate, sensitive data such as health, financial, or identity documents)
  • Inform Legal, IT/Security, and leadership immediately
  • Demand incident details from vendors (if involved), including their own time of first awareness

Waiting for “complete clarity” is a mistake.


What Happens Between 24–72 Hours

This is the assessment and preparation phase.

HR must work with Legal and Security to:

  • Assess potential harm to individuals
  • Decide whether notification is required
  • Prepare breach summaries and timelines
  • Draft employee or candidate communication (if needed)

The initial intimation to the Board and to affected individuals is due without delay, so it should normally go out as soon as the incident is confirmed as a personal data breach, not at the end of this window. The detailed report to the Board must be filed within 72 hours of becoming aware; ask the Board in writing for more time if, and only if, the facts genuinely cannot be established by then.


When Is Breach Notification Required? (Simple Decision Flow)

Use this logic internally:

Step 1:
Did a personal data breach occur? The Act defines one as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises its confidentiality, integrity, or availability.
→ If no (for example, a blocked phishing e-mail, or a lost laptop that held no personal data), document the assessment and monitor
→ If yes, intimation to the Board and to each affected Data Principal is required; continue

Step 2:
What harm could individuals suffer? (financial, identity, reputational, emotional)
→ This determines what the intimation must say (likely consequences, mitigation taken, safety steps individuals can take) and how urgently individuals are contacted, not whether to notify

Step 3:
Is sensitive personal data involved, or are many individuals affected?
→ If yes, treat it as the top priority: intimate without delay and start the detailed report immediately

Important:
Unlike GDPR, the DPDP Act contains no "unlikely to result in a risk" exemption and no encryption carve-out: every personal data breach is notifiable. Not every security incident is a personal data breach, but every incident needs assessment and documentation so that a "no breach" conclusion can be defended later.


Vendor Breaches Do Not Pause the Clock

If a vendor caused the breach:

  • The clock still applies to you
  • Waiting for the vendor’s internal report is risky
  • Escalation must happen immediately

Under DPDP, the Data Fiduciary remains responsible for compliance in respect of processing done on its behalf by a Data Processor, irrespective of any agreement to the contrary (Section 8(1)). Vendor delay is not a defence; write reporting deadlines measured in hours into vendor contracts so the vendor's clock matches yours.


What HR Should Never Do

❌ Ignore “small” incidents
❌ Assume encryption automatically eliminates risk
❌ Wait for leadership approval before escalation
❌ Let vendors control timelines
❌ Fail to document early actions

Silence and delay worsen exposure more than the breach itself.


A Simple Rule HR Should Remember

If something feels wrong:

  • Escalate immediately
  • Document everything
  • Let Legal decide notification

Speed protects the organisation. Delay exposes it.


1-Page HR SOP: Breach Response Under DPDP

Use this as your internal standard operating procedure.

1. Detect & Flag

  • Any employee can report
  • HR logs the incident immediately, recording the date and time of first awareness (this starts the clock)

2. Contain

  • Revoke access
  • Disable links
  • Secure systems
  • Coordinate with vendors

3. Escalate

  • Inform Legal, IT, leadership
  • Share initial facts (even if incomplete)

4. Assess

  • Type of data
  • Scale of impact
  • Potential harm
  • Vendor involvement

5. Decide

  • Whether the incident is a personal data breach as defined in the Act (if yes, intimation is required)
  • Legal sign-off on the wording of each intimation

6. Notify (if it is a personal data breach)

  • The Data Protection Board of India: initial intimation without delay, detailed report within 72 hours of becoming aware
  • Each affected individual (employee or candidate): without delay, in plain language
  • Internal stakeholders

7. Fix

  • Process gaps
  • Access controls
  • Vendor contracts
  • Training

Final Thought

The 72-hour expectation under DPDP is not about panic – it’s about preparedness and discipline.

HR teams that act early, escalate fast, and document well are far better positioned to protect employees – and the organisation – when something goes wrong.
