Under the Digital Personal Data Protection (DPDP) Act, 2023, a data breach is not just hacking.
For HR teams, many everyday mistakes already qualify as reportable breaches – even if no bad intent was involved.
This guide explains what actually counts as a data breach, using simple, real HR scenarios.
First, the Definition
A personal data breach under DPDP means:
Any unauthorised access, disclosure, alteration, loss or destruction of personal data.
If employee or candidate data is:
- Seen by the wrong person
- Shared without purpose
- Lost, leaked or misused
👉 It’s a data breach.
What Counts as a Data Breach: HR Scenarios
1. Email & Messaging Mistakes
✔ Sending salary sheets to the wrong employee
✔ Accidentally CC’ing candidates instead of BCC
✔ Sharing Aadhaar / PAN on WhatsApp without safeguards
Why this is a breach:
Unauthorised disclosure – intent doesn’t matter.
2. Vendor-Related Breaches
✔ BGV agency leaking candidate documents
✔ HRMS vendor retaining ex-employee data indefinitely
✔ Payroll vendor using data beyond contract purpose
Important:
Under DPDP, vendor mistakes come back to you.
3. Access Control Failures
✔ Former HR employee still has system access
✔ Interns accessing full employee databases
✔ Shared login credentials across the team
DPDP view:
“Trusted employees” ≠ authorised access.
4. Lost or Exposed Devices
✔ HR laptop stolen without encryption
✔ Excel files stored on personal devices
✔ Google Drive folders shared publicly by mistake
Loss of control = breach.
5. Improper Data Retention
✔ Keeping resumes “just in case”
✔ Storing medical records longer than required
✔ No deletion after exit or contract closure
Excess retention is also non-compliance.
6. Rights Request Failures
✔ Ignoring employee deletion requests
✔ Vendor unable to delete data on instruction
✔ No way to retrieve or correct personal data
Failure to honour rights can trigger breach obligations.
Breach vs Non-Breach: Common HR Scenarios Explained
| Scenario | Breach under DPDP? | Why |
|---|---|---|
| Salary slip sent to the wrong employee | ✅ Breach | Unauthorised disclosure of personal data |
| Candidate CV shared internally for a different role (without consent) | ✅ Breach | Purpose limitation violated |
| HR laptop stolen, but disk is encrypted and access revoked immediately | ❌ Usually not a breach | Data not accessible or exposed |
| Excel file with employee data uploaded to public Google Drive by mistake | ✅ Breach | Loss of access control |
| BGV vendor leaks candidate documents | ✅ Breach (HR still liable) | Vendor acts as data processor |
| Employee resigns but their data remains in HRMS beyond retention policy | ⚠️ Compliance risk | Excessive retention |
| Internal HR report accessed only by authorised HR members | ❌ Not a breach | Authorised access |
| Former HR employee still has system access | ✅ Breach risk | Unauthorised access |
| Encrypted backup lost, but encryption keys remain secure | ❌ Likely not a breach | Data not usable |
Rule of thumb for HR:
If you have to ask “Is this a breach?”, treat it as a potential breach risk until it has been assessed.
What Does NOT Matter Under DPDP
❌ Whether data was misused
❌ Whether damage occurred
❌ Whether it was accidental
Only one question matters:
Was personal data compromised or mishandled?
What HR Must Do When a Breach Happens
At a minimum, HR teams should:
- Identify what data was affected
- Contain further exposure
- Inform internal stakeholders immediately
- Coordinate with vendors (if involved)
- Prepare for notification if required
Silence or delay can worsen liability.
1-Page HR Data Breach Checklist (DPDP-Ready)
Use this immediately when something goes wrong.
Step 1: Identify
☐ What personal data was involved? (employee, candidate, vendor)
☐ How many individuals are affected?
☐ Was sensitive data involved? (Aadhaar, PAN, health, bank details)
☐ Who discovered the incident and when?
Step 2: Contain
☐ Stop further access or sharing
☐ Disable compromised accounts
☐ Revoke links / permissions
☐ Coordinate with vendor (if involved)
Step 3: Assess Risk
☐ Was data accessed by an unauthorised person?
☐ Can the data be misused?
☐ Is there potential harm to individuals?
☐ Does this meet DPDP breach notification thresholds?
Step 4: Document Everything
☐ Incident description
☐ Timeline of events
☐ Data categories affected
☐ Actions taken
☐ Vendor involvement (if any)
Documentation matters even if you don’t notify.
Step 5: Escalate Internally
☐ Inform Legal / Compliance
☐ Inform IT / Security
☐ Inform senior HR leadership
☐ Engage vendor formally if they caused the breach
Step 6: Prepare for Notification (If Required)
☐ Draft breach summary
☐ Identify affected individuals
☐ Prepare employee communication
☐ Align with legal advice
Step 7: Fix the Root Cause
☐ Update access controls
☐ Fix process gaps
☐ Update vendor controls / DPA clauses
☐ Train HR team on learnings
Final Thought for HR Teams
Under DPDP:
- Accidental disclosures still count
- Vendor failures still count
- Internal lapses still count
The difference between panic and control during a breach is preparation.
HR teams that understand breach scenarios and follow a clear checklist are far better positioned to protect both employees and the organisation.