Any unauthorised processing, accidental disclosure, acquisition, sharing, or loss of personal data.
A personal data breach under DPDPA means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability. This covers both external attacks (hacking, ransomware) and internal incidents (accidental email to wrong recipient, lost laptop). The definition is deliberately broad to ensure comprehensive protection.
A data breach triggers a mandatory 72-hour notification to the Data Protection Board and affected Data Principals. Failure to notify attracts penalties up to Rs 200 crore, separate from the underlying breach penalty.
An Ahmedabad logistics startup discovers an engineer accidentally exposed a customer database via a misconfigured S3 bucket for 48 hours. Even if no malicious access is confirmed, this constitutes a breach requiring Board notification within 72 hours.
A breach does not require malicious intent or confirmed data theft. Accidental exposure — even for minutes — with no evidence of access still constitutes a notifiable breach under DPDPA.