ShieldSync
← Back to blog
ComplianceJul 8, 2026· 12 min

DPDP Rules Are Final: A CISO's Playbook for One Breach and Four Reporting Clocks

The DPDP Rules were gazetted on 13 November 2025 with a phased runway to May 2027 — and for anyone RBI- or SEBI-regulated, DPDP is your fourth breach regime, not your first. Here is the CISO view: the exact obligations, the four reporting clocks, where DPDP collides with RBI's data rules, and a 90-day plan.

DPDP Rules Are Final: A CISO's Playbook for One Breach and Four Reporting Clocks

On 13 November 2025 the Digital Personal Data Protection Rules, 2025 were notified in the Gazette (G.S.R. 846(E)), and the DPDP Act, 2023 began entering into force in phases the same day. That ended two years of 'wait for the rules' — the obligations, the deadlines and the penalty schedule are now law with dates attached. If you are the CISO of a bank, NBFC, fintech, broker or any company that already answers to RBI, SEBI or CERT-In, the strategic point is this: DPDP is not your first data-incident regime. It is your fourth. And its clocks do not replace the others — they stack on top of them.

Plenty has been written about DPDP for startups and SaaS teams (including on this blog). This piece is the regulated-entity view: what actually commences when, which obligations land on the security organisation rather than legal, how the reporting clocks interact, and where DPDP collides with the RBI rulebook you already live under.

Where DPDP actually stands (as of July 2026)

The Rules commence in three phases. Knowing which phase you are in decides whether you are building or already exposed.

  • In force since 13 November 2025: definitions and the Data Protection Board machinery (Rules 17–21). The Board — an all-digital adjudication body whose orders are appealable to TDSAT — is legally established. The enforcement engine exists; the substantive duties have not switched on yet.
  • 13 November 2026: Rule 4 and the First Schedule — registration and obligations of Consent Managers (India-incorporated, ₹2 crore minimum net worth, blind pass-through design, consent records kept at least 7 years).
  • 13 May 2027: everything that matters to you — Rules 3, 5–16, 22 and 23. Notice and consent, security safeguards, breach intimation, retention and erasure, children's data, Significant Data Fiduciary duties, data-principal rights, cross-border conditions.

Do not plan to May 2027. At a January 2026 stakeholder consultation MeitY proposed advancing the Significant Data Fiduciary obligations — including the localisation and cross-border rules — to November 2026. No amending notification has been gazetted yet, but the direction of travel is clear, and consent-manager infrastructure is being operationalised through mid-2026. Treat November 2026 as your internal readiness date.

The obligations that land on the CISO's desk

Section 8(5) of the Act requires 'reasonable security safeguards to prevent personal data breach'. Rule 6 turns that phrase into a concrete floor — and it reads like an audit checklist aimed directly at the security function:

  • Encryption, obfuscation, masking or virtual tokens for personal data
  • Access control over the computer resources that touch it
  • Visibility: logs, monitoring and review sufficient to detect and investigate unauthorised access
  • Continuity: backups that survive a confidentiality, integrity or availability compromise
  • Retention of logs and the personal data itself for one year, specifically to enable breach detection and investigation (unless another law says otherwise)
  • Contract clauses binding every Data Processor to equivalent safeguards
  • Appropriate technical and organisational measures overall

Breach notification under Rule 7 is dual-track, and the first track has no materiality threshold. Affected users must be informed 'without delay' — in plain language, through their account or registered contact — of the nature, extent and timing of the breach, its likely consequences for them, what you are doing about it, and whom to contact. In parallel, the Data Protection Board gets an initial intimation without delay, then a detailed report within 72 hours: circumstances and causes, mitigation implemented, findings on the person responsible, remediation to prevent recurrence, and a report of the user intimations you sent. Every breach, every affected user — there is no 'low-risk, skip the notice' carve-out like GDPR's.

Retention gets specific for large platforms. Under Rule 8 and the Third Schedule, e-commerce entities and social media intermediaries with 2 crore or more registered Indian users, and online gaming intermediaries with 50 lakh, must treat the purpose as spent three years after the user's last interaction — and erase. Users must be warned at least 48 hours before erasure. Separately, Section 6(10) puts the burden of proving notice and valid consent on you in any proceeding — which quietly makes consent and notice logging a security-engineering artifact, not a legal formality.

Finally, watch the Significant Data Fiduciary designation under Section 10. The Central Government notifies SDFs based on data volume and sensitivity, risk to individuals, and national-interest factors — no list exists yet, but large financial entities are obvious candidates. SDF status brings an India-based DPO answerable to the board, an independent data auditor, an annual DPIA plus audit with significant observations reported to the Data Protection Board, documented due diligence that your algorithmic systems do not endanger data-principal rights — and, under Rule 13(4), a hard localisation requirement for categories of personal and traffic data the government specifies.

One breach, four clocks

Picture a payment-adjacent fintech discovering customer data exfiltration at 09:00 on a Tuesday. Here is who is owed what, by when:

  • CERT-In — 6 hours from noticing. The April 2022 Directions (under s.70B IT Act) cover 20 incident types including 'data breach' and 'data leak' explicitly, regardless of severity. Supporting duties: 180-day rolling logs of all ICT systems, stored within India, and a designated point of contact. The fine for non-compliance was raised to ₹1 crore by the Jan Vishwas Act, 2023.
  • RBI — 2 to 6 hours for banks under the 2016 Cyber Security Framework's incident-reporting annex; and if the incident originates at your IT service provider, the 2023 Master Direction on IT Outsourcing requires the provider to tell you without undue delay and you to tell RBI within 6 hours of the provider's detection.
  • SEBI — for its regulated entities, the CSCRF (August 2024) requires CERT-In-category incidents to be notified to both SEBI and CERT-In within 6 hours, details filed on SEBI's incident portal within 24 hours, and a quarterly incident report within 15 days of quarter end.
  • Data Protection Board and your users — from full DPDP commencement: users without delay, Board initial intimation without delay, detailed Board report within 72 hours.

The operational answer is one intake, many outputs. Run a single incident-classification workflow whose output fans into pre-drafted, regulator-specific templates. The 6-hour clocks dictate your triage SLA — classification and first notifications must be achievable inside a quarter of a working day, around the clock. The 72-hour clock dictates your forensics depth — root cause, responsible party, remediation and proof of user notification, documented in three days.

Where DPDP collides with the RBI rulebook

DPDP's cross-border baseline is permissive: transfers are allowed to any country not on a government blacklist. But Section 16(2) explicitly preserves any sectoral law that is stricter — which means RBI's regime keeps governing. The April 2018 circular on Storage of Payment System Data (DPSS.CO.OD No.2785) still requires end-to-end payment data to be stored only in India; RBI's own FAQs add that domestic transactions follow a one-copy rule with no copies abroad, and that processing overseas is permitted only if the data is deleted from foreign systems and repatriated within one business day or 24 hours of processing, whichever is earlier. Rule 13(4) then adds a second localisation layer for whatever data categories get specified for SDFs. For a payments CISO, the stack reads: RBI localisation now, DPDP blacklist screening at commencement, SDF localisation if designated.

The second collision is third-party risk, and it is actually a convergence you can exploit. RBI's IT Outsourcing Master Direction already forces confidentiality clauses, breach liability, no-commingling in shared infrastructure, India-storage where applicable, audit rights, and secure data destruction on exit. DPDP Rule 6(1)(f) requires contractually binding every Data Processor to equivalent security safeguards. One well-drafted processor addendum — safeguards floor, breach-notification SLA feeding your 6-hour clocks, retention and destruction, audit rights — satisfies both regimes at once. The 2022 Digital Lending Guidelines complete the picture for lenders: need-based data collection with explicit consent, no storage of biometrics, and data held on servers located in India.

The penalty math

  • Up to ₹250 crore — failure of reasonable security safeguards (s.8(5))
  • Up to ₹200 crore — failure to notify the Board or affected users of a breach (s.8(6))
  • Up to ₹200 crore — children's-data violations (s.9)
  • Up to ₹150 crore — breach of Significant Data Fiduciary obligations (s.10)
  • Up to ₹50 crore — residual violations of the Act or Rules

These are per-provision and they stack: one incident with weak safeguards and a late notification is exposure under two heads — ₹450 crore of theoretical ceiling — before RBI supervisory action and CERT-In's ₹1 crore are counted. Two levers reduce it. Section 33(2) makes the Board weigh gravity, duration, mitigation and cooperation — meaning your evidence trail of controls, response speed and user notification is literally the mitigation. And Section 32 allows a voluntary undertaking that can bar proceedings — an option that only exists if you detect and move first.

Your next 90 days

  • Map the personal data estate: systems, flows, processors, and which entity in your group is the Data Fiduciary for each purpose. Without this, nothing downstream is credible.
  • Run a Rule 6 gap assessment mapped onto controls you already operate for ISO 27001 or RBI's cyber framework — most regulated entities find 60–70% coverage exists; the usual gaps are the one-year log-and-data retention and processor-contract clauses.
  • Build the unified breach runbook: one classification workflow, four output templates (CERT-In, RBI, SEBI where applicable, Board-plus-users), owners and comms channels named. Then tabletop it against the 6-hour clocks — including at 2 a.m.
  • Design consent and notice logging as an engineering requirement: immutable, queryable records of what was shown, what was consented, and when it was withdrawn. Section 6(10) makes this your evidence in any proceeding.
  • Reconcile retention: CERT-In wants 180-day logs in India, DPDP Rule 6 wants one year of logs and data for breach investigation — adopt the stricter clock once, everywhere.
  • Refresh processor contracts with a single addendum covering DPDP Rule 6(1)(f) and RBI outsourcing clauses together, including a breach-notification SLA short enough to protect your own 6-hour obligations.
  • Track the SDF acceleration: if the November 2026 advancement is gazetted, DPIA, independent audit and localisation readiness move from 'next year's budget' to 'this year's'. Inventory today which of your data flows would break under Rule 13(4) localisation.

The uncomfortable truth in most DPDP conversations: for a regulated entity this is not a privacy project bolted onto legal — it is an integration project on top of the security controls, incident machinery and contracts you already run for RBI, SEBI and CERT-In. Done right, one control set serves four regulators. ShieldSync runs exactly these readiness assessments — DPDP obligations mapped against your existing RBI and ISO 27001 control base, with the gap list and the breach-clock runbook as deliverables.

Learn it by doing

Pick your track and launch a hands-on lab in a real, isolated environment.

24 people viewing now