Personal Data Breach Framework 

Did you know? 

What is the personal data breach framework under the Digital Personal Data Protection Act and Rules?

Key Definitions  

Personal data breach is defined as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. 

Board means the Data Protection Board of India established by the Central Government. 

Obligations for businesses 

  1. To prevent data breach:  

Protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. 

  2. On data breach:

Notifying the affected Individuals 

Promptly notify all affected individuals, in a concise, clear and plain manner, through their user account or any registered mode of communication, of the following:

  1. description of the breach, including its nature, extent and the timing of its occurrence;  
  2. the consequences that are likely to arise from the breach;  
  3. the measures implemented and being implemented;  
  4. the safety measures that one may take; and  
  5. business contact information of a person who can respond to the queries. 

Notifying the Board 

  1. Immediately: description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;  
  2. Within 72 hours:  
     1. updated and detailed information in respect of such description;  
     2. the broad facts related to the events, circumstances and reasons leading to the breach;  
     3. measures implemented or proposed, if any, to mitigate risk;  
     4. any findings regarding the person who caused the breach;  
     5. remedial measures taken to prevent recurrence of such breach; and  
     6. report regarding the intimations given to affected individuals. 

Powers of the Board 

  • Direct remedial or mitigation measures  
  • Initiate inquiry 
  • Impose penalty up to 250 Crore