As per the DPDPB, 2023, “personal data breach” means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
The DPDPB, 2023 requires the Data Fiduciary to give the Board and each affected Data Principal intimation of such a breach, in such form and manner as may be prescribed.
The data fiduciary and data processors:
- must take reasonable security safeguards
- must notify the data protection board and concerned data principals
Penalty
- When there is a failure to take reasonable security safeguards to prevent a personal data breach, financial penalties of up to Rs. 250 crores can be imposed.
- Failure to notify the Board and affected data principals of a personal data breach can result in a penalty of up to Rs. 200 crores.