As per the DPDPB, 2022, “personal data breach” means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data
The DPDPB, 2019 necessitates reporting personal data breach by data fiduciary, likely to cause harm to any data principal.
The data fiduciary and data processors
- must take reasonable security safeguards
- must notify the data protection board and concerned data principals
Penalty
- When there is a failure to take reasonable security safeguards to prevent personal data breach, financial penalties up to Rs. 250 crores can be imposed.
- Failure to notify the Board and affected data principals of a personal data breach can result in a penalty up to Rs. 200 crores.