Reporting on Personal Data Breach

By Reina Legal

26th February, 2020

The PDPB, 2019 requires a data fiduciary to report any personal data breach that is likely to cause harm to any data principal.

The data fiduciary

  • has to report the breach to the DPA after accounting for the period that may be required to adopt urgent measures to remedy the breach or mitigate any immediate harm.
  • shall provide the information required in the notice to the DPA in phases, without undue delay, where it is not possible to provide all the information at the same time.

Reporting breach incidents

Contents of notice

  1. nature of personal data which is the subject-matter of the breach;
  2. number of data principals affected by the breach;
  3. possible consequences of the breach; and
  4. action being taken by the data fiduciary to remedy the breach.

Penalty

Where the data fiduciary contravenes its obligation to take prompt and appropriate action in response to a data security breach, it shall be liable to a penalty which may extend to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.