Skip to main content

Breach Management

Breach Management Module

The Breach Management Module (BMM) provides Data Fiduciaries (DFs) a unified system to record, assess, and report personal data breaches in compliance with the Digital Personal Data Protection Act (DPDPA), 2023. It automates incident intake, regulatory reporting, and Data Principal notifications while maintaining an auditable trail for compliance.

1. Objectives

  • Quickly record and classify data breaches or security incidents.
  • Generate DPBI-compliant reports and artefacts for manual submission (PDF) or future direct API integration.
  • Provide multi-language breach notifications to affected Data Principals.
  • Maintain comprehensive logs for audits and regulatory inquiries.
  • Enable DFs to show mitigative measures taken after breach disclosure.

2. DPDPA Compliance Context

Under the Act, a Data Fiduciary must notify:

  • The Data Protection Board of India (DPBI) of any personal data breach.
  • The affected Data Principals when their personal data has been compromised, along with remedial measures taken.

Breach notification is mandatory and must be done as soon as possible following discovery.

3. Core Features

FeatureDescription
Incident RecordingCreate an incident entry with breach type, severity, and scope.
DPBI Reporting PDFAutomatically generate a PDF report with all mandatory fields, ready for authorized signature and manual submission.
Future Direct IntegrationPrepare for API-based direct submissions to DPBI when available.
Data Principal NotificationSend breach notifications to affected individuals in 22 languages.
Breach Artefact GenerationProduce digitally signed “personal data breach artefact” with incident details, mitigative actions, and contact information.
Notification LogsMaintain immutable logs of notifications sent for compliance.
Templates & LocalizationPrebuilt templates for breach notices and mitigation advice across languages.
Audit Trail & ReportingTrack all actions taken from breach discovery to closure.

4. Workflow

  1. Create Incident – DF security/privacy officer enters incident details (type, systems affected, estimated impacted individuals).
  2. Assess & Classify – Determine severity, type (data disclosure, unauthorized access, accidental loss), and affected data elements.
  3. Generate DPBI Report – Module compiles details into a DPBI-compliant PDF.
  4. Submit to DPBI – Manually upload or send PDF now; API integration expected in future.
  5. Notify Data Principals – Once DPBI submission is complete and initial investigation done, send breach notifications to affected individuals.
  6. Track Mitigative Measures – Record steps taken to reduce harm, like forced password resets or identity protection services.
  7. Log & Audit – Keep records of all reports, notifications, and updates for compliance audits.

6. DPBI Reporting

Current Process

  • Generate PDF report with mandatory fields:

    • DF name and contact details.
    • Nature of the breach.
    • Categories and approximate number of Data Principals affected.
    • Measures taken or proposed to address the breach.
    • Any other relevant information as prescribed.

  • Authorized officer digitally signs and submits to DPBI manually or via email as mandated.

Future Direct Integration

  • Module prepared to send breach details via secure API to DPBI once integration specs are released.

7. Data Principal Notifications

  • Triggered After DPBI Reporting & Initial Investigation.

  • Notifications include:

    • Nature of breach.
    • Data involved.
    • Steps the Data Principal should take to protect themselves.
    • Mitigative measures DF has taken.
    • Contact point for further information.

  • 22 Languages Supported – Prebuilt translations and templates in English and all major Indian languages.

  • Delivery Channels: Web notification, mobile app notification, CMP Dashboard, Email or SMS notification as required.