According to an unreleased version of the draft Digital Personal Data Protection (DPDP) rules, any platform processing the personal data of users, whether a private or government entity, must immediately notify the Data Protection Board (DPB), an adjudicating body set up under the DPDP Act, of any data breach.

As per the draft rules, the details that a platform will need to communicate to the DPB, on a best-effort basis, should include a description of the breach, the date and time when the platform became aware of the breach, the location of the breach, its extent, and potential impact. These details are included in a version of the draft DPDP rules currently circulating internally among various sectors of industry and governance. The rules will define the DPDP Act’s parameters.

Further, within 72 hours of the data breach, a platform will also have to inform the DPB of more details regarding the incident, including broad facts related to the breach, circumstances and reasons which led to the security incident. These reporting mechanisms will be digital in nature, and a platform can submit such details through the DPB’s website.

The Ministry of Electronics and Information Technology (MeitY) recently held a consultation meeting with the industry on the draft DPDP rules. During the meeting, the government conveyed to the industry that it intends to release the rules soon and, after a brief consultation period, notify them by January 2024.