Data breaches in India have historically been underreported. There was no law mandating disclosure, no standard for what constituted a notifiable breach, and limited incentive for companies to voluntarily surface incidents that carried reputational risk. The DPDPA 2023 changes this fundamentally. When a breach occurs, the data fiduciary is required to notify both the affected Data Principals and the Data Protection Board — and to do so promptly. The era of quiet remediation without disclosure is over.

The implications for large-scale platforms are significant. A fintech app with 50 million users, a telecom provider, a major e-commerce platform — if any of these suffer a breach affecting personal data, they must individually notify every affected individual. Not a generic announcement on their website. Actual notification to the people whose data was compromised, explaining what happened, what data was involved, and what they should do. At the scale most large Indian platforms operate, this is not a communications task — it is an engineering and operational infrastructure challenge that needs to be designed well in advance of any breach occurring.

Data Breaches

The lesson for business leaders is that breach response planning is now a compliance requirement, not a crisis management option. Every data fiduciary needs a documented incident response protocol that covers detection, containment, Board notification, and individual communication — with clear ownership, timelines, and escalation paths. Companies that build this infrastructure proactively will be able to respond with speed and credibility when something goes wrong. Those that don’t will find themselves scrambling under legal obligation, which is the worst possible context in which to build a notification system for millions of people.
