Under the DPDP Act 2023, a data fiduciary that suffers a personal data breach must intimate both the Data Protection Board and every affected data principal. The Act itself fixes no time limit; the Rules framed under it require the intimation to affected data principals and an initial intimation to the Board without delay, and a detailed report to the Board within 72 hours of the fiduciary becoming aware of the breach (or a longer period the Board allows on written request). For a lending institution managing hundreds of thousands of borrower records, a breach event, however it occurs, triggers a multi-system investigation, a legal assessment, a regulatory notification, and individual borrower communications simultaneously. The DPO AI runs the entire playbook from the moment a breach is detected.
What Constitutes a Reportable Breach Under the DPDP Act
The Act defines a personal data breach broadly: any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity or availability of that data. For lenders, the breach scenarios that occur most frequently are not dramatic cyberattacks but operational incidents: a loan statement sent to the wrong email address, a collection agent sharing a borrower's account details with an unauthorised third party, a vendor data export containing unmasked PAN numbers, a CBS access control failure exposing records to the wrong user group.
The Act attaches no severity, data-type or headcount threshold to the duty to intimate: any event that meets the definition must be reported. The determination the playbook has to make, correctly and quickly, is therefore twofold: whether the event actually compromised personal data (a misconfiguration corrected before anyone used it may not have), and, if it did, how large the response must be. That determination is the first critical function of the DPO AI's incident playbook. Getting it wrong in either direction carries consequences: failing to intimate a genuine breach is a regulatory violation; treating a non-event as a breach creates operational disruption and reputational exposure.
Breach Severity Classification: The First 30 Minutes
The DPO AI classifies every detected or reported breach event across three severity tiers within 30 minutes of initial detection. This classification drives everything that follows — who is notified, what the investigation scope is, whether regulatory reporting is mandatory, and what the borrower communication approach is.
Large-Scale Breach of Sensitive Personal Data — Mandatory Report
DPB notification: initial intimation without delay, detailed report within 72hrs · Borrower notification: without delay
Unauthorised access to financial data, identity documents, or health/biometric data affecting 100+ individuals. Ransomware or systematic exfiltration. Any breach involving Aadhaar, PAN, bank account details, or credit scores at scale.
Targeted or Limited Breach — Reportability Assessment Required
DPO determination of whether personal data was actually compromised: within 12hrs · If it was, intimation is mandatory and the 72hr clock has been running since the moment of awareness, not since the determination
Wrongful disclosure of personal data to another borrower. Vendor data handling failure affecting <100 individuals. Unauthorised internal access to borrower records without evidence of exfiltration. Collection agent misconduct involving personal data.
Minor Incident — Remediation Required, Logged Regardless
Internal resolution: within 48hrs · Documented in breach register · Intimated if the data was in fact exposed
Single misdirected communication containing non-sensitive data (a small response, but still a breach under the Act's definition if the recipient could read it, and so still intimated). Temporary access control misconfiguration corrected before any access occurred, which on the Act's definition does not compromise the data; the evidence that no access took place is what keeps it outside the notification regime, so it is preserved with the register entry. Isolated system error with no evidence of data access. All incidents logged regardless of severity.
The 72-Hour Incident Timeline: What Happens When
The 72-hour clock under the DPDP Act is the most operationally demanding compliance obligation a lender faces in a breach scenario. The DPO AI runs a parallel workstream architecture — investigation, legal assessment, regulatory notification, and borrower communication all proceed simultaneously, not sequentially.
Detection, Classification & Immediate Containment
Breach detected (by SIEM alert, employee report, or third-party notification). DPO AI classifies severity in under 30 minutes. For Severity 1: system isolation actions triggered in coordination with IT security. CRO, CEO, Legal, and Board Chair notified simultaneously. 72-hour clock logged with the awareness timestamp as its start; the clock runs from awareness, not from the end of classification. If the incident is of a type that CERT-In's April 2022 directions require to be reported, the 6-hour CERT-In deadline also starts here and is the binding one, well inside the DPDP window.
Scope Determination & Affected Borrower Identification
DPO AI queries all affected systems to determine the precise scope: which borrowers were affected, what categories of personal data were exposed, what the likely cause was, and what evidence of misuse exists. A breach impact assessment document is generated with all findings — this becomes the factual basis for both the regulatory notification and borrower communications.
DPB Notification Draft & Borrower Communication Prepared
DPO AI drafts the Data Protection Board notification in the prescribed format: nature of the breach, categories and approximate number of data principals affected, likely consequences, measures taken. In parallel, individualised borrower notifications are generated — each specific to the data affected for that borrower, not a generic mass communication. Both are reviewed by human DPO and Legal before dispatch.
Regulatory Filing, Borrower Notification & Remediation Execution
Detailed DPB report filed by Hour 48 to preserve buffer against the 72-hour limit (the initial intimation to the Board has already gone out without delay). Borrower notifications dispatched via registered channels as soon as the affected list is final, since the Rules require that intimation without delay rather than within a 72-hour window, with specific guidance on protective actions borrowers should take. Remediation workflow (system patches, access control corrections, vendor termination if applicable) executed in parallel. Full incident report compiled for board and insurance notification.
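The triage tiers and the parallel clocks above are easier to reason about as code. The following is an added illustration written for this page, not the DPO AI's own logic, and the category labels, field names and the sample incident are constructed assumptions. It encodes the three tiers, separates "no compromise, so no breach" from "small breach, still intimated", derives every deadline from the single awareness timestamp, and shows that a CERT-In reportable incident has a 6-hour clock sitting inside the 72-hour DPDP one.

```python
"""Breach triage and deadline tracker for a DPDP incident playbook (illustrative, not the product's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

IST = timezone(timedelta(hours=5, minutes=30))

# Categories the page treats as sensitive for a lender; the label set is an assumption.
SENSITIVE = {"aadhaar", "pan", "bank_account", "credit_score",
             "identity_document", "health", "biometric"}


class Tier(Enum):
    SEV1 = "large-scale breach of sensitive personal data"
    SEV2 = "targeted or limited breach"
    SEV3 = "minor incident"
    NOT_A_BREACH = "no compromise of confidentiality, integrity or availability"


@dataclass(frozen=True)
class Incident:
    incident_id: str
    aware_at: datetime          # tz-aware moment the fiduciary became aware
    data_categories: frozenset  # e.g. frozenset({"pan", "email"})
    affected_count: int
    exfiltration_evidence: bool
    data_compromised: bool      # False only if corrected before any access occurred
    cert_in_reportable: bool    # incident type listed in CERT-In's 2022 directions


def classify(inc: Incident) -> Tier:
    """Map incident facts to the page's three tiers.

    The tier scales the response; it does not decide reportability. The Act
    sets no headcount or data-type threshold, so every event that actually
    compromised personal data is intimated. Only a no-compromise event falls out.
    """
    if not inc.data_compromised:
        return Tier.NOT_A_BREACH
    sensitive = bool(inc.data_categories & SENSITIVE)
    if inc.exfiltration_evidence or (sensitive and inc.affected_count >= 100):
        return Tier.SEV1
    if sensitive or inc.affected_count > 1:
        return Tier.SEV2
    return Tier.SEV3


def deadlines(inc: Incident) -> dict:
    """Every clock, keyed by filing. All start at awareness, not at classification."""
    t0 = inc.aware_at
    clocks = {
        "dpb_initial_intimation": t0,                         # Rules: without delay
        "data_principal_intimation": t0,                      # Rules: without delay
        "internal_filing_target": t0 + timedelta(hours=48),   # page's 48-hour buffer
        "dpb_detailed_report": t0 + timedelta(hours=72),      # Rules: 72 hours
    }
    if inc.cert_in_reportable:
        clocks["cert_in_report"] = t0 + timedelta(hours=6)    # CERT-In directions, 2022
    return clocks


def overdue(inc: Incident, filed: set, now: datetime) -> list:
    """Filings whose deadline has passed and which are not in `filed`, earliest first."""
    late = [(t, name) for name, t in deadlines(inc).items()
            if name not in filed and t < now]
    return [name for _, name in sorted(late)]


def register_entry(inc: Incident) -> dict:
    """Breach-register line, written for every tier including NOT_A_BREACH."""
    return {"incident_id": inc.incident_id,
            "tier": classify(inc).name,
            "aware_at": inc.aware_at.isoformat(),
            "deadlines": {k: v.isoformat() for k, v in deadlines(inc).items()}}


# Constructed sample: a vendor export with unmasked PAN for 150,000 borrowers,
# of a type that is also CERT-In reportable, noticed at 09:15 IST on 3 March 2025.
EXPORT_LEAK = Incident("INC-0001", datetime(2025, 3, 3, 9, 15, tzinfo=IST),
                       frozenset({"pan", "name", "mobile"}), 150_000,
                       exfiltration_evidence=False, data_compromised=True,
                       cert_in_reportable=True)

if __name__ == "__main__":
    print(register_entry(EXPORT_LEAK))
    # Seven hours in, with only the two "without delay" intimations sent:
    print(overdue(EXPORT_LEAK, {"dpb_initial_intimation", "data_principal_intimation"},
                  EXPORT_LEAK.aware_at + timedelta(hours=7)))
```

Run seven hours after awareness with only the two immediate intimations sent, the overdue list contains just `cert_in_report`: the 72-hour clock is still comfortably open, but the 6-hour one has already lapsed, which is the case the page's single 72-hour framing hides.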
The Playbook Checklist: Four Phases, Zero Gaps
Detection, Classification & Immediate Containment
- Breach classified by severity within 30 mins
- 72-hour clock started from the awareness timestamp and logged
- CERT-In report filed within 6 hours if the incident type requires it
- Affected systems identified and isolated
- IT security, DPO, Legal, CRO notified
- Evidence preservation initiated
- Breach register entry opened
Scope Determination & Affected Borrower Identification
- Affected borrower list compiled from all systems
- Data categories exposed enumerated
- Misuse evidence assessed (dark web, fraud signals)
- Determination by DPO that personal data was, or was not, compromised
- Impact assessment document finalised
- Board notified with preliminary findings
DPB Notification Draft & Borrower Communication Prepared
- Initial intimation to DPB sent without delay
- Detailed DPB report drafted in prescribed format
- Individual borrower notifications personalised
- Legal & DPO review of all notification text
- Detailed DPB report filed by Hour 48
- Borrower notifications dispatched with evidence
Regulatory Filing, Borrower Notification & Remediation Execution
- Root cause analysis completed
- System patches and access controls corrected
- Third-party processor remediation tracked
- Preventive measures implemented & documented
- Full incident report filed for board & insurer
- Post-incident review scheduled at Day 30
The DPB Notification Document the AI Generates
The Data Protection Board notification is not a form — it is a structured legal document that must contain specific information in a prescribed format. The DPO AI generates the complete draft, populated with the findings from the breach assessment, within 12 hours of breach detection. This is not a template with blanks to fill — it is a fully drafted document based on the actual facts of the incident, ready for human DPO and Legal review before filing.
The notification document covers the nature and circumstances of the breach, the categories of personal data affected and the approximate number of data principals involved, the likely consequences of the breach for affected individuals, the technical and organisational measures taken or proposed to address it, and the contact details of the DPO. It is reviewed, signed, and filed — not assembled under deadline pressure from scratch.
For borrower notifications, the DPO AI generates an individual letter for each affected borrower that specifies precisely what data about them was involved in the breach, what the institution has done to contain it, what protective steps the borrower should consider, and how to contact the DPO if they have concerns. No affected borrower receives a generic mass mail. Each communication is specific, credible, and legally adequate.
The Breach Response That Protects the Institution Is the One That Runs on Time
The DPDP Act's breach notification regime is not punitive by default — regulators recognise that breaches occur even in well-governed institutions. What they penalise is the failure to respond appropriately. An institution that notifies the Data Protection Board within 48 hours with a complete, accurate, and well-structured notification — and simultaneously notifies every affected borrower with personalised guidance — has demonstrated exactly the standard of governance the Act is designed to reward. The DPO AI makes that standard achievable at any scale, for any breach, on any day.
