72 Hours to Report a Breach: Why Most Organizations Still Get It Wrong
Author: EzSecure ai | Published On: 08 May 2026
Most organizations have a breach response plan somewhere. It is probably a PDF, it is probably from 2022, and it has probably never been tested. That is not a plan. That is a liability waiting to surface at the worst possible time.
This blog is about what a real breach response looks like under India's DPDP Act and Europe's GDPR. Not the theory. The actual steps, the actual roles, and the part nobody talks about: why your response is only as good as how well you know your own data.
Why Most Breach Plans Fall Apart on Day One
Walk into most organizations and you will find three things: a written policy, no assigned roles, and zero practice. The policy checks the compliance box. But when an actual incident hits, the team freezes because nobody has ever walked through it together.
The second failure is more technical. A breach response requires you to answer very specific questions very quickly. What data was exposed? Whose data was it? How many records? What categories? Organizations that cannot answer those questions in hours spend days guessing. And every hour of guessing adds to their regulatory exposure.
What DPDP and GDPR Require When a Breach Occurs
Both laws impose real deadlines. Under GDPR, organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a breach. Under India's DPDP Act, draft rules indicate a similar window for notifying the Data Protection Board. These clocks start the moment your organization becomes aware, not when your legal team is ready.
The notification cannot be vague. Regulators require the nature of the breach, the categories of personal data involved, the estimated number of individuals affected, the likely consequences, and the steps being taken. That level of specificity comes from preparation, not from scrambling under pressure.
One thing Indian companies with European customers often overlook: if your organization processes data of EU residents, GDPR applies to you alongside DPDP. That means two parallel notification processes within the same 72-hour window.
A Five-Phase Breach Response Framework That Holds Up Under Pressure
The First Hour Is About Clarity, Not Speed
The instinct in Phase 1 is to move fast. But moving fast without direction makes things worse. The first 60 minutes should be about getting the right people into a room, issuing an initial containment directive, and starting a timestamped incident log. Every action, every decision, every call made during a breach becomes part of your regulatory record.
Phase 2 Is Where Data Visibility Becomes Everything
Containment requires knowing what was on the compromised system. Notification requires knowing whose data was involved. You cannot produce either without having already done the work of mapping and classifying your sensitive data. Organizations that have done this work answer the Phase 2 questions in hours. Organizations that have not done it spend days guessing and filing incomplete notifications.
The questions your team must answer in Phase 2 are straightforward on paper. What categories of personal data were stored in the affected system? Approximately how many individuals are affected? Was data encrypted? Is there evidence of actual exfiltration? If your data environment is uncharted, none of those questions have quick answers.
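The following is an added example, not code from EzSecure ai or from the post, showing what "having already mapped your data" buys you in Phase 2: a small inventory of systems and datasets (constructed, with hypothetical system names such as `crm-prod` and `hr-db`) is enough to answer the four Phase 2 questions for a given compromised system in one call, compute the 72-hour deadline from the moment of awareness, and keep the timestamped Phase 1 incident log. Everything in it, including `INVENTORY`, `phase2_facts`, `IncidentLog` and `draft_notification`, is an assumption of this example rather than anything the post prescribes.

```python
"""Phase 2 breach triage from a pre-built data inventory (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)  # GDPR outer limit; the post treats DPDP as similar


@dataclass(frozen=True)
class DataAsset:
    """One dataset on one system, as recorded during data mapping/classification."""
    system: str
    dataset: str
    categories: frozenset       # personal-data categories held; empty = no personal data
    record_count: int           # individuals represented in this dataset
    encrypted_at_rest: bool
    eu_residents: bool          # does the dataset include EU residents' data?


# Constructed sample inventory; hypothetical system and dataset names.
INVENTORY = [
    DataAsset("crm-prod", "customer_profiles", frozenset({"name", "email", "phone"}), 120_000, True, True),
    DataAsset("crm-prod", "support_tickets", frozenset({"email", "ticket_text"}), 450_000, False, True),
    DataAsset("hr-db", "employee_records", frozenset({"name", "pan", "bank_account"}), 2_300, True, False),
    DataAsset("analytics", "clickstream", frozenset(), 9_000_000, False, True),
]

# Constructed awareness time: when the organization learned of the incident.
AWARE_AT = datetime(2026, 5, 8, 9, 0, tzinfo=timezone.utc)


def notification_deadline(aware_at: datetime) -> datetime:
    """The regulator clock runs from awareness, not from when legal is ready."""
    if aware_at.tzinfo is None:
        raise ValueError("record awareness time with an explicit timezone")
    return aware_at + NOTIFY_WINDOW


def phase2_facts(compromised_systems, inventory=INVENTORY) -> dict:
    """Answer the Phase 2 questions for the listed systems from the inventory."""
    compromised = set(compromised_systems)
    known = {a.system for a in inventory}
    hit = [a for a in inventory if a.system in compromised and a.categories]
    categories = set()
    for a in hit:
        categories |= a.categories
    counts = [a.record_count for a in hit]
    return {
        "categories": sorted(categories),
        # Datasets may overlap in individuals, so report a range, not a falsely precise total.
        "individuals_lower": max(counts, default=0),
        "individuals_upper": sum(counts),
        "unencrypted_datasets": sorted(a.dataset for a in hit if not a.encrypted_at_rest),
        "gdpr_applies": any(a.eu_residents for a in hit),
        # Systems absent from the inventory are the "uncharted" case: nothing can be
        # said about them without manual discovery, which is what burns the 72 hours.
        "uncharted_systems": sorted(compromised - known),
    }


class IncidentLog:
    """Append-only, UTC-timestamped record of actions and decisions (Phase 1)."""

    def __init__(self):
        self._entries = []

    def record(self, actor: str, action: str, at=None) -> dict:
        stamp = at or datetime.now(timezone.utc)
        entry = {"at": stamp.isoformat(), "actor": actor, "action": action}
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        return list(self._entries)  # a copy, so callers cannot rewrite history


def draft_notification(aware_at, compromised_systems, nature, inventory=INVENTORY) -> dict:
    """Skeleton of the regulator notification; fields the inventory cannot fill are marked."""
    facts = phase2_facts(compromised_systems, inventory)
    return {
        "nature_of_breach": nature,
        "categories_of_personal_data": facts["categories"],
        "estimated_individuals": f"{facts['individuals_lower']}-{facts['individuals_upper']}",
        "likely_consequences": "TBD: assess from categories and encryption status",
        "measures_taken": "TBD: fill from incident log",
        "deadline_utc": notification_deadline(aware_at).isoformat(),
        "gaps": facts["uncharted_systems"],
    }


if __name__ == "__main__":
    log = IncidentLog()
    log.record("IR lead", "initial containment directive issued", AWARE_AT)
    print(draft_notification(AWARE_AT, ["crm-prod"], "credential theft on CRM host"))
```

The inventory lookup is the whole point: with it, the categories, the affected-individual range, the unencrypted datasets and whether GDPR applies alongside DPDP fall out immediately, and the one thing left to chase is any compromised system that the inventory never recorded.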
Notification Must Be Accurate, Not Just Fast
Both DPDP and GDPR require accurate notifications. An incomplete or misleading notification triggers additional scrutiny. In Phases 3 and 4, your legal and privacy teams should be drafting regulator notifications in parallel, not waiting for one to complete before starting the other. Individual notification under GDPR is required where the breach creates a high risk to individuals. Under DPDP, similar obligations are expected in the final rules.
