Navigating India’s Personal Data Breach Regime in the AI Age

India’s Digital Personal Data Protection Act, 2023 is set to revamp privacy practices in the region by May 2027. It reserves its highest penalties for personal data breaches: USD22 million for not reporting a breach to an affected person or the Data Protection Board of India; and USD28 million for not implementing “reasonable security safeguards” to prevent breaches. By enabling the board to adopt “techno-legal measures,” the DPDPA anticipates the use of automated tools to implement such requirements.

This session unpacks the DPDPA’s breach-related requirements and examines if their design will remain suited to a rapidly AI-driven environment. It will explore how AI is changing the scale, speed and entryways for personal data breaches; how global regulators and entities are, accordingly, adapting their existing reporting regimes; and what lessons this may hold for India’s Board and regulated entities building compliance systems in the region.

What you will learn:

• How new AI applications, such as generative AI tools and agentic AI systems, are re-shaping the nature and scale of personal data breaches.

• The DPDPA’s breach-related requirements and identifying practical compliance lessons based on insights from parallel regimes in Asia and Europe.

• How AI tools can improve breach detection and reporting, and if they can enable “techno-legal” measures to comply with the DPDPA’s breach regime.