✓ Link copied
DPDPA 2023 Compliance

DPDPA Section 4 Compliance: 7-Step Breach Notification Protocol for Trade Shows

Applies toTrade show organizers, exhibition companies, and event management firms handling attendee personal data in India
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-06
SourceDPDPAReady Compliance Team

When 500 Attendees’ Data Leaks at Your Trade Show: The Section 4 Reality

Your exhibition database is hacked. Email addresses, phone numbers, job titles—500 attendees’ personal data is exposed. Within hours, you’re facing India’s Data Protection Board and potential penalties exceeding ₹150 crore. Section 4 of the DPDPA 2023 leaves no room for delay: you have a fixed window to notify everyone, report to the regulator, and document every step. This is not optional. Exhibition organizers who miss the timeline face enforcement action regardless of company size.

This guide walks you through the exact seven steps to notify affected data subjects and the Data Protection Board when a personal data breach occurs at your trade show, exhibition, or event.

Section 4 of DPDPA: The Breach Notification Mandate

The relevant regulation states:

“In the case of a personal data breach, the fiduciary shall, in accordance with such rules as may be prescribed, provide notice to the data subjects and the Board. Such notice shall be provided without unreasonable delay and, in any case, not later than thirty days from the date on which the fiduciary has reasonable grounds to believe that a personal data breach has occurred.”

(DPDPA 2023, Section 4)

For trade shows, this means: the moment your team discovers (or has reason to suspect) that attendee records have been exposed, your 30-day countdown begins. The clock stops only when both affected attendees and the Data Protection Board receive formal written notification.

Seven-Step Breach Notification Protocol for Trade Show Organizers

Step 1: Detect the Breach and Document the Date

Action: The moment a breach is suspected or confirmed, record the exact date and time. This is your statutory baseline.

For trade shows:

  • Your IT team detects unauthorized access to the event registration database on July 5, 2026, at 14:32 IST.
  • A third party (security researcher, attendee, hosting provider) alerts you to exposed records on July 6.
  • Your backup system shows signs of tampering during routine audit.

Document:

  • Date and time of discovery (or when you should have discovered it, if the breach occurred earlier).
  • Method of discovery: internal monitoring, external report, law enforcement notification, etc.
  • Which personal data categories were exposed: names, emails, phone numbers, job titles, company affiliations, photographs?

Save this in a breach log file with date stamps. This becomes your evidence of timely reporting.

Step 2: Assess the Scope: Which Attendees Are Affected?

Action: Count exactly how many data subjects were affected and which personal data fields were exposed.

For trade shows:

  • Your exhibition had 12,000 registered attendees. Database logs show unauthorized access affected 4,250 records.
  • Exposed fields: full name, email, phone, employer, designation, city.
  • NOT exposed: payment details, passport data, or passwords (because they weren’t stored).

Document in a breach register:

  • Total number of affected data subjects (e.g., 4,250 attendees).
  • Specific personal data categories exposed.
  • Likely cause of the breach (ransomware, weak credentials, SQL injection, insider threat).
  • Whether the breach also affected third parties (e.g., if your events platform processes data for co-organizers).

This assessment determines the scale of notifications you must send. Undercount and you face enforcement action for incomplete notification.

Step 3: Notify Affected Attendees Within 30 Days

Action: Send written notice to every affected data subject in clear, simple language. This is a Section 4 requirement, not optional disclosure.

Notification must include:

  1. Your identity as the fiduciary (event organizer name, address, contact details).
  2. What personal data was exposed (list the specific fields: name, email, phone, etc.).
  3. When the breach was discovered (the date you became aware of it).
  4. Why it happened (ransomware attack, unpatched server, stolen API key, etc.).
  5. What you’re doing to fix it (security patches, password resets, monitoring, etc.).
  6. What attendees should do (monitor bank accounts, change passwords on other sites that use the same email, watch for phishing, etc.).
  7. Contact info for questions (dedicated breach response email or hotline).

Sample notification for trade shows:


Subject: Data Security Incident Notification – Your Information from [Trade Show Name]

Dear [Attendee Name],

On July 5, 2026, we discovered unauthorized access to our event registration database that affected some attendee records from [Trade Show Name], held in [month/year].

What Information Was Affected: Your full name, email address, phone number, current employer, and job title were exposed due to [brief reason: e.g., SQL injection attack on our registration servers].

What We’re Doing:

  • We have secured the affected servers.
  • We are notifying all affected attendees and the Data Protection Board within the 30-day statutory window.
  • We have engaged a cybersecurity firm to audit our systems and implement additional safeguards.

What You Should Do:

  • Change passwords on your email and any other accounts that use the same password.
  • Monitor your email and phone for phishing attempts.
  • Review your financial statements for unauthorized charges.
  • If you notice any suspicious activity, contact your bank immediately.

Questions? Email us at [breach-response@youreventcompany.com] or call [phone number].

Sincerely, [Your Company], Data Fiduciary


Delivery method:

  • Email to each affected attendee’s registered email address.
  • If email bounces, send SMS to registered phone number (if available).
  • Post a breach notice on your website and social media.
  • Keep proof of delivery (email logs, SMS receipts, screenshots).

Critical timeline: All notifications must be sent within 30 days of discovery.

Step 4: Report to the Data Protection Board

Action: File a formal breach report with the Data Protection Board within 30 days of discovery. This is separate from attendee notification and equally mandatory.

Report must include:

  1. Your organization details: Legal name, LLPIN (if registered), principal place of business in India.
  2. Incident details: Date of discovery, number of affected data subjects, personal data categories, cause of breach.
  3. Remedial measures: What you’ve done to contain the breach and prevent recurrence.
  4. Copies of notification: Attach the breach notification letter sent to attendees.

Filing procedure:

  • Visit the Data Protection Board portal (details published on India’s official government digital infrastructure).
  • Fill in the breach incident form.
  • Upload attachments: breach notification, incident log, remedial action plan.
  • Submit before day 30.

For trade shows:

  • You must file this report even if the breach is small (even 50 attendees).
  • You must file even if no sensitive categories like biometric data were exposed (names and emails alone trigger the requirement).

Step 5: Preserve Forensic Evidence and Investigation Records

Action: Document your investigation into the breach. This becomes your legal defense if enforcement action occurs.

Preserve:

  • Server logs showing unauthorized access timestamps.
  • System administrator notes on remediation steps.
  • Third-party forensic report (if you hired a cybersecurity firm).
  • Copies of all attendee notifications sent.
  • Calendar and email showing when you discovered the breach and when you reported it.

Why this matters: If the Data Protection Board later questions whether you met the 30-day deadline, your documented investigation timeline is your proof. Without it, you cannot credibly demonstrate compliance.

Step 6: Implement Remedial Measures and Document Them

Action: Fix the vulnerability that caused the breach. Document all fixes.

For trade shows, common fixes include:

  • Patch the web application vulnerability (SQL injection, cross-site scripting, etc.).
  • Enforce multi-factor authentication for admin access to registration systems.
  • Encrypt attendee databases at rest and in transit.
  • Conduct a third-party security audit or penetration test.
  • Update access control policies (e.g., only event managers can view attendee data, not junior staff).
  • Implement intrusion detection/prevention systems.
  • Conduct staff training on data security and phishing awareness.

Document in writing:

  • What was wrong (technical root cause).
  • What was fixed (specific patches, system changes).
  • When it was fixed (dates).
  • Who fixed it (internal IT or third-party vendor).
  • How you verified the fix worked (test results, re-audit findings).

The Data Protection Board will review these measures when deciding whether to issue a notice of non-compliance or enforcement orders.

Step 7: Review Your Data Handling Processes and Update Your Policy

Action: Strengthen your ongoing compliance to prevent future breaches. This is proactive risk management under Section 4 logic.

Audit:

  • Who has access to attendee data? (Should be limited to event managers, registrars, not all employees.)
  • How is data stored? (Should be encrypted, not in plain text on shared drives.)
  • How long do you retain attendee records after the event ends? (Consider whether you need to keep 3 years of past attendee lists.)
  • What is your current breach response plan? (Do you have a documented process, or is this your first breach?)
  • Do you have a Data Protection Officer (DPO) or designated breach response lead?

Update your privacy policy:

  • Add a clause explaining how you will notify attendees in case of a breach.
  • Clarify the 30-day timeline and the types of information you will disclose.
  • List the safeguards you use to protect attendee data.

This demonstrates good-faith compliance to regulators and gives attendees confidence in your event.

Common Pitfalls Trade Show Organizers Must Avoid

  1. Delaying notification: Even a day late is a violation. Start notifying on day 1 of discovery, not day 20.
  2. Under-counting affected attendees: If you report 1,000 affected attendees but the Board later finds 2,000 were exposed, it’s treated as incomplete notification.
  3. Vague breach descriptions: Do not write “data breach occurred”—specify what was exposed (names, emails, phone numbers).
  4. Notifying only some attendees: If 500 people were affected, all 500 must be notified individually. A generic website notice is insufficient.
  5. No remedial plan: Simply patching the hole is not enough. You must explain what architectural changes prevent the next breach.
  6. Missing the Board filing: Even if you notify all attendees, failing to file with the Data Protection Board is a Section 4 violation.

Frequently Asked Questions

Q: Do I have to report a breach to police or national cybercrime authorities?

A: No—Section 4 requires notification to affected attendees and the Data Protection Board only. However, if your trade show involves sensitive categories (biometric data, financial records, health data), you may want to notify law enforcement for investigation. Check with your legal counsel and your data protection officer.

Q: If my exhibition spans two countries—one in India and one abroad—do the 30-day rules apply to both?

A: Section 4 applies only to trade shows in India or events where Indian attendees’ data is processed in India. If you hold a parallel event in Singapore with separate databases, those rules don’t trigger Section 4. However, if Indian attendees’ data is transferred outside India, DPDPA rules still apply—consult your DPO before sharing cross-border.

Q: What if the breach is discovered 2 months after the event? Do I still have to report it?

A: Yes. The 30-day clock starts from when you discover the breach, not when it occurred. If you discover it 2 months later, you have 30 days from that discovery date. The Data Protection Board may still issue guidance on your delayed detection capability, but you must still file within 30 days of discovery.

Q: Is a breach notification letter required, or can I just call affected attendees?

A: Section 4 requires written notice. Email qualifies as written notice. A phone call is not sufficient on its own, though you can call first and follow up with an email. Keep records of both for evidence of compliance.

Q: If we outsource our registration system to a third-party event platform, are we still the fiduciary under Section 4?

A: Yes, the trade show organizer is the fiduciary. The third-party platform may be a processor. You are responsible for ensuring the processor has security measures in place and for notifying attendees in the event of a breach. Review your contract with the platform to clarify breach notification responsibilities and ensure the processor agrees to cooperate within the 30-day window.

DPDPA section 4 breach notification trade showsEvent organizer data breach compliance IndiaExhibition attendee data protection requirementsTrade show personal data breach reportingDPDPA breach notification timelineData protection board notification event managersTrade exhibition data security compliance
VERIFIED DPDPAReady Editorial Desk 19 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →