Module 4 · Breach Response Tabletop

Manish Garg Associate of (ISC)² · RingSafe
Apr 19, 2026

Last updated: April 29, 2026

It’s 2:47 AM on a Tuesday. Your PagerDuty wakes you up. A customer has tweeted a screenshot of what looks like your production database, posted on a Telegram channel. Your heart rate spikes. You have approximately 72 hours before the Data Protection Board of India expects to hear from you.

This module is about what happens between that 2:47 AM page and the Board notification filed 65 hours later. It is the most operationally consequential module of the DPDP Practitioner path. By the end, you will have:

  • A role-by-role map of who does what in the first 2 hours, 24 hours, and 72 hours
  • The exact contents the Board will expect in your notification
  • A tabletop scenario you can run with your team next week
  • A checklist of the 12 pre-breach controls that reduce both the probability of a breach and the penalty range if one occurs

Why tabletop exercises matter

Every organisation has an incident-response plan on paper. Very few have tested it. The first time a team runs its plan for real — at 2:47 AM, with stakeholders panicking, with partial information, with evidence being destroyed in real time — is the worst possible moment to discover that the plan has holes.

Tabletop exercises are the discipline of rehearsing the plan in a low-stakes setting: a conference room, a fictional scenario, a few hours, your actual team. They reliably surface three classes of gap:

  1. Gaps in the plan itself — steps that are under-specified, decisions without owners, escalation paths that dead-end
  2. Gaps in capabilities — the plan says “we’d need to pull X from Sentry”, but can we actually? Who has access? What if Sentry is down?
  3. Gaps in alignment — different team members have different assumptions about what “notify the Board” means, or who signs off on customer communication

A 3-hour tabletop surfaces gaps that would take weeks to discover during a real incident. For a Significant Data Fiduciary (SDF), regular tabletops are essentially required; for a smaller organisation, they are the single best investment in compliance readiness.
