Reasonable Security Safeguards Under the DPDP Act, 2023 and DPDP Rules, 2025: Redefining Cybersecurity, Data Architecture, and Board Accountability

Introduction
The DPDP Act, 2023 and the DPDP Rules, 2025 introduce a transformative legal framework for cybersecurity and data protection in India. While previous Indian regulations referenced “reasonable security practices” under frameworks like the IT Act and SPDI Rules, the DPDP regime elevates cybersecurity from an IT obligation to a statutory, enterprise-wide, board-level responsibility.
At the centre of this shift is Rule 6 of the DPDP Rules, which lays down the operational architecture for reasonable security safeguards. When read with Section 8 of the DPDP Act, which obligates Data Fiduciaries to implement “reasonable security safeguards to prevent personal data breaches”, the framework becomes a powerful, enforceable compliance mandate.
Unlike earlier legal requirements, the DPDP regime imposes:
- explicit minimum security standards,
- strict breach-prevention obligations,
- mandatory log retention,
- clear expectations for encryption, masking, monitoring, and access controls,
- and significant liability for both Data Fiduciaries and Data Processors.
For Indian and multinational companies operating in India, whether in fintech, telecom, healthtech, retail, manufacturing, SaaS, cloud, or digital platforms, Rule 6 is not merely a security guideline. It is a legally enforceable cybersecurity standard, backed by substantial penalties (up to ₹250 crore for breach-related failures) and extensive regulatory powers vested in the Data Protection Board (DPB).
The Legal Foundation: Section 8 of the DPDP Act
Section 8(5) of the DPDP Act states that a Data Fiduciary must implement reasonable security safeguards to prevent personal data breaches.
This is supported by:
- Section 8(6): obligation to notify the DPB and affected Data Principals in case of a breach.
- Section 33 (penalty schedule): major financial penalties for failure to prevent breaches.
- Section 36: Government’s power to demand information on compliance.
The combined effect is clear: cybersecurity is no longer discretionary or sector-specific. It is a uniform, cross-industry obligation, enforceable by law. The 13 November 2025 notification brings Section 8 into force in 18 months, giving companies a defined timeline to upgrade systems before full enforcement begins.
Rule 6: India’s New Statutory Cybersecurity Baseline
Rule 6 provides operational clarity on what “reasonable security safeguards” entail. Under Rule 6, every Data Fiduciary must implement the following minimum security measures:
1. Encryption of personal data: Data must be encrypted both in transit and at rest, reducing risk during transmission, storage, and processing.
2. Data masking and pseudonymisation: Sensitive identifiers must be masked, ensuring processors and internal teams do not have unnecessary access to clear-text personal data.
3. Access controls: Companies must restrict access to personal data strictly on a “need-to-know” and “role-based” basis.
4. Continuous monitoring and logging: Platforms must maintain logs tracking access, modifications, breaches, and suspicious activities.
5. Backup and recovery mechanisms: Companies must maintain secure, redundant backups for quick recovery in case of breach or system compromise.
6. Mandatory log retention for at least one year: Logs must be preserved to support investigations, forensics, and DPB inquiries even if a Data Principal requests deletion.
7. Processor accountability: Data Processors engaged by Fiduciaries must implement identical safeguards.
8. Contractual binding: Security obligations must be documented in contracts with processors and third-party vendors.
This establishes a technology-agnostic yet legally binding standard that all companies must meet.
How Rule 6 Intersects With Other DPDP Rules
Rule 7: Breach Notification
Even with safeguards, breaches may occur. Rule 7 mandates that organisations notify affected users and the Data Protection Board without undue delay.
Rule 8: Data Retention and Deletion
Security safeguards must extend to data that is scheduled for deletion or archival. Companies must issue a 48-hour advance deletion notice and retain logs for at least a year.
Rule 15: Cross-Border Transfers
Security standards apply globally, including offshore processors. A breach in a foreign jurisdiction is still a breach under Indian law.
Rule 23: Government Access
The Government may demand information from companies; logs and audit trails are essential to comply.
Together, these rules create a life-cycle governance system, from collection and storage to breach response and regulatory reporting.
Who Must Comply? Every Entity in the Data Pipeline
The DPDP Act applies to:
- Indian companies,
- Multinational corporations processing Indian data,
- Government bodies,
- Government contractors,
- Technology vendors,
- Cloud service providers,
- Data processors,
- Social media intermediaries,
- EdTech and gaming platforms,
- Banks, insurers, NBFCs,
- Hospitals and health systems.
Rule 6 is universally applicable. No entity collecting or processing personal data can escape the obligation to implement minimum safeguards.
Security Governance: What the DPDP Regime Expects From Boards
Under the DPDP Act and Rules, cybersecurity becomes a board-level accountability issue. Boards must ensure:
- adequate budgets,
- documented policies,
- annual review of security practices,
- approval of DPIAs (for Significant Data Fiduciaries),
- oversight of incidents and regulatory inquiries,
- vendor and cloud due diligence.
If a breach occurs due to inadequate safeguards, the DPB may consider:
- whether the Board demonstrated oversight,
- whether audits were conducted,
- whether security lapses were systemic or negligent.
Thus, Rule 6 significantly elevates fiduciary duty for directors and CXOs.
Significant Data Fiduciaries (SDFs): A Higher Security Bar
Under Section 10 of the DPDP Act and Rule 13, SDFs face enhanced obligations:
- Annual Data Protection Impact Assessments (DPIAs)
- Annual independent security audits
- Algorithmic risk assessments
- Mandatory appointment of a Data Protection Officer (DPO)
- Detailed compliance reporting to the DPB
- Monitoring high-risk processing activities
SDF designation may apply to:
- social media giants,
- fintech and digital payment systems,
- telecom and ISPs,
- e-commerce majors,
- gaming platforms with large user bases,
- edtech platforms,
- healthcare providers,
- gig economy and mobility platforms.
For SDFs, Rule 6 becomes the minimum, not the ceiling.
India’s New Cybersecurity Standard Compared to Global Frameworks
Compared to GDPR
GDPR uses “appropriate technical and organisational measures (TOMs).” DPDP Rule 6 is more prescriptive, particularly regarding encryption, log retention, masking, and processor liability.
Compared to US state privacy laws (CPRA, VCDPA)
US laws emphasise risk assessments; the Indian regime requires specific security practices.
Compared to China’s PIPL
PIPL imposes strong localisation and security measures; India’s Rule 6 is less restrictive but equally rigorous in breach prevention.
India’s framework is now comparable to global best practices, but tailored to India’s digital ecosystem.
Technical Implementation Requirements Under Rule 6
1. Encryption
- AES-256 for data-at-rest
- TLS 1.2+ for data-in-transit
- End-to-end encryption for messaging platforms
- Hardware security modules (HSMs) for key management
2. Data Masking and Pseudonymisation
- Tokenisation of sensitive identifiers
- Masking of Aadhaar, PAN, financial numbers
- Role-based masking in internal dashboards
3. Access Control
- Zero-trust architecture
- Multi-factor authentication (MFA)
- SSAE-18 / SOC-2 aligned access governance
4. Monitoring and Logging
- SIEM implementation
- Real-time anomaly detection
- Log integrity verification
- Immutable logging for forensic readiness
5. Backups and Business Continuity
- Multi-zone or multi-region storage
- Air-gapped backups
- Quarterly disaster recovery drills
6. Vendor and Processor Security
- Mandatory DPDP-aligned contractual terms
- Pen-testing and security evaluations
- Audit rights and compliance certifications
Rule 6 therefore requires a holistic cybersecurity posture, not check-box compliance.
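One way to put the masking/pseudonymisation and monitoring/logging requirements above into code, added here as an illustration; this is not code from the article, from the DPDP Rules, or from any regulator. The identifier format checks, the masking pattern (only the last four characters shown), the demo key and the sample values are constructed assumptions; in production the tokenisation key would be held in an HSM or KMS, as item 1 of the list suggests. The log stores pseudonymous tokens rather than clear-text identifiers, which is what lets log records be retained for the one-year period without keeping clear-text personal data alive after a deletion request.

```python
"""Added example (not from the article or any regulator): pseudonymisation,
format-aware masking and a tamper-evident access log, as one way to
implement the masking and logging items of Rule 6. All sample values are
constructed."""
import hashlib
import hmac
import json
import re

# Constructed 32-byte demo key. In practice the tokenisation key lives in a
# KMS/HSM and is never stored beside the data or the logs it protects.
DEMO_TOKEN_KEY = bytes(range(32))

# Constructed format checks: 12 digits for Aadhaar, 5 letters + 4 digits +
# 1 letter for PAN.
AADHAAR_RE = re.compile(r"\d{12}")
PAN_RE = re.compile(r"[A-Z]{5}\d{4}[A-Z]")


def pseudonymise(identifier: str, key: bytes = DEMO_TOKEN_KEY) -> str:
    """Keyed token for an identifier. HMAC rather than a plain hash, so the
    small 12-digit space cannot be enumerated by someone holding the tokens
    but not the key. The same input always yields the same token, so the
    token can serve as a join key and as the subject field in logs."""
    compact = identifier.replace(" ", "").upper()
    return hmac.new(key, compact.encode(), hashlib.sha256).hexdigest()


def mask_identifier(kind: str, value: str) -> str:
    """Display form that reveals only the last four characters. The format
    check runs first so a malformed value is rejected rather than partly
    disclosed. The pattern is a constructed choice, not one prescribed by
    the Rules."""
    compact = value.replace(" ", "").upper()
    if kind == "aadhaar":
        if not AADHAAR_RE.fullmatch(compact):
            raise ValueError("not a 12-digit Aadhaar-format number")
        return "XXXX XXXX " + compact[-4:]
    if kind == "pan":
        if not PAN_RE.fullmatch(compact):
            raise ValueError("not a PAN-format identifier")
        return "X" * 6 + compact[-4:]
    raise ValueError(f"unsupported identifier kind: {kind}")


class AccessLog:
    """Append-only, hash-chained access log. Every record commits to the hash
    of the previous one, so editing or reordering an entry breaks
    verification from that point on. Records carry pseudonymous tokens, not
    clear-text identifiers."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the hash does not depend on key order.
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        ).hexdigest()

    def append(self, ts: str, actor: str, action: str, subject_token: str) -> dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "ts": ts, "actor": actor,
                "action": action, "subject": subject_token, "prev": prev}
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self) -> tuple[bool, int]:
        """Recompute the chain. Returns (True, -1) if intact, otherwise
        (False, index of the first record that fails)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec.get("seq") != i or rec.get("prev") != prev:
                return False, i
            if self._digest(body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, -1


def demo() -> dict:
    """Constructed scenario: two lookups are logged, then one record is
    edited after the fact, which a forensic re-verification detects."""
    aadhaar = "1234 5678 9012"   # constructed, not a real number
    pan = "ABCDE1234F"           # constructed, not a real PAN
    token = pseudonymise(aadhaar)
    log = AccessLog()
    log.append("2025-11-13T10:00:00Z", "analyst-01", "view", token)
    log.append("2025-11-13T10:05:00Z", "analyst-02", "export", pseudonymise(pan))
    intact = log.verify()
    log.records[0]["actor"] = "someone-else"   # simulated after-the-fact edit
    tampered = log.verify()
    return {"masked_aadhaar": mask_identifier("aadhaar", aadhaar),
            "masked_pan": mask_identifier("pan", pan),
            "token_len": len(token), "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hash chaining detects in-place edits and reordering, but not truncation of the tail: if the newest records are simply dropped, the shorter chain still verifies. Immutable logging in the sense of item 4 therefore also needs the latest chain hash anchored outside the writer's control (WORM storage, periodic signing, or shipping to a SIEM the application cannot modify).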
Integrated Breach Response Framework (Rule 7 + Rule 6)
A personal data breach triggers an immediate obligation to notify:
- The Data Protection Board, and
- The affected Data Principals.
To comply, companies must design:
- a 24/7 incident response team,
- forensic investigation capabilities,
- user notification templates,
- regulatory reporting workflows,
- evidence preservation procedures,
- containment playbooks,
- third-party breach escalation protocols.
Failure to notify or late disclosure can increase penalties significantly.
Compliance for Multinational Companies
MNCs face unique challenges because Indian data is often processed globally. Under Rule 6, multinational groups must:
- extend security standards to all offshore processors,
- ensure cloud regions meet Indian encryption and monitoring standards,
- implement cross-border incident reporting within Indian timelines,
- update global DPAs and intra-group data transfer agreements,
- maintain audit trails for Indian regulators.
A breach in the US, Singapore, or Europe can trigger Indian penalties if Indian personal data is involved.
Sector-Specific Implications
1. Financial Services: Banks, NBFCs, insurers, and fintechs must integrate:
- RBI cybersecurity frameworks,
- DPDP Rule 6 standards,
- UIDAI security controls (if Aadhaar is used).
2. Healthcare
Hospitals, healthtech apps, and pharma companies must secure sensitive personal data with enhanced encryption and access control.
3. Telecom & Internet
High-volume processing makes telecom operators likely SDFs with enhanced security audits.
4. E-Commerce & Retail
Large user bases + high transaction volumes = high breach risk + increased DPB scrutiny.
5. SaaS & IT-BPM
India’s global IT industry must align client contracts with DPDP obligations.
Penalties for Non-Compliance: A High-Stakes Regime
The DPDP Act prescribes penalties of up to:
- ₹250 crore for failure to adopt reasonable security safeguards,
- ₹200 crore for violating children’s data obligations,
- ₹50 crore for other general violations.
The DPB may also:
- issue directions,
- mandate remediation,
- order systems strengthening,
- recommend blocking of platforms (Section 37).
Thus, cybersecurity lapses can become enterprise-threatening events.
Governance Recommendations for Businesses
1. Board-Level Oversight
Boards must formally approve cybersecurity policies, DPIAs, audit reports, and risk registers.
2. Appoint a Strong DPO
For SDFs, a DPO must have independence, expertise, and direct reporting access to the Board.
3. Adopt a Comprehensive Information Security Program
Aligned with DPDP Rule 6, NIST CSF, ISO 27001, RBI frameworks, and CERT-In guidelines.
4. Conduct Regular Audits
External and internal audits must document compliance.
5. Build a DPDP-Aligned Vendor Risk Program
Third-party risk is now a statutory liability.
6. Maintain Documentation for DPB Inspections
Including access logs, breach investigation reports, and security testing results.
Preparing for the 18-Month Enforcement Window
Given the 13 November 2025 notification, companies have 18 months before Section 8 and Rule 6 become fully enforceable. A strategic implementation roadmap:
Months 1–6: Assessment Phase
- Data mapping
- Vendor audit
- Gap analysis
- Architectural review
- Board briefings
Months 6–12: Remediation Phase
- Implement encryption, masking, logging
- Re-architecture of sensitive systems
- Contract updates
- SOC / SIEM integration
Months 12–18: Operationalisation Phase
- Testing & drills
- Documentation
- DPIAs (for SDFs)
- Incident response simulation
- Team training
This three-stage model ensures readiness before enforcement begins.
Conclusion
The DPDP Act and DPDP Rules together create a modern, forward-looking, and enforceable cybersecurity regime. Rule 6 transforms what used to be a best practice into a legal obligation, backed by substantial penalties, stringent reporting requirements, and board-level accountability.
For Indian and multinational companies, cybersecurity must now evolve into an enterprise-wide compliance discipline. Those that proactively modernise their data architecture, strengthen governance, and embed DPDP-driven safeguards will not only avoid regulatory and financial pitfalls but also gain a strategic advantage in an increasingly privacy-conscious marketplace.
Contributed by – Aurelia Menezes