Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

Research Team (Tsaaro)

In today’s digital age, personal data has emerged as a new currency of power. It drives innovation, shapes consumer experiences, powers industries and shapes digital economies. Yet, with great power comes great responsibility. The misuse or mishandling of such data can have far-reaching consequences, including imposition of penalties and loss of user trust. Acknowledging the critical need for data protection, India enacted the Digital Personal Data Protection Act, 2023 (DPDPA). Recently, the Digital Personal Data Protection Rules, 2025 were released for public consultation. Both the DPDPA and the DPDP Rules provide a comprehensive framework for data protection in India.
What is Data Security?
Data security essentially refers to the process of protecting data from unauthorised access, theft, loss, unauthorised alteration or corruption. It generally involves a combination of technical and organisational measures as well as regulatory compliance to ensure that the confidentiality, integrity and availability of data is maintained. What this looks like, however, varies by industry and organisation size. In finance, strong encryption and fraud detection are necessary because of high-value transactions, whereas in healthcare, accuracy and accessibility of patient records matter just as much as privacy. Large corporations can afford layered protections like SOCs, SIEM tools, and zero-trust systems, while SMEs often rely on leaner, cloud-based security and strict access controls. Start-ups, meanwhile, benefit most from embedding security by design early on.
Reasonable Security Measures under the DPDP Framework
Section 8(5) of the DPDPA imposes an obligation on Data Fiduciaries to protect personal data that is in their possession or under their control. Data Fiduciaries are obligated to adopt reasonable security safeguards to prevent the breach of personal data. The DPDPA, under Section 8(4), also requires a Data Fiduciary to take appropriate technical and organisational measures to ensure the security of data as well as compliance with the provisions of the Act and Rules. Data Fiduciaries are expected to take reasonable safeguards in respect of personal data processing, even if the same is done by a Data Processor on their behalf.
Rule 6 of the DPDP Rules further clarifies the requirement for reasonable security measures and lays down certain key security safeguard requirements that must be fulfilled by any Data Fiduciary, including:
Data Security Measures: Data fiduciaries must implement or adopt appropriate security measures, like:
Encryption: A method that converts data into an unreadable form to prevent unauthorised access.
Obfuscation or Masking: Certain elements of the data are hidden for added security.
Virtual tokens: Using virtual tokens that are mapped to the relevant personal data.
Access Control: Strict measures must be implemented to ensure that access to computer resources used by the data fiduciary or processor is controlled or limited as required.
Monitoring for Data Access Visibility: The Data Fiduciary is also required to continuously monitor, review and maintain logs of access to data. This allows the data fiduciary to detect unauthorised access, investigate it and remedy it.
Logging: The DPDP Rules mandate the maintenance and retention of logs and personal data for a period of one year to facilitate detection, investigation, remediation and further prevention of data breaches or unauthorised access unless compliance with any law for the time being in force requires otherwise.
Contract with Data Processors: Under the DPDP framework, obligations and duties are imposed directly on data fiduciaries. Therefore, the DPDP Rules require the Data Fiduciary to have a clear contract with data processors containing contractual provisions related to taking reasonable security safeguards.
Data backups and continuity: Back up data and have plans to recover in case of data loss, corruption, or unavailability because of any breach or disaster, ensuring ongoing processing when possible.
Retention of logs and data: Retain both access logs and personal data for at least one year (unless another law requires a different period), specifically to detect and respond to unauthorized access or breaches.
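The three technical measures in the list above (virtual tokens mapped to personal data, masking, and access logging with a one-year retention floor) can be seen together in a small program. The following Python is an added example written for this article, not code from Tsaaro or from the DPDP Rules; the `TokenVault`, `AccessLog` and `sample_review` names, the in-memory storage and the phone-number sample are all constructed assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Rule 6 retention floor: access logs (and the personal data they concern)
# are kept for at least one year unless another law requires otherwise.
RETENTION = timedelta(days=365)


class TokenVault:
    """Replaces a personal-data value with a random 'virtual token'.

    Only the vault can map a token back to its value, so downstream systems
    that handle tokens never see the underlying data. Storage is an in-memory
    dict here (an assumption for the example); a deployment would use an
    access-controlled datastore.
    """

    def __init__(self) -> None:
        self._token_to_value: dict = {}
        self._value_to_token: dict = {}

    def tokenize(self, value: str) -> str:
        # The same value always yields the same token, so joins still work.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)  # random; carries no information
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def mask(value: str, visible: int = 4) -> str:
    """Masking: hide every character except the last `visible` ones."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


class AccessLog:
    """Append-only record of who accessed which token, why, and whether it was allowed."""

    def __init__(self) -> None:
        self.entries: list = []

    def record(self, actor: str, token: str, purpose: str, allowed: bool,
               when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self.entries.append({"time": when, "actor": actor, "token": token,
                             "purpose": purpose, "allowed": allowed})

    def unauthorised(self) -> list:
        """Entries a reviewer should investigate: denied access attempts."""
        return [e for e in self.entries if not e["allowed"]]

    def expired(self, now: datetime) -> list:
        """Entries older than the retention floor, i.e. eligible for deletion
        (only if no other law requires longer retention)."""
        cutoff = now - RETENTION
        return [e for e in self.entries if e["time"] < cutoff]


def sample_review(now_iso: str = "2025-06-01T00:00:00+00:00") -> dict:
    """Constructed scenario: an old permitted read and a recent denied export."""
    now = datetime.fromisoformat(now_iso)
    vault, log = TokenVault(), AccessLog()
    token = vault.tokenize("9876543210")  # constructed sample phone number
    log.record("alice", token, "support", True, when=now - timedelta(days=400))
    log.record("bob", token, "export", False, when=now - timedelta(days=10))
    return {
        "masked": mask(vault.detokenize(token)),
        "unauthorised": [e["actor"] for e in log.unauthorised()],
        "expired": [e["actor"] for e in log.expired(now)],
    }
```

The vault keeps the value-to-token mapping so that the same person is recognised across records without the raw value leaving the vault; the log is what lets the fiduciary detect, investigate and remedy unauthorised access as Rule 6 expects.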
The failure on the part of the data fiduciary to take reasonable security measures as mandated under Section 8(5) may lead to a fine that extends up to Rs. 250 Crores.
Practical Implications
Complying with the data security requirements under the DPDP Framework is not an option; it is mandatory. However, it is not just a legal requirement but also the core of responsible data handling. The practical benefits of complying with the security requirements include:
Protects sensitive information and maintains the confidentiality and integrity of data.
Minimises the risk of monetary penalties, legal costs, liabilities and the costs of handling a data breach.
Ensures regulatory compliance and reduces the likelihood of penalties and liabilities.
Strengthens customer trust by demonstrating the business’s commitment to protecting data.
Minimises operational disruption, keeps services running smoothly and mitigates downtime.
Best practices
To comply with the data security requirements outlined above, it is essential for businesses to adopt a proactive approach, integrating technical measures, organisational policies and leveraging technology. Some practices that can fortify your data security strategy include:
Technical Safeguards:
Tokenisation: Replacing sensitive data such as credit card numbers with non-sensitive substitutes (tokens that are typically random values with no meaning of their own) protects the confidentiality of the data, because a stolen token reveals nothing without the mapping held by the tokenisation system.
SIEM Tools: Security Information and Event Management tools can be used for real-time monitoring to detect, respond and manage threats immediately.
Log management tools: Maintain tamper-proof logs, test their accessibility and integrity, and align retention with the DPDP Rules for audit readiness.
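A log that can be altered without anyone noticing cannot support the detection and investigation the article describes. One common way to make retained logs tamper-evident is to chain each entry to the previous one with an HMAC, so that editing, reordering or deleting an entry breaks the chain. The following Python is an added example, not Tsaaro's code or a specific log management product; the `HashChainedLog` class and the sample key and records are constructed assumptions.

```python
import hashlib
import hmac
import json


class HashChainedLog:
    """Append-only log where each entry's MAC covers the previous entry's MAC.

    The key must live outside the log writer's reach (e.g. in an HSM or KMS,
    an assumption here); anyone holding only the log cannot forge a valid chain.
    """

    GENESIS = "0" * 64  # fixed starting point for the chain

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list = []  # each: {"record": {...}, "prev": hex, "mac": hex}

    def _mac(self, prev: str, record: dict) -> str:
        # Canonical JSON so the same record always produces the same bytes.
        payload = prev.encode() + json.dumps(
            record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        mac = self._mac(prev, record)
        self.entries.append({"record": dict(record), "prev": prev, "mac": mac})
        return mac

    def tip(self) -> str:
        """MAC of the last entry; store it separately to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else self.GENESIS

    def verify(self) -> int:
        """Return the index of the first bad entry, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return i  # an entry was removed or reordered before this one
            if not hmac.compare_digest(e["mac"], self._mac(prev, e["record"])):
                return i  # this entry's content was altered
            prev = e["mac"]
        return -1


def sample_tamper_check() -> dict:
    """Constructed scenario: three access records, then an edit and a deletion."""
    log = HashChainedLog(b"constructed-sample-key-keep-in-kms")
    log.append({"time": "2025-05-01T09:00:00Z", "actor": "alice", "action": "read"})
    log.append({"time": "2025-05-01T09:05:00Z", "actor": "bob", "action": "export"})
    log.append({"time": "2025-05-01T09:10:00Z", "actor": "carol", "action": "read"})
    intact = log.verify()
    log.entries[1]["record"]["actor"] = "mallory"  # rewrite history
    edited = log.verify()
    del log.entries[1]                              # remove the evidence instead
    deleted = log.verify()
    return {"intact": intact, "edited": edited, "deleted": deleted}
```

Removing the final entry is the one change the chain alone cannot detect, which is why `tip()` exists: the latest MAC should be recorded somewhere the log writer cannot modify (a separate system, or a periodically signed checkpoint), and verification compares against it.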
Access Control and Authentication
Zero trust policy: A zero trust policy starts from the assumption that no user or device is trusted by default, whatever network it connects from. Every access request (including those from privileged users) is verified on its own, and access is granted only to the resources necessary for the requester's duties.
Multi-factor authentication: Multi-factor authentication adds an extra layer of security or protection by requiring multiple verification methods for access, such as separate codes, OTPs, and Authenticator applications.
Review and update of access: While putting access control measures in place, it is also necessary to regularly review and audit existing access rights to ensure that there is no unauthorised or unrequired access (e.g., access still held by an ex-employee).
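The three access control practices above (per-request zero trust checks, multi-factor authentication, and periodic access review) fit together as follows. The Python below is an added example written for this article, not Tsaaro's code; the `POLICY` and `USERS` tables, the sample TOTP secrets, the `authorize` and `review_access` functions and the users "alice" and "bob" are constructed assumptions. The `totp` function implements the standard RFC 6238 algorithm that authenticator apps use, which is why it can be checked against the published test vector.

```python
import hashlib
import hmac
import struct

# Constructed directory and policy (assumptions for this example, not from
# the DPDP Rules): each role maps to the minimum (resource, action) pairs it needs.
POLICY = {
    "support": {("customer_record", "read")},
    "admin": {("customer_record", "read"), ("customer_record", "export")},
}
USERS = {
    "alice": {"role": "support", "active": True,
              "totp_secret": b"alice-sample-secret-1"},
    "bob": {"role": "admin", "active": False,          # has left the company
            "totp_secret": b"bob-sample-secret-002"},
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authorize(user: str, resource: str, action: str, code: str, now: int):
    """Zero trust style decision: every request re-checks identity, MFA and policy.

    Returns (allowed, reason); nothing is remembered between calls.
    """
    account = USERS.get(user)
    if account is None or not account["active"]:
        return False, "unknown_or_inactive_user"
    if not hmac.compare_digest(code, totp(account["totp_secret"], now)):
        return False, "mfa_failed"
    if (resource, action) not in POLICY.get(account["role"], set()):
        return False, "not_permitted_for_role"
    return True, "ok"


def review_access(grants):
    """Periodic access review over a list of (user, resource, action) grants.

    Flags grants held by inactive users (e.g. ex-employees) and grants that
    exceed what the user's role requires, so they can be revoked.
    """
    findings = []
    for user, resource, action in grants:
        account = USERS.get(user)
        if account is None or not account["active"]:
            findings.append((user, resource, action, "user_inactive_revoke"))
        elif (resource, action) not in POLICY.get(account["role"], set()):
            findings.append((user, resource, action, "exceeds_role_revoke"))
    return findings
```

In `authorize` the order of checks matters: an inactive account is rejected before its one-time code is even examined, and a valid code still does not unlock resources outside the role. `review_access` is the complementary control the article calls for, catching standing grants that the per-request check alone would keep honouring for an active account whose role has changed.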
Assessments, standards and due diligence
Data protection clauses in data processing agreements: As already established in the DPDP Rules, it is important for businesses to proactively include comprehensive data protection and security clauses in any agreement that is drawn up with data processors or third parties for processing data.
Due diligence: It is essential for data fiduciaries to conduct sufficient due diligence and ensure that third-party vendors and processors follow security standards, and also to identify potential risks. Vendor risk management tools can be used for this purpose.
Mandate adherence to standards: Data Fiduciaries can take steps to mandate or ensure that processors or vendors follow global security standards (e.g. ISO 27001 for Information Security Management Systems), regulatory requirements and best practices.
Risk assessment and mitigation measures: Regular risk and vulnerability assessments must be conducted to identify weaknesses in systems and processes and to develop strategies that mitigate the resulting cybersecurity risks.
Business Continuity
Strong data backup strategies: Implement robust and reliable redundant systems to ensure data availability in case of any incident. It is recommended to store these redundancies in geographically dispersed locations to mitigate the effect of any incident that takes place in one location.
Disaster recovery and business continuity plan: It is essential for businesses to prepare disaster recovery plans and business continuity plans to ensure that the operations of the business continue smoothly even after a breach. It is important to implement strategies to mitigate the effects of a data breach and maintain business operations.
Conclusion
In an era where data is central to decision-making and innovation, it is crucial to secure personal data. Compliance with the prescribed security standards and practices provided by the DPDPA and DPDP Rules enhances data protection, strengthens trust and ensures smooth operations.
By implementing robust technical measures such as encryption, data masking, and SIEM tools, coupled with stringent access control mechanisms and continuous risk assessments, organisations can establish a comprehensive framework for data security. Additionally, embedding data protection clauses in contracts and adhering to global standards are critical.
Ultimately, it is important to note that implementing strong security safeguards is not just a legal requirement but also an ethical responsibility of businesses to uphold the highest standards of confidentiality, integrity and trust.