Fortifying Data: A Guide to Security Safeguards under the DPDPA and Draft DPDP Rules

Today, personal data has become one of the most valuable resources, powering industries and shaping digital economies. However, the misuse or mishandling of such data can have far-reaching consequences, including imposition of penalties and loss of user trust. Recognizing the critical need for robust data protection, India enacted the Digital Personal Data Protection Act, 2023 (DPDPA). Recently, the Draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules,) were released for public consultation. Both the DPDPA and the Draft DPDP Rules provide a comprehensive framework for data protection in India. 

What is Data Security?

Data security essentially refers to the process of protecting data from unauthorised access, theft, loss, unauthorised alteration or corruption. It generally involves a combination of technical and organisational measures as well as regulatory compliance to ensure that the confidentiality, integrity and availability of data is maintained. Some commonly known data security measures include encryption, access control, incident management, risk mitigation, device management etc.

Reasonable Security Measures under the DPDP Framework

Section 8(5) of the DPDPA imposes an obligation on Data Fiduciaries to protect personal data that is in their possession or under their control. Data Fiduciaries are obligated to adopt reasonable security safeguards to prevent the breach of personal data. The DPDPA, under Section 8(4) also requires a Data Fiduciary to take appropriate technical and organisational measures to ensure the security of data as well as compliance with the provisions of the Act and Rules. Data Fiduciaries are expected to take reasonable safeguards in respect of personal data processing even if the same is done by a Data Processor on its behalf.

Rule 6 of the Draft DPDP Rules further clarifies the requirement for reasonable security measures and lays down certain key security safeguard requirements that must be fulfilled by any Data Fiduciary including:

• Data Security Measures: Data fiduciaries must implement or adopt appropriate security measures like:
  • Encryption:  A method that converts data into an unreadable form to prevent unauthorised access.
  • Obfuscation or Masking: Certain elements of the data are hidden for added security.
  • Virtual tokens: Using virtual tokens that are mapped to the relevant personal data.
• Access Control: Strict measures must be implemented to ensure that access to computer resources used by the data fiduciary or processor is controlled or limited as required.

• Monitoring for Data Access Visibility: The Data Fiduciary is also required to continuously monitor, review and maintain logs of access to data. This allows the data fiduciary to detect unauthorised access, investigate it and remedy it.

• Measures for Continuity of Processing: In case personal data is breached or compromised, it is necessary for the Data Fiduciary to have measures in place to counter the effects of the breach and ensure the continuity processing of the data to prevent further loss. One such method is by maintaining secure data backups.

• Logging: The Draft DPDP Rules mandate the maintaining and retaining of logs and personal data for a period of one year to facilitate detection, investigation, remediation and further prevention of data breaches or unauthorised access.

• Contract with Data Processors: Under the DPDP framework, obligations and duties are imposed directly on data fiduciaries. Therefore, the Draft DPDP Rules require the Data Fiduciary to have a clear contract with data processors containing contractual provisions related to taking reasonable security safeguards.

The failure on the part of the data fiduciary to take reasonable security measures as mandated under Section 8(5) may lead to a fine that extends up to Rs. 250 Crores.

Practical Implications

Complying with the data security requirements under the DPDP Framework is not an option, it is mandatory. However, it is not just a legal requirement but also the core of responsible data handling.The practical benefits of complying with the security requirements include:

• Protection of sensitive information and ensuring that confidentiality and integrity of data are maintained.
• Minimises the risk of monetary penalties, legal costs, liabilities and costs associated with handling a data breach.
• Ensures regulatory compliance and reduces the likelihood of penalties and liabilities.
• By showcasing the business’s commitment to protecting data, customer trust can be strengthened.
• Minimises operational disruptions and ensures that services are continued smoothly, and downtime is mitigated.

Best practices

To comply with the data security requirements outlined above, it is essential for businesses to adopt a proactive approach, integrating technical measures, organisational policies and leveraging technology. Some practices that can fortify your data security strategy include:

• Technical Safeguards:

• Encryption Algorithms: Data that is stored or transmitted can be protected through encryption, i.e., converting readable data into unreadable formats. The use of advanced encryption tools or methods like encryption are highly beneficial for ensuring that data is protected.

• Data masking Tools: Sensitive parts of data can be effectively hidden using data masking tools and practices such as Anonymization in a manner that maintains security while ensuring that the data is still usable for carrying out processes.

• Tokenization: The use of tokenization to completely replace sensitive data like credit card numbers with non-sensitive substitutes or tokens that are generally random elements with no actual value is beneficial in protecting the confidentiality of data.

• SEIM Tools: Security Information and Event Management tools can be used for real-time monitoring to detect, respond and manage threats immediately.

• Log management tools: Tamper-proof systems and log management tools can be used to maintain logs and log retention in line with the Draft DPDP Rules. This also includes the need to implement mechanisms for regular testing of the security, accessibility and integrity of stored or retained logs to ensure compliance and audit readiness.

Access Control and Authentication

• Role-based access control: RBAC assigns tools/application/documentation access on the basis of the person’s roles and responsibilities in the organisation. This ensures that each person only has access to information or data that is required for fulfilling their role.

• Zero trust policy: Zero trust policy is based on the assumption that no person should be trusted by default. This system verifies each access request (even privileged users) and only allows access to the resources that are necessary for fulfilling duties. This practice mandates checkpoints on each access points, ports as well as on every step of the infrastructure to ensure proper audit trails throughout the environment.

• Multi-factor authentication: Multi-factor authentication adds an extra layer of security or protection by requiring multiple verification methods for access such as separate codes, OTPs, Authenticator applications.

• Review and update of access:  While putting access control measures in place, it is also necessary to regularly review and audit the accesses to ensure that there is no unauthorised or unrequired access (e.g.: access by an ex-employee)

Assessments, standards and due diligence

• Data protection clauses in data processing agreements: As already established in the Draft DPDP Rules, it is important for businesses to proactively include comprehensive data protection and security clauses in any agreement that is drawn up with data processors or third parties for processing data.

• Due diligence: It is essential for data fiduciaries to conduct sufficient due diligence and ensure that third-party vendors and processors follow security standards and also to identify potential risks. Vendor risk management tools can be used for this purpose.

• Mandate adherence to standards: Data Fiduciaries can take steps to mandate or ensure that processors or vendors follow global security standards (e.g. ISO 27001 for Information Security Management Systems), regulatory requirements and best practices.

• Risk assessment and mitigation measures: Regular risk and vulnerability assessments must be conducted to identify vulnerabilities and develop strategies to mitigate cybersecurity risks.
• Business Continuity

• Robust data backup strategies: Implement robust and reliable redundant systems to ensure data availability in case of any incident. It is recommended to store these redundancies in geographically dispersed locations to mitigate the effect of any incident that takes place in one location.

• Disaster recovery and business continuity plan: It is essential for businesses to prepare disaster recovery plans and business continuity plans to ensure that operations of the business continue smoothly even after a breach. It is important to implement strategies to mitigate the effects of a data breach and maintain business operations.

Conclusion

In an era where data is central to decision-making and innovation, it is crucial to secure personal data. Compliance with the prescribed security standards and practices provided by the DPDPA and Draft DPDP Rules enhances data protection, strengthens trust and ensures smooth operations.

By implementing robust technical measures such as encryption, data masking, and SIEM tools, coupled with stringent access control mechanisms and continuous risk assessments, organizations can establish a comprehensive framework for data security. Additionally, embedding data protection clauses in contracts and adhering to global standards are critical. 

Ultimately, it is important to note that implementing strong security safeguards is not just a legal requirement but also an ethical responsibility on businesses to uphold the highest standards of confidentiality, integrity and trust.

Learn more about the DPDP Act, 2023 and the Draft DPDP Rules, 2025 by clicking on the links below- 

• Consent Notice
• Consent Manager
• Processing of Children’s Data
• Data Retention
• Data Principal Rights