
Security of personal data is one of the most critical obligations under the Digital Personal Data Protection (DPDP) Act, 2023. Rule 6 of the DPDP Rules establishes a robust baseline for “reasonable security safeguards” that every Data Fiduciary must implement to ensure the confidentiality, integrity, and availability of personal data. These safeguards apply not only to the Data Fiduciary but also extend to all Data Processors acting on its behalf.
This rule forms the operational backbone of India’s data protection framework, ensuring that organisations adopt strong, proactive, and auditable security measures to prevent personal data breaches and minimise harm to Data Principals.
Rule 6 requires Data Fiduciaries to protect all personal data in their possession or under their control, whether processed internally or by a Data Processor. This imposes a non-delegable responsibility: even when a third-party processor is engaged, the Data Fiduciary remains accountable for ensuring compliance with security safeguards.
The overarching objective is to prevent personal data breaches, unauthorised access, accidental loss, destruction, or misuse of personal information.
To fulfil their legal duty, Data Fiduciaries must implement the following minimum safeguards:
A. Encryption, Obfuscation, Masking, and Tokenisation
The rule mandates the use of modern data security techniques such as:
These measures ensure that even if data is intercepted or accessed improperly, it remains unreadable and unusable without decryption keys.
B. Access Control Mechanisms
The Data Fiduciary must restrict access to personal data through:
These controls prevent unauthorised employees, systems, or third parties from accessing personal data.
C. Logging, Monitoring, and Review
Visibility into data access is mandatory. Organisations must maintain:
These mechanisms enable early detection of unauthorised access and support forensic investigation and remediation.
Rule 3 emphasises that Data Principals must have simple, consistent, and easily accessible mechanisms to:
The ease of withdrawing consent must be comparable to the ease with which consent was initially given. This prevents the creation of friction or obstacles that discourage users from withdrawing consent.
To facilitate these rights, the Notice must provide:
This ensures that the Data Principal does not have to search for contact information or navigate complex processes.
Accidents, cyberattacks, system failures, or disasters can compromise the availability or integrity of personal data. Rule 6 requires Data Fiduciaries to implement business continuity and disaster recovery capabilities, including:
Such measures ensure that personal data can be restored and processing can continue even if data is damaged, lost, or corrupted.
To enable comprehensive investigation and remediation of security incidents, the rule mandates:
This retention period is crucial for audits, breach notification processes, forensic analysis, and regulatory inquiries.
A key obligation under Rule 6 is embedding security expectations into contracts with Data Processors. Every Data Fiduciary must ensure that its Data Processor contracts include:
This ensures that security obligations are enforceable across the entire data processing chain.
Beyond technical controls, Data Fiduciaries must deploy strong organisational measures, including:
These measures ensure that security is embedded into organisational culture and operations, not limited to IT controls alone.
Implementing Rule 6 safeguards is not merely a statutory duty but a strategic requirement. Organisations that fail to implement these safeguards risk:
Adopting a proactive, well-documented security posture aligns organisations with global best practices such as ISO 27001, NIST CSF, and SOC 2.
Conclusion
Rule 6 of the DPDP Rules places a high bar for security readiness and operational resilience. By mandating encryption, access controls, monitoring, continuity measures, and enforceable processor contracts, the rule ensures a strong security infrastructure across the data lifecycle. These safeguards are integral to preventing breaches, ensuring accountability, and strengthening the trust of Data Principals in India’s digital ecosystem.
Disclaimer: The information contained in this Article is intended solely for the personal, non-commercial use of the user, who accepts full responsibility for its use. The information in the article is general in nature and should not be considered to be legal, tax, accounting, consulting or any other professional advice. We make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, reliability or completeness of any information on our page/article.