A. Security Safeguards (Rule 6)
Legal framework- DPDP Act Section 8(5) and DPDP Rules, Rule 6
Every Data Fiduciary must use "reasonable security safeguards
|
Technical Requirement |
Practical Controls (What to do) |
Remark |
|
Data Security Measures |
Encryption: Scramble data at rest and in transit. Masking/Obfuscation: Hide parts of the data (like showing only the last 4 digits of a card number). |
Must hide the data so unauthorized people cannot read it. |
|
Access Control |
Use strong passwords and Multi-Factor Authentication (MFA). Grant access only to employees who need it for their job. |
Only the right people should be able to touch the computer systems. |
|
Visibility & Logs |
Turn on system logs. Review these logs regularly to see if anyone is accessing data they shouldn't. |
Must keep a record of who looked at the data to spot hackers. |
|
Business Continuity |
Backups: Keep copies of data in a safe, separate location. Test your backups to make sure they work. |
If data is lost or destroyed, you must be able to get it back. |
|
Log Retention |
Store access logs and security logs for at least one year. |
Must keep security logs for a specific time. |
B. Breach notification requirements (structure, timelines)
Legal Framework- DPDP Act Section 8(6) and DPDP Rules Rule 7
If a "personal data breach" happens such as hack or accidental leak, you must follow this strict workflow.
A. Notification Workflow
Step 1: Intimate To Data Principal (The User)
- Time limit: "Without delay".
- Method: Email, in-app notification, or any other registered communication mode.
What to tell them:
- What happened (nature and timing).
- How it affects them (consequences).
- What you are doing to fix it.
- What they can do to stay safe.
- Contact details of a person they can talk to.
Step 2: Intimate to the Data Protection Board of India.
- Initial Report: Send a description "without delay".
Detailed Report: Send full details within 72 hours of knowing about the breach.
- Content: Facts, causes, remedial measures, and proof that you told the users
C. Data retention rules, including deletion after inactivity.
Legal Framework- DPDP Act Section 8(7); DPDP Rules, Rule 8; Third Schedule
The organisation cannot keep data forever. You must delete it when it is no longer needed.
General Rule
You must erase personal data when:
- The user withdraws consent.
- The purpose for collecting it is finished.
The "Inactivity" Rule (Automatic Deletion)
For specific types of companies (E-commerce, Online Gaming, Social Media), if a user does not use their account for a certain time, you must treat the purpose as "finished" and delete the data.
- Time Limit: 3 Years of inactivity.
- Exceptions: Do not delete if the law requires you to keep it (like banking logs).
Deletion Workflow
- Warning: 48 hours before deleting the data, send a message to the user saying, "We are about to delete your data unless you log in".
- Log Retention: Even after deleting the user's personal data, you must keep the logs of the deletion process for one year.
D. DPIA requirement and Audit requirements
Legal Framework- DPDP Act Section 10; DPDP Rules, 2025, Rule 13
Significant Data Fiduciary- big and data involvement have extra technical duties.
|
Requirement |
Timeline |
Description |
|
Data Protection Impact Assessment (DPIA) |
Once every 12 months. |
A check to see if your software or processing risks the rights of users. Organization must report findings to the Board |
|
Audit requirements |
Once every 12 months. |
An outside auditor checks if you are following the law |
|
Algorithmic Verification |
Ongoing |
You must verify that your software algorithms do not harm user rights |
F. Vendor and processor obligations
Legal Framework – DPDP Act Section 8; DPDP Rules Rule 6(1)(f)
If organisation hire another company (a Data Processor) to handle data for you (like a cloud provider or payroll company):
- Contract: You must have a valid contract with them.
- Security Flow-down: Your contract must force them to use the same security safeguards (encryption, access control) that you use.
- Deletion: If you must delete data, you must make sure your processor deletes it too.
- Responsibility: If the processor messes up, the Data Fiduciary are responsible.
G. Standards for government processing
Legal Framework- DPDP Rules Rule 5; Second Schedule
When the government processes data for benefits, licenses, or certificates, they must follow strict standards:
- Limitation: Only process data that is strictly necessary.
- Accuracy: Make reasonable efforts to ensure data is complete and consistent.
- Security: Must use the same security safeguards (Rule 6) as private companies.
- Central Policy: Must follow any policy issued by the Central Government regarding data governance.