Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Technical & Organizational Requirements

  • All Blogs
  • Digital Personal Data Act, 2023
  • Technical & Organizational Requirements
  • 17 July 2026 by
    Technical & Organizational Requirements
    CKonnect

    A. Security Safeguards (Rule 6)

    Legal framework- DPDP Act Section 8(5) and DPDP Rules, Rule 6

    Every Data Fiduciary must use "reasonable security safeguards

    Technical Requirement

    Practical Controls (What to do)

    Remark

    Data Security Measures

    Encryption: Scramble data at rest and in transit.

    Masking/Obfuscation: Hide parts of the data (like showing only the last 4 digits of a card number).

    Must hide the data so unauthorized people cannot read it.

    Access Control

    Use strong passwords and Multi-Factor Authentication (MFA).

    Grant access only to employees who need it for their job.

    Only the right people should be able to touch the computer systems.

    Visibility & Logs

    Turn on system logs.

    Review these logs regularly to see if anyone is accessing data they shouldn't.

    Must keep a record of who looked at the data to spot hackers.

    Business Continuity

    Backups: Keep copies of data in a safe, separate location.

    Test your backups to make sure they work.

    If data is lost or destroyed, you must be able to get it back.

    Log Retention

    Store access logs and security logs for at least one year.

    Must keep security logs for a specific time.

     

    B. Breach notification requirements (structure, timelines)

    Legal Framework- DPDP Act Section 8(6) and DPDP Rules Rule 7

    If a "personal data breach" happens such as hack or accidental leak, you must follow this strict workflow.

    A. Notification Workflow

    Step 1: Intimate To Data Principal (The User)

    • Time limit: "Without delay".
    • Method: Email, in-app notification, or any other registered communication mode.
    • What to tell them:

      • What happened (nature and timing).
      • How it affects them (consequences).
      • What you are doing to fix it.
      • What they can do to stay safe.
      • Contact details of a person they can talk to.

    Step 2: Intimate to the Data Protection Board of India.

    • Initial Report: Send a description "without delay".
    • Detailed Report: Send full details within 72 hours of knowing about the breach.

      • Content: Facts, causes, remedial measures, and proof that you told the users

    C. Data retention rules, including deletion after inactivity.

    Legal Framework- DPDP Act Section 8(7); DPDP Rules, Rule 8; Third Schedule

    The organisation cannot keep data forever. You must delete it when it is no longer needed.

    General Rule

    You must erase personal data when:

    1. The user withdraws consent.
    2. The purpose for collecting it is finished.

    The "Inactivity" Rule (Automatic Deletion)

    For specific types of companies (E-commerce, Online Gaming, Social Media), if a user does not use their account for a certain time, you must treat the purpose as "finished" and delete the data.

    • Time Limit: 3 Years of inactivity.
    • Exceptions: Do not delete if the law requires you to keep it (like banking logs).

    Deletion Workflow

    1. Warning: 48 hours before deleting the data, send a message to the user saying, "We are about to delete your data unless you log in".
    2. Log Retention: Even after deleting the user's personal data, you must keep the logs of the deletion process for one year.

    D. DPIA requirement and Audit requirements

    Legal Framework- DPDP Act Section 10; DPDP Rules, 2025, Rule 13

    Significant Data Fiduciary- big and data involvement have extra technical duties.

    Requirement

    Timeline

    Description

    Data Protection Impact Assessment (DPIA)

    Once every 12 months.

    A check to see if your software or processing risks the rights of users. Organization must report findings to the Board

    Audit requirements

    Once every 12 months.

    An outside auditor checks if you are following the law

    Algorithmic Verification

    Ongoing

    You must verify that your software algorithms do not harm user rights

     

    F. Vendor and processor obligations

    Legal Framework – DPDP Act Section 8; DPDP Rules Rule 6(1)(f)

    If organisation hire another company (a Data Processor) to handle data for you (like a cloud provider or payroll company):

    1. Contract: You must have a valid contract with them.
    2. Security Flow-down: Your contract must force them to use the same security safeguards (encryption, access control) that you use.
    3. Deletion: If you must delete data, you must make sure your processor deletes it too.
    4. Responsibility: If the processor messes up, the Data Fiduciary are responsible.

     

    G. Standards for government processing 

    Legal Framework- DPDP Rules Rule 5; Second Schedule

    When the government processes data for benefits, licenses, or certificates, they must follow strict standards:

    • Limitation: Only process data that is strictly necessary.
    • Accuracy: Make reasonable efforts to ensure data is complete and consistent.
    • Security: Must use the same security safeguards (Rule 6) as private companies.
    • Central Policy: Must follow any policy issued by the Central Government regarding data governance.

    By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Master Report
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies