Rule 6 of DPDP Rules 2025

Reasonable security safeguards.


(1) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, which shall include, at the minimum,—
(a) appropriate data security measures, including securing of such personal data through its encryption, obfuscation or masking or the use of virtual tokens mapped to that personal data;
(b) appropriate measures to control access to the computer resources used by such Data Fiduciary or such a Data Processor;
(c) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;
(d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, including by way of data-backups;
(e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise;
(f) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor for taking reasonable security safeguards; and
(g) appropriate technical and organisational measures to ensure effective observance of security safeguards.
(2) In this rule, the expression “computer resource” shall have the same meaning as is assigned to it in Information Technology Act, 2000 (21 of 2000).


Legal Interpretation: Reasonable Security Safeguards by Data Fiduciaries

In an era where data is likened to the "new oil," safeguarding personal data has become more than a compliance exercise—it's a fundamental necessity to build trust and mitigate risks. Rule 6 mandates reasonable security safeguards for Data Fiduciaries and their Data Processors, emphasizing accountability and proactive risk management. Let's break down the obligations and their implications.

1. What Are Reasonable Security Safeguards?

At its core, "reasonable security safeguards" refers to a comprehensive framework that protects personal data from breaches and unauthorized access. This responsibility extends beyond the Data Fiduciary to include any Data Processor acting on its behalf. The rule outlines specific measures that set the minimum threshold for data protection practices.

Think of it like fortifying a castle: you wouldn't just build high walls; you'd also deploy guards, install surveillance systems, and have contingency plans for emergencies. Similarly, these safeguards are layered and multifaceted.

2. Key Safeguards Mandated by the Rule

The rule specifies a detailed list of security measures, each targeting a critical aspect of data protection:

  • (a) Encryption and Obfuscation: Personal data must be secured using techniques like encryption, obfuscation, or masking, so that even if unauthorized access occurs, the data remains unreadable without the keys or mapping needed to reverse the protection. Virtual tokens, which replace sensitive values with references that reveal nothing about the underlying data outside the system that maps them back, add an additional layer of security.
  • (b) Access Control: Implementing strict access control measures over computer resources is crucial. This involves restricting access to sensitive systems and data only to authorized personnel.
  • (c) Logs and Monitoring for Unauthorized Access: Visibility into who accesses personal data is essential. Maintaining logs, performing real-time monitoring, and conducting regular reviews enable early detection of breaches.
  • (d) Backup and Recovery Plans: In case of data loss or compromise, the rule emphasizes having a disaster recovery plan, including regular backups. These measures ensure continuity of operations, even in the face of catastrophic events.
  • (e) Retention of Logs for Investigations: To facilitate the investigation and prevention of recurring breaches, logs and data must be retained for at least one year, unless another law in force requires a different period. This aligns with the principle of traceability.
  • (f) Contractual Obligations for Data Processors: The rule stresses that Data Fiduciaries must include explicit provisions in their contracts with Data Processors, mandating compliance with these security measures.
  • (g) Technical and Organizational Measures: Beyond technical safeguards, organizational policies and training programs are vital. Ensuring employees understand the importance of data security is crucial.
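To make clauses (a), (b), (c) and (e) concrete, here is an added example (not part of the Rules, the explanatory note or this site) of how the safeguards fit together in code: a vault that maps personal data to virtual tokens, a masking helper for display, an allow-list that decides who may resolve a token back to the value, an access log written on every operation, and a one-year retention sweep with a review step that surfaces denied resolutions. The in-memory vault, the service names ("signup-service", "billing-service", "analytics-job") and the sample phone number are all constructed stand-ins; a production token store would be encrypted and access-controlled at the storage layer as well.

```python
"""Added illustration of Rule 6(1)(a)-(c) and (e) of the DPDP Rules, 2025.
Toy, in-memory code with constructed data; not from the Rules or the site."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Rule 6(1)(e): logs are retained for one year (unless another law requires otherwise).
RETENTION = timedelta(days=365)


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    actor: str
    action: str
    token: str


def mask(value: str, keep: int = 4) -> str:
    """Rule 6(1)(a) masking: show only the last `keep` characters, e.g. on a
    screen or in a support ticket. One-way, unlike tokenization."""
    if len(value) <= keep:
        return "X" * len(value)
    return "X" * (len(value) - keep) + value[-keep:]


class TokenVault:
    """Rule 6(1)(a) virtual tokens: a random token stands in for the personal
    data value everywhere outside the vault, so systems that only need a stable
    identifier never hold the value itself. Hypothetical in-memory stand-in for
    a real, encrypted token store."""

    def __init__(self, authorised: set[str]):
        self._by_token: dict[str, str] = {}
        self._by_value: dict[str, str] = {}
        self._authorised = authorised        # Rule 6(1)(b): who may resolve tokens
        self.log: list[AccessEvent] = []     # Rule 6(1)(c): every access is recorded

    def tokenize(self, value: str, actor: str, now: datetime) -> str:
        token = self._by_value.get(value)
        if token is None:                    # same value always gets the same token
            token = "tok_" + secrets.token_hex(8)
            self._by_token[token] = value
            self._by_value[value] = token
        self.log.append(AccessEvent(now, actor, "tokenize", token))
        return token

    def detokenize(self, token: str, actor: str, now: datetime) -> str:
        if actor not in self._authorised:
            # Denied attempts are logged too: that is what a later review looks for.
            self.log.append(AccessEvent(now, actor, "detokenize_denied", token))
            raise PermissionError(f"{actor} is not authorised to resolve tokens")
        self.log.append(AccessEvent(now, actor, "detokenize", token))
        return self._by_token[token]

    def prune_log(self, now: datetime) -> int:
        """Drop log entries older than the retention period; return how many remain."""
        cutoff = now - RETENTION
        self.log = [e for e in self.log if e.when >= cutoff]
        return len(self.log)

    def review(self) -> list[AccessEvent]:
        """Rule 6(1)(c) review: surface denied resolutions for investigation."""
        return [e for e in self.log if e.action == "detokenize_denied"]


def demo() -> dict:
    """Constructed walk-through with fixed timestamps so the result is reproducible."""
    t0 = datetime(2025, 1, 15, tzinfo=timezone.utc)
    vault = TokenVault(authorised={"billing-service"})
    phone = "9876543210"                     # constructed sample value, not real data
    token = vault.tokenize(phone, "signup-service", t0)
    same_token = vault.tokenize(phone, "signup-service", t0 + timedelta(days=1))
    resolved = vault.detokenize(token, "billing-service", t0 + timedelta(days=2))
    try:
        vault.detokenize(token, "analytics-job", t0 + timedelta(days=3))
        denied = False
    except PermissionError:
        denied = True
    # Just over a year later: the first two entries age out, the later two stay.
    remaining = vault.prune_log(t0 + timedelta(days=367))
    return {
        "stable_token": token == same_token,
        "token_is_opaque": token.startswith("tok_") and token != phone,
        "masked": mask(phone),
        "resolved": resolved == phone,
        "denied": denied,
        "flagged": len(vault.review()),
        "remaining": remaining,
    }


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the token store and the access log are two separate controls: the vault keeps the value out of every downstream system, while the log, kept for the Rule 6(1)(e) period, is what lets a reviewer see the denied "analytics-job" resolution and investigate it. The pruning step is driven by the retention period constant, so a longer period required by another law is a one-line change.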

3. The Role of "Computer Resources"

The term "computer resource", as defined under the Information Technology Act, 2000, encompasses a wide array of digital infrastructure, including computers, networks, software, and data storage systems. This broad definition ensures that the security safeguards apply comprehensively to all components involved in data processing.

4. Practical Implications for Data Fiduciaries

For Data Fiduciaries, implementing these safeguards is non-negotiable. Non-compliance not only exposes them to legal penalties but also damages their reputation. Here's why these measures are critical:

  • Building Trust: Consumers are more likely to share their data with entities they perceive as secure and responsible.
  • Mitigating Risks: Proactive safeguards reduce the likelihood of breaches, protecting both the organization and the individuals whose data they process.
  • Compliance Assurance: These measures align with global best practices, including those under GDPR, ensuring that Indian Data Fiduciaries can operate internationally.

5. Balancing Security and Usability

While robust security is essential, it’s equally important not to overburden systems or users. The safeguards must be implemented in a way that maintains the usability and efficiency of data processing operations. For instance:

  • Encryption must not slow down critical processes.
  • Access control should be seamless yet secure, employing technologies like biometric authentication.

6. Broader Implications for Privacy and Governance

This rule reinforces the principle that privacy is a shared responsibility. Data Fiduciaries and Data Processors must work together to create an ecosystem where personal data is treated with the same care as a prized asset. By mandating these safeguards, the rule establishes:

  • Accountability: Data Fiduciaries cannot pass the buck to their Data Processors; they must ensure compliance across the board.
  • Preparedness: With proactive measures in place, organizations are better equipped to handle breaches and minimize damage.

Conclusion

Rule 6 lays down a robust framework for safeguarding personal data, combining technical measures, contractual obligations, and organizational policies. By mandating encryption, access controls, monitoring, and disaster recovery plans, the rule emphasizes a multi-layered approach to security. For Data Fiduciaries, compliance is not just about avoiding penalties—it’s about building trust, enhancing resilience, and demonstrating their commitment to privacy in a data-driven world. These safeguards aren’t just boxes to check; they’re the foundation of responsible data stewardship in the digital age.

© 2024 Advocate (Dr.) Prashant Mali

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest