DPDP Act Security Safeguards: Technical Measures Required
What technical and organisational security safeguards the DPDP Act 2023 requires under Section 8(5), penalty exposure for breaches, and a practical implementation checklist.
- Section 8(5) requires Data Fiduciaries to implement "reasonable security safeguards" to prevent personal data breaches.
- A breach caused by failure to implement reasonable safeguards can attract a penalty of up to ₹250 crore under Schedule 1.
- The Act does not prescribe specific technical standards but references "reasonable" safeguards — SOC 2 and ISO 27001 controls provide a defensible baseline.
- Breach notification to the Data Protection Board and to each affected Data Principal is required in the form and manner prescribed by the Rules. The draft DPDP Rules (January 2025) require intimation "without delay", with detailed information to the Board within 72 hours of becoming aware of the breach.
- Significant Data Fiduciaries must additionally appoint a Data Protection Officer and conduct periodic Data Protection Impact Assessments.
In this guide
- Security Safeguards Under the DPDP Act
- Section 8(5): The Reasonable Safeguards Standard
- Penalty Exposure for Security Failures
- Technical Controls That Satisfy Reasonable Safeguards
- Organisational and Process Controls
- Breach Detection and Response Obligations
- Significant Data Fiduciary Security Requirements
- Aligning with SOC 2 to Meet DPDP Security Obligations
Security Safeguards Under the DPDP Act
The security safeguard obligation is one of the most consequential requirements in the DPDP Act 2023. It imposes a legal duty on every Data Fiduciary to protect personal data against unauthorised access, use, disclosure, alteration, or destruction. Unlike some obligations in the Act that are more procedural (privacy notices, consent records), security safeguards require substantive technical and organisational investment.
The obligation is not new in spirit — the IT Act 2000 and the SPDI Rules 2011 imposed similar requirements for sensitive personal data. But the DPDP Act significantly raises the stakes: the penalty for a data breach caused by inadequate safeguards is up to ₹250 crore, compared with the more limited civil liability under the IT Act. This creates a material financial risk that boards and senior leadership need to take seriously.
Importantly, the security obligation is not just about preventing breaches — it is about implementing a systematic security programme. The Data Protection Board will assess, in the event of a breach, whether the Fiduciary had implemented reasonable safeguards before the breach occurred. A company with no formal security programme that suffers a breach faces a very different enforcement outcome than a company with documented controls that suffered a sophisticated targeted attack.
Section 8(5): The Reasonable Safeguards Standard
Section 8(5) requires a Data Fiduciary to protect personal data in its possession or under its control by taking reasonable security safeguards to prevent a personal data breach. The Act does not define "reasonable security safeguards" — this standard will be developed through the Rules and through Board precedent over time.
The "reasonableness" standard is contextual. What is reasonable for a small startup processing minimal user contact data is different from what is reasonable for a large fintech handling payment and identity data for millions of users. Factors that influence reasonableness include: the sensitivity of the data processed (financial, health, children's data require stricter controls), the volume of Data Principals affected by any potential breach, the technical sophistication of likely threat actors, and the resources available to the Fiduciary.
In the absence of DPDP-specific technical standards, internationally recognised security frameworks provide the clearest guidance on what constitutes reasonable safeguards. ISO 27001:2022 and SOC 2 (particularly the Security trust service criteria) are both well-understood by Indian enterprises and provide comprehensive control catalogues. Alignment with either framework provides a strong basis for demonstrating reasonable safeguards to the Board.
Penalty Exposure for Security Failures
Schedule 1 of the DPDP Act specifies a penalty of up to ₹250 crore for failure to take reasonable security safeguards under Section 8(5) that results in a personal data breach. This is the highest penalty tier in the Act; the next tier, ₹200 crore, applies to breach notification failures and to children's data violations under Section 9. The breadth of "personal data breach" in the Act (any unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data) means this penalty tier is relevant to a wide range of security incidents, including ransomware and availability incidents, not only data theft.
Critically, the penalty is for failure to implement safeguards, not merely for suffering a breach. A company that had robust, documented, regularly tested security controls but was victimised by a sophisticated nation-state attack faces a different enforcement position than a company with no security programme that suffered a basic SQL injection attack. The Board's assessment of "reasonable" safeguards will look at what was in place before the breach.
Breach notification failures attract a separate penalty of up to ₹200 crore under Schedule 1. A single incident that involves both inadequate safeguards and late notification could therefore attract aggregate penalties of up to ₹450 crore, a potentially company-ending exposure for a mid-sized Indian SaaS company. This financial reality should drive security investment at board level.
Technical Controls That Satisfy Reasonable Safeguards
Based on the SOC 2 Security criteria and ISO 27001 control catalogue, the following technical controls form a baseline of reasonable safeguards for Indian SaaS companies: encryption of personal data at rest using AES-256 or equivalent; encryption of personal data in transit using TLS 1.2 or higher; multi-factor authentication for all administrative access to systems containing personal data; access controls implementing the principle of least privilege; comprehensive logging of access to personal data systems with tamper-evident audit trails; and vulnerability management including regular patching and penetration testing.
For cloud-hosted applications (AWS, Azure, GCP, which covers the majority of Indian SaaS companies), reasonable safeguards also include: network isolation of data-bearing systems using VPCs, security groups and NACLs; account-wide audit logging (CloudTrail on AWS, Activity Log on Azure, Cloud Audit Logs on GCP) shipped to a location the workload accounts cannot alter; secrets management using a dedicated secrets manager rather than credentials hardcoded in source or configuration; WAF deployment for internet-facing applications; and DDoS protection for high-availability services.
Application-level security controls are equally important: parameterised queries to prevent SQL injection; CSRF and XSS protections; secure session management with appropriate idle and absolute timeout policies; and security-focused code review practices. Basic application security failures of this kind remain a common root cause of breaches, and they are exactly what a security-aware code review process is designed to catch.
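To make the first of those controls concrete, here is an added example (not code from the original page) of the same lookup written two ways against an in-memory SQLite database with constructed sample rows. The vulnerable version interpolates the caller's input into the statement; the safe version binds it as a parameter, so the same injection payload returns nothing. Table and column names are assumptions for the illustration.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable: attacker-controlled input becomes part of the SQL text."""
    query = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised: the driver binds the value separately from the statement,
    so the input can only ever be compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = seed_db()
    payload = "' OR '1'='1"  # classic tautology; the closing quote is supplied by the query
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row leaks
    print("safe:      ", find_user_safe(conn, payload))        # no row has that literal email
```

The same principle applies to any ORM or query builder: if a raw-SQL escape hatch accepts formatted strings, it is the vulnerable function above with a different name, and a code-review rule banning string formatting in query construction is cheap to enforce.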
Organisational and Process Controls
Technical controls alone are insufficient — the Board will look at whether the Fiduciary has organisational controls in place as well. Key organisational controls include: a documented information security policy, a security awareness training programme for all staff, a vendor security assessment process, an incident response plan, and periodic security risk assessments.
Access management processes are both technical and organisational. Implement formal access provisioning and deprovisioning procedures: new employees receive access based on role-appropriate templates, access is reviewed at least quarterly, and access is revoked within 24 hours of employment termination. Failed access review processes are a common finding in audits and a common vector for insider threats.
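The 24-hour revocation and quarterly review targets above are only credible if something checks them continuously. As an added example (not from the original page or from any product it mentions), the following Python reconciles a constructed HRIS export against a constructed identity-provider export and reports three findings: accounts still enabled more than 24 hours after the employee's termination, enabled accounts with no matching HR record (orphaned or service accounts that need an owner), and accounts whose last documented access review is older than 90 days. The record layouts and thresholds are assumptions; real exports from Okta or an HRIS would be mapped into this shape first.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample exports. In practice these come from the HRIS and IdP APIs.
HR_RECORDS = [
    {"email": "alice@example.com", "status": "active", "terminated_at": None},
    {"email": "bob@example.com", "status": "terminated", "terminated_at": "2024-06-01T09:00:00Z"},
    {"email": "carol@example.com", "status": "terminated", "terminated_at": "2024-06-03T08:00:00Z"},
]
IDP_ACCOUNTS = [
    {"email": "alice@example.com", "enabled": True, "last_access_review": "2024-02-15T00:00:00Z"},
    {"email": "bob@example.com", "enabled": True, "last_access_review": "2024-05-20T00:00:00Z"},
    {"email": "carol@example.com", "enabled": True, "last_access_review": "2024-05-20T00:00:00Z"},
    {"email": "svc-backup@example.com", "enabled": True, "last_access_review": None},
]
NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def overdue_deprovisioning(hr, idp, now, grace=timedelta(hours=24)) -> list:
    """Enabled IdP accounts whose owner was terminated more than `grace` ago."""
    terminated = {
        r["email"]: _parse(r["terminated_at"])
        for r in hr
        if r["status"] == "terminated" and r["terminated_at"]
    }
    return sorted(
        a["email"]
        for a in idp
        if a["enabled"]
        and a["email"] in terminated
        and now - terminated[a["email"]] > grace
    )


def orphaned_accounts(hr, idp) -> list:
    """Enabled IdP accounts with no HR record at all (service accounts, leftovers)."""
    known = {r["email"] for r in hr}
    return sorted(a["email"] for a in idp if a["enabled"] and a["email"] not in known)


def overdue_access_reviews(idp, now, max_age=timedelta(days=90)) -> list:
    """Enabled accounts never reviewed, or last reviewed more than `max_age` ago."""
    return sorted(
        a["email"]
        for a in idp
        if a["enabled"]
        and (a["last_access_review"] is None or now - _parse(a["last_access_review"]) > max_age)
    )


if __name__ == "__main__":
    print("revoke now:      ", overdue_deprovisioning(HR_RECORDS, IDP_ACCOUNTS, NOW))
    print("needs an owner:  ", orphaned_accounts(HR_RECORDS, IDP_ACCOUNTS))
    print("review overdue:  ", overdue_access_reviews(IDP_ACCOUNTS, NOW))
```

Run on a schedule, each non-empty list is a ticket with a deadline, and the empty-list runs are themselves evidence for an auditor that the control operated over the period.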
Vendor security assessments matter under the DPDP Act because Section 8(5) covers personal data in your possession or under your control, including processing carried out on your behalf by a Data Processor, and Section 8(1) makes the Fiduciary responsible for compliance irrespective of any agreement to the contrary or any failure by the processor. Your vendor due diligence process should therefore include a security questionnaire for every vendor that processes personal data, a review of the vendor's SOC 2 report or ISO 27001 certificate, and contractual provisions requiring the vendor to maintain adequate security controls and to notify you of any security incident involving your data quickly enough for you to meet your own notification obligations.
Breach Detection and Response Obligations
Section 8(6) requires a Data Fiduciary to notify the Data Protection Board and each affected Data Principal of a personal data breach in the form and manner prescribed by the Rules. The draft Rules (January 2025) require intimation to affected Data Principals and to the Board without delay on becoming aware of the breach, followed by detailed information to the Board within 72 hours (or a longer period the Board allows on written request). This is comparable to GDPR's 72-hour window for notifying the supervisory authority, so companies should prepare for a short notification window.
Effective breach response requires advance preparation. Your incident response plan should cover: detection (SIEM alerting, anomaly detection), containment (isolating affected systems), investigation (forensic analysis to determine scope and affected Data Principals), notification preparation (drafting Board notification and user communications), and post-incident review. Practice the plan through tabletop exercises at least annually.
The Board notification must include specific information about the breach. Draft a notification template in advance that can be populated quickly during an incident: the nature of the breach, the categories and approximate number of Data Principals affected, the data categories affected, likely consequences, and measures taken. Having a pre-approved template reduces the time to notify when every hour counts.
Significant Data Fiduciary Security Requirements
Section 10 of the DPDP Act allows the Central Government to notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on factors including the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order. SDFs face additional obligations beyond those applicable to all Data Fiduciaries: a Data Protection Officer, an independent data auditor, and periodic Data Protection Impact Assessments and audits.
SDFs must appoint a Data Protection Officer (DPO) based in India, who represents the SDF, is responsible to the Board of Directors or equivalent governing body, and is the point of contact for grievance redressal. In practice the DPO advises on DPDP compliance, monitors the security programme, and liaises with the Data Protection Board. The role needs genuine independence and sufficient seniority to be effective.
SDFs must also conduct periodic Data Protection Impact Assessments (DPIAs), which include security risk analysis for high-risk processing activities. DPIAs assess: the nature of the data processed, the purposes and necessity of the processing, the security controls in place, the residual risks after controls, and planned mitigations. DPIAs should be conducted before launching new high-risk processing activities and at least annually for ongoing high-risk activities.
Aligning with SOC 2 to Meet DPDP Security Obligations
For Indian SaaS companies serving enterprise clients (particularly those with US operations or US-based investors), a SOC 2 Type II report (an auditor's attestation, often loosely called "certification") is increasingly required by customers. The good news is that the SOC 2 Security trust service criteria provide comprehensive coverage of the technical and organisational controls that satisfy the DPDP Act's reasonable safeguards requirement.
SOC 2's CC6 (Logical and Physical Access Controls), CC7 (System Operations — including monitoring and incident response), and CC8 (Change Management) criteria map closely to the security safeguards the DPDP Act requires. A company that has implemented SOC 2 controls and can produce a clean Type II report has strong evidence of reasonable safeguards. AuditPath supports simultaneous SOC 2 and DPDP compliance tracking, so controls can be mapped to both frameworks and evidence collected once.
If you do not yet have a SOC 2 report, treating DPDP security safeguard compliance as the driver for a SOC 2 programme is an efficient approach: you address both the Indian regulatory requirement and the enterprise sales requirement through a single security investment programme. The audit evidence and control documentation you build for DPDP will directly support your SOC 2 audit.
Frequently Asked Questions
Does the DPDP Act specify encryption standards that must be used?
Are we liable for a breach caused by a vendor or subprocessor?
What is the notification timeline for a personal data breach?
Does a breach of a subprocessor (e.g., a cloud hosting provider) require us to notify the Board?
How does the DPDP security obligation relate to existing RBI and SEBI cybersecurity requirements?