The Architecture of Security.

Q: What are reasonable security safeguards under DPDPA?

Rule 6 requires data fiduciaries to implement reasonable security safeguards including encryption, access controls, regular audits, employee training, and incident response capabilities. The measures must be proportionate to the data sensitivity and processing risks.

Q: What is the CERT-In reporting requirement?

Under CERT-In directives (April 2022), organizations must report cybersecurity incidents within 6 hours to CERT-In. DPDPA adds a separate 72-hour notification requirement under Rule 7 for personal data breaches to the Data Protection Board.

Q: Is encryption mandatory under DPDPA?

While DPDPA doesn't mandate specific encryption standards, Rule 6 requires "reasonable security safeguards." Encryption is considered a baseline security measure for protecting personal data, especially during transfer and storage.

Reasonable Security Safeguards under Rule 6 is a technical specification involving Encryption, Access Controls, and Zero Trust Architecture.

1. Reasonable Security Defined

Under Section 8(5) of the DPDPA, every Data Fiduciary must implement safeguards to prevent breach. The Data Protection Board of India (DPBI) aligns reasonableness with ISO/IEC 27001:2022 and IS 17428.

Encryption at Rest (AES-256 or higher)
Encryption in Transit (TLS 1.3)
Role-Based Access Control (RBAC) with MFA

2. Anonymization

If data is Anonymized such that identification is irreversibly prevented, it falls outside the scope of the Act.

The Standard

Irreversibility - inability to re-identify even with external datasets.

The Technique

Differential Privacy and K-Anonymity are preferred mathematical proofs.

3. Breach Response Protocol

Detection (T-0)

SOC alerts on anomaly. Incident designated as Potential Breach.

Intimation (T+6 Hours)

Mandatory reporting to CERT-In for cyber incidents.

Notification (Without Undue Delay)

Mandatory reporting to DPBI and Data Principals under DPDPA Rule 7.

CISO Action Plan

Data Discovery AuditMap all shadow data assets.
Access ReviewImplement Least Privilege architecture.
Vendor AuditEnsure all Data Processors meet security baseline.

Request Assessment