

Of every obligation in the DPDP Act, 2023, this one carries the biggest number: failing to maintain reasonable security safeguards can cost up to ₹250 crore per violation, the highest penalty tier in the entire Act.
The good news is that the law does not leave "reasonable" to guesswork. Rule 6 of the DPDP Rules 2025 lists the DPDP security safeguards in concrete terms: encryption of personal data at rest and in transit, data masking, role-based access control with least privilege, multi-factor authentication, tamper-resistant logging kept for at least 1 year, backups, a breach response playbook, and written contracts with your data-processing vendors.
In other words, this is the part of DPDP compliance that lives in your servers, cloud accounts, and codebase, not in a policy document. This page breaks down each safeguard and how to implement it.
No cost. No obligation. Get your compliance gap report.
Each of these is a technical control your systems must actually enforce, every day, across every place personal data lives.
Encrypt personal data at rest and in transit, so a stolen disk or intercepted connection yields nothing readable. Mask data wherever full values aren't needed, like showing only the last digits of a phone number.
Role-based access control means each employee sees only the data their job requires, nothing more. Least privilege keeps admin rights rare, reviewed, and revoked when people change roles or leave.
Passwords alone are not a safeguard anymore. MFA on every system that touches personal data blocks the most common attack: a stolen or guessed credential.
Keep security and processing logs for a minimum of 1 year, in tamper-resistant form. Logs are how you detect a breach, and how you prove what happened when the Board asks.
Maintain backups so personal data survives ransomware, hardware failure, or human error. Remember: a loss of data counts as a breach too, not just a leak.
Have a written breach response playbook ready, DPDP requires notifying users and reporting to the Board within 72 hours. And sign data processing agreements with every vendor, because you stay legally responsible for them.
| Violation | Maximum Penalty |
|---|---|
| No reasonable security safeguards | ₹250 Crore |
| Failure to report a data breach | ₹200 Crore |
| Misusing children's data | ₹200 Crore |
| Significant Data Fiduciary duty failures | ₹150 Crore |
| Other violations | ₹50 Crore |
Penalties apply per violation with no size discount, and a single breach can stack safeguard failures with breach-reporting failures in the same case. The Board weighs gravity, duration, data type, repetition, and mitigation, so provable safeguards are also your best defence if something still goes wrong.
Most of the DPDP Act is policy and process. Rule 6 is different: it is engineering. Somebody has to actually turn on encryption, design the access-control roles, roll out MFA, configure tamper-resistant log storage, and test that backups restore.
As an IT company, this is exactly where Adri IT Software Solutions Pvt Ltd works every day. Our Data Security Safeguards service implements encryption, access control, and backups across your systems, and our Breach Response Setup service builds the detection and reporting protocols that go with them. You get safeguards that hold up in an audit, not a checklist that lives in a drawer.
Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and technical safeguards are usually the slowest piece.
Check My Safeguards FreeSecurity safeguards are one pillar of compliance. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.
Learn Everything About DPDP ComplianceRule 6 of the DPDP Rules 2025 lists them: encryption at rest and in transit, data masking, role-based access control with least privilege, multi-factor authentication, tamper-resistant logs kept at least 1 year, backups, a breach response playbook, and vendor data processing agreements.
Up to ₹250 crore per violation, the highest tier in the Act. There is no discount for business size, and a single breach incident can stack multiple violations at once.
A minimum of 1 year, in tamper-resistant form. Because logging sits inside Rule 6, missing or editable logs fall under the ₹250 crore penalty tier.
Yes. You must have written data processing agreements with vendors, and you stay legally responsible for the personal data they process on your behalf. A vendor's failure can become your penalty.
Our free audit reviews your encryption, access control, MFA, logging, and backups against the DPDP requirements, with a risk-scored gap report and fix roadmap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.