DPDP Security Safeguards (Rule 6)

The technical controls every Indian business must implement, backed by the highest penalty in the Act: ₹250 Crore
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

What Are Reasonable Security Safeguards Under DPDP?

Of every obligation in the DPDP Act, 2023, this one carries the biggest number: failing to maintain reasonable security safeguards can cost up to ₹250 crore per violation, the highest penalty tier in the entire Act.

The good news is that the law does not leave "reasonable" to guesswork. Rule 6 of the DPDP Rules 2025 lists the DPDP security safeguards in concrete terms: encryption of personal data at rest and in transit, data masking, role-based access control with least privilege, multi-factor authentication, tamper-resistant logging kept for at least 1 year, backups, a breach response playbook, and written contracts with your data-processing vendors.

In other words, this is the part of DPDP compliance that lives in your servers, cloud accounts, and codebase, not in a policy document. This page breaks down each safeguard and how to implement it.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

The Rule 6 Safeguards, One by One

Each of these is a technical control your systems must actually enforce, every day, across every place personal data lives.

Encryption & Masking

Encrypt personal data at rest and in transit, so a stolen disk or intercepted connection yields nothing readable. Mask data wherever full values aren't needed, like showing only the last digits of a phone number.

RBAC + Least Privilege

Role-based access control means each employee sees only the data their job requires, nothing more. Least privilege keeps admin rights rare, reviewed, and revoked when people change roles or leave.

Multi-Factor Authentication

Passwords alone are not a safeguard anymore. MFA on every system that touches personal data blocks the most common attack: a stolen or guessed credential.

Logging: 1 Year, Tamper-Resistant

Keep security and processing logs for a minimum of 1 year, in tamper-resistant form. Logs are how you detect a breach, and how you prove what happened when the Board asks.

Backups

Maintain backups so personal data survives ransomware, hardware failure, or human error. Remember: a loss of data counts as a breach too, not just a leak.

Breach Playbook & Vendor DPAs

Have a written breach response playbook ready, DPDP requires notifying users and reporting to the Board within 72 hours. And sign data processing agreements with every vendor, because you stay legally responsible for them.

Why This Is the ₹250 Crore Obligation

ViolationMaximum Penalty
No reasonable security safeguards₹250 Crore
Failure to report a data breach₹200 Crore
Misusing children's data₹200 Crore
Significant Data Fiduciary duty failures₹150 Crore
Other violations₹50 Crore

Penalties apply per violation with no size discount, and a single breach can stack safeguard failures with breach-reporting failures in the same case. The Board weighs gravity, duration, data type, repetition, and mitigation, so provable safeguards are also your best defence if something still goes wrong.

This Is IT Work, and That Is What We Do

Most of the DPDP Act is policy and process. Rule 6 is different: it is engineering. Somebody has to actually turn on encryption, design the access-control roles, roll out MFA, configure tamper-resistant log storage, and test that backups restore.

As an IT company, this is exactly where Adri IT Software Solutions Pvt Ltd works every day. Our Data Security Safeguards service implements encryption, access control, and backups across your systems, and our Breach Response Setup service builds the detection and reporting protocols that go with them. You get safeguards that hold up in an audit, not a checklist that lives in a drawer.

  • Encryption at rest and in transit across databases, storage, and APIs
  • Role-based access control and MFA rollout for your team and tools
  • Centralized, tamper-resistant logging with 1-year retention
  • Backup and restore setup, tested, not assumed
  • Breach detection and a 72-hour response runbook

Security Safeguards Take the Longest to Build

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and technical safeguards are usually the slowest piece.

Check My Safeguards Free

Want the Complete DPDP Picture?

Security safeguards are one pillar of compliance. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.

Learn Everything About DPDP Compliance

DPDP Security Safeguards: Frequently Asked Questions

What are reasonable security safeguards under the DPDP Act?

Rule 6 of the DPDP Rules 2025 lists them: encryption at rest and in transit, data masking, role-based access control with least privilege, multi-factor authentication, tamper-resistant logs kept at least 1 year, backups, a breach response playbook, and vendor data processing agreements.

Would Your Systems Pass a Rule 6 Check Today?

Our free audit reviews your encryption, access control, MFA, logging, and backups against the DPDP requirements, with a risk-scored gap report and fix roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.