Reasonable technical and organisational measures to protect personal data from unauthorised access and breaches.
Under DPDPA Section 8(4), every Data Fiduciary must implement "reasonable security safeguards" to prevent personal data breaches. Rule 6 of the Rules, 2025 elaborates these to include: encryption, access controls, data anonymisation techniques, regular security testing, incident response capabilities, employee training, and privacy impact assessments. The standard is "reasonable", that is, proportionate to the volume and sensitivity of the data processed, the state of technology, and the cost of implementation.
Inadequate security safeguards carry the highest DPDPA penalty, up to Rs 250 crore. The Board evaluates whether your safeguards were "reasonable" at the time of the breach. Documenting your security measures provides evidence of good-faith compliance.
A Bengaluru startup implements a security safeguards framework: WAF plus DDoS protection, AES-256 encryption at rest, TLS 1.3 in transit, RBAC with quarterly access reviews, encrypted daily backups, annual penetration testing, and monthly vulnerability scans. All of it is documented in their compliance dashboard.
The "reasonable" standard does not mean you must implement every possible security measure. It means implementing safeguards proportionate to your risk profile. A 10-person startup is not expected to have a SOC but is expected to have encryption and access controls.
DPDPA Shield automates the compliance dashboard.