DPDPA 2023: What Cybersecurity Measures Does India's Data Protection Law Actually Require?

By Soc Team  ·  Published 09 Apr 2026  ·  Updated 10 Apr 2026  ·  Compliance  ·  5 min read

India's Digital Personal Data Protection Act 2023 (DPDPA) is now law, and the DPDP Rules published in 2025 have made the compliance obligations concrete. Every organisation that processes the personal data of individuals in India — which means virtually every enterprise — must implement "reasonable security safeguards" to protect that data. But what does "reasonable" actually mean in practice?

This article cuts through the legal language and tells you exactly what cybersecurity controls you need to implement, what the breach notification timelines are, and how to prove compliance during audits.

Who Is Covered by DPDPA 2023

The DPDPA applies to every "Data Fiduciary" — any entity that determines the purpose and means of processing personal data. This includes:

  • Banks and financial institutions: Processing customer KYC, transaction data, loan applications
  • Insurance companies: Health records, claims data, policyholder information
  • E-commerce platforms: Customer profiles, payment data, purchase history
  • Healthcare providers: Patient records, diagnostic data, insurance information
  • IT/BPO companies: Processing data on behalf of global clients
  • Any enterprise with an HR department: Employee personal data is covered

"Significant Data Fiduciaries" — large enterprises designated by the government based on data volume, sensitivity, and risk — face additional obligations including mandatory Data Protection Impact Assessments and annual audits.

What "Reasonable Security Safeguards" Means in Practice

The DPDPA requires Data Fiduciaries to implement "reasonable security safeguards to prevent personal data breach." While the Act does not prescribe specific technologies, the DPDP Rules and CERT-In guidelines make it clear that the following controls are expected:

Technical Safeguards:

  • Encryption of personal data at rest and in transit
  • Access controls with role-based permissions and multi-factor authentication
  • Regular vulnerability assessment and penetration testing of systems storing personal data
  • Network security controls — firewalls, intrusion detection/prevention, network segmentation
  • Endpoint protection and patch management
  • Secure software development practices for applications processing personal data
  • Data masking and anonymisation where possible

Organisational Safeguards:

  • Board-approved data protection and cybersecurity policies
  • Designated Data Protection Officer (DPO) for Significant Data Fiduciaries
  • Employee training and awareness programmes
  • Incident response plan with defined roles and escalation procedures
  • Third-party vendor security assessments
  • Data retention and deletion policies

The 72-Hour Breach Notification Deadline

This is the most operationally demanding requirement. When a personal data breach occurs, the Data Fiduciary must:

  • Notify the Data Protection Board of India within 72 hours of becoming aware of the breach
  • Submit a comprehensive report detailing the nature, extent, timing, and location of the breach
  • If the breach also constitutes a cybersecurity incident, report it to CERT-In within 6 hours as per existing CERT-In directives
  • Notify affected Data Principals (individuals) "without delay" if the breach is likely to cause them harm

Meeting this timeline requires three capabilities: real-time threat detection to know about the breach quickly, forensic investigation to understand the scope, and pre-built reporting templates to submit accurate reports under time pressure.

How to Prove "Reasonable Security Safeguards" During Audits

Significant Data Fiduciaries must undergo annual audits by independent auditors. Even regular Data Fiduciaries may face audits following complaints or breach investigations. The evidence auditors look for includes:

  • Vulnerability assessment reports: Regular VAPT reports showing you actively identify and remediate vulnerabilities in systems that process personal data
  • Penetration testing results: Evidence that you test your defences from an attacker's perspective
  • Security monitoring logs: SIEM logs, SOC reports, and incident response records proving continuous monitoring
  • Breach simulation results: Evidence that you test your incident response procedures through drills and simulations
  • Configuration audit reports: Proof that firewalls, access controls, and encryption are properly configured
  • Third-party assessment reports: Security assessments of vendors processing personal data on your behalf

The DPDPA-VAPT Connection

Vulnerability Assessment and Penetration Testing is the most tangible way to demonstrate "reasonable security safeguards." Regular VAPT proves that you are proactively identifying vulnerabilities before attackers exploit them. The key is making VAPT continuous rather than annual — personal data environments change constantly, and a year-old VAPT report is evidence of negligence, not diligence.

A continuous vulnerability assessment platform that scans your data-processing infrastructure daily, tracks remediation progress, and generates audit-ready reports is the most efficient way to satisfy both the DPDPA and your auditors.

Building a DPDPA-Ready Security Posture

The most effective approach combines:

  • Continuous vulnerability assessment across all systems processing personal data
  • Real-time threat intelligence to detect indicators of compromise before they become breaches
  • Breach simulation exercises to test your 72-hour notification capability under realistic conditions
  • Automated compliance reporting that generates audit evidence on demand

Companies that adopt this platform-based approach spend less on compliance than those relying on annual consulting engagements, while maintaining a significantly better security posture year-round.

Ogma Consulting helps Indian enterprises achieve DPDPA compliance through continuous vulnerability assessment, threat intelligence, and breach simulation — all from a single platform. With 300+ enterprise clients across banking, insurance, healthcare, and IT, we understand the unique data protection challenges each sector faces. Contact us for a DPDPA readiness assessment.
