Reasonable Security Safeguards Under the DPDP Act: The Obligation Indian SMEs Keep Underestimating
Security safeguards carry the DPDP Act's steepest penalty at Rs 250 crore, yet it's the obligation most SMEs overlook. Here's what Section 8(5) and Rule 6 require, and how to prepare before 2027.
Reasonable Security Safeguards Under the DPDP Act: The Obligation Indian SMEs Keep Underestimating
Most Indian SMEs preparing for the DPDP Act have spent their energy on consent banners and privacy notices. Those matter. But if you look at where regulators actually hand out the biggest fines, a different obligation deserves your attention first: reasonable security safeguards. Under the DPDP Act, this is the requirement that quietly carries the highest penalty, and it's the one a lot of smaller companies are least prepared for.
Here's why it belongs higher on your list now, well before enforcement hardens in 2027.
What Section 8(5) actually asks of you
Section 8(5) of the DPDP Act, 2023 says every Data Fiduciary must protect the personal data in its possession or control by taking reasonable security safeguards to prevent a personal data breach. That duty stays with you whether you process the data yourself or hand it to a Data Processor.
The DPDP Rules, 2025, notified on 13 November 2025, put some meat on the word "reasonable." Rule 6 lists the kinds of measures the Board will expect to see: encryption or obfuscation of personal data, access controls so only authorised people can reach it, logging and monitoring to detect unauthorised access, and backups to recover from an incident. The Rules also expect logs and personal data to be retained long enough to support an investigation, generally read as at least one year.
One detail trips people up. The penalty for a security failure can apply even if no breach ever happens and nobody is harmed. The obligation is to have the safeguards in place, not merely to avoid getting caught out.
The number that should get your attention
The Schedule to the DPDP Act sets the maximum penalty for failing to take reasonable security safeguards at Rs 250 crore per instance. That is the single largest figure in the whole penalty table, higher than the Rs 200 crore ceiling for failing to notify a breach.
And these stack. A single incident can attract the Rs 250 crore safeguards penalty and the Rs 200 crore notification penalty at the same time, so one badly handled breach can, in principle, expose a company to Rs 450 crore of combined liability. The Board decides the actual amount case by case, weighing the nature of the failure and what you did about it, but the ceiling tells you how seriously this duty is treated.
Europe already shows how this plays out
If you want a preview of where enforcement attention goes once a privacy law matures, look at the GDPR numbers. Cumulative GDPR fines have now crossed 7.1 billion euros, with more than 600 million euros added in the first half of 2026 alone, according to enforcement trackers such as ComplianceHub.
Break those fines down by cause and a pattern shows up. Unlawful processing is the largest category at about 34 percent. Second, at roughly 28 percent, is insufficient technical and organisational measures, which is Europe's version of the security-safeguards obligation. In plain terms, more than a quarter of all GDPR money penalties trace back to companies that did not secure data properly.
It isn't only the big platforms. In 2026 France's data regulator, the CNIL, fined telecom operator Free Mobile 27 million euros for security measures that did not match the sensitivity of the subscriber data it held. The lesson for an Indian SME is not the euro figure, which sits under a different law. It is that regulators keep treating weak security as a headline offence, not a footnote.
India's own timeline gives you room to act. Through 2026 the Data Protection Board is in what most practitioners call a soft-enforcement phase: constituted, watching, issuing guidance, but not yet running penalty proceedings while staffing is finished. Consent Manager registration opens around 13 November 2026, and the full substantive obligations, security safeguards included, are expected to take effect around 13 to 14 May 2027. That gives a smaller company roughly a year of runway to close gaps quietly rather than under a notice.
Where SMEs usually fall short
The failures we see most often aren't exotic. Customer databases sitting unencrypted on a shared drive. Everyone on the team using one admin login, so access can't be traced to a person. No logging, which means that after an incident nobody can say what was taken or when. Backups that were set up once and never tested. Ex-employees whose accounts still work months after they left.
None of these need a large budget to fix. Turning on encryption at rest, giving each staff member their own credentials with role-based access, switching on audit logs, and running a quarterly access review will move you past the most common findings. A short privacy impact assessment is a practical way to find the gaps before someone else does, and it doubles as evidence that you took the duty seriously.
A sensible order of work
Start by mapping what personal data you hold and where it lives, because you can't protect what you haven't listed. Then apply Rule 6's four basics to the systems holding that data: encryption, access control, logging, and tested backups. Write down what you've done, since the Board will care about demonstrable diligence if an incident ever occurs. Finally, extend the same questions to your vendors, because their breach becomes your liability under Section 8(5).
If security sits outside your team's expertise, this is a reasonable place to bring in help, whether through a data protection officer service or a scoped review of your controls. The companies that come through the 2027 deadline calmly will be the ones that treated security as a first-order task in 2026, not the ones that bolted it on at the end.
This article is general guidance for Indian businesses and not legal advice; please consult a qualified professional about your specific situation. Ready to check where you stand? Start with our free DPDP compliance checklist or get in touch for a tailored review.
Get help implementing this
Turn this reading into a compliance plan.
Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.
Book a free 30-minute consultation