Author: Jhanvi Anam
Over the past year, a series of high-profile cybersecurity incidents has impacted both governments and private sector entities. A recent report by Check Point Research revealed that India-based organizations faced the second-highest number of weekly cyberattacks in the Asia Pacific region in 2024. This alarming trend highlights the need for improved levels of data security within India. While the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) were primarily designed to ensure basic levels of cybersecurity, the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Draft Rules under it marks a shift towards an ‘informational privacy-centric’ approach to the digital space. This presents new opportunities for enhancing the implementation of cybersecurity protections and data-handling hygiene within the country.
The DPDP Act embeds key principles aimed at safeguarding personal data while ensuring cybersecurity. One of these is ‘data minimization’, which refers to the practice of limiting the amount of personal data that is collected, stored, and processed. The following features in the DPDP Act reflect this principle:
(i) The requirement for purpose-specific consent
A key concern in data security is the risk of unauthorized secondary uses. These occur when data collected for one purpose is re-purposed without consent. This generates uncertainty over how an individual’s information will be used in the future, increasing the likelihood of misuse. It exposes individuals to heightened security threats and increases the volume of personal data placed at risk of abuse. Section 4 of the DPDP Act addresses this risk by mandating that Data Fiduciaries limit personal data processing to specified purposes, while the Draft Digital Personal Data Protection Rules, 2025 (Draft Rules) require Data Fiduciaries to obtain explicit consent through an itemized notice outlining the purposes and the required data types. This framework limits data collection and keeps it focused on specific, lawful purposes. It prevents organizations from unnecessarily hoarding data that could become a liability in the event of a personal data breach. Therefore, by limiting the scope of data collection and use through privacy compliance, organizations reduce both their potential attack surface and the amount of sensitive data that could be compromised.
(ii) The right of data principals to revoke their consent for data processing
Excessive data retention creates security vulnerabilities because even seemingly innocuous data, when aggregated, can be exploited. Therefore, the ‘right to withdraw consent’ serves as a safeguard by limiting future data processing, rather than retroactively undoing past actions. The DPDP Act, under Section 6(4), enables this right. It also requires organizations to implement mechanisms that promptly cease data processing once consent is withdrawn. The Draft Rules further mandate that a link for the withdrawal of consent be integrated into the notice format itself.
(iii) Specification of maximum retention periods for personal data
While the DPDP Act provides for the right to withdraw consent, data principals may not always promptly exercise this right to limit their information exposure. Unrestricted data retention increases security risks, as stored personal data remains vulnerable to breaches and misuse. Setting maximum retention periods mitigates these risks by ensuring that outdated or unnecessary data is deleted. Under the Draft Rules, certain categories of Data Fiduciaries (social-media intermediaries, online-gaming intermediaries and e-commerce entities) must erase personal data 3 years after a user’s last interaction, unless legal obligations require longer retention. This provision enhances cybersecurity by preventing organizations from accumulating personal data for excessive durations, which could become a liability in the event of a breach.
The introduction of elements of data minimization and purpose limitation promotes accountability in how personal data is collected, used, and stored, allowing Indian cybersecurity practices to be supported through the DPDP framework. This system also ensures greater transparency and control over personal data. However, even with these precautions, breaches can occur where personal data is maliciously targeted.
To address these eventualities, Section 8(5) of the DPDP Act mandates the deployment of ‘reasonable security safeguards’ by Data Fiduciaries to protect personal data under their control. Further, Rule 6 of the Draft Rules specifies that Data Fiduciaries must, at a minimum, implement essential security measures such as encryption, obfuscation, masking, and virtual tokens to protect sensitive information. It also requires contracts to extend these safeguards to Data Processors, ensuring consistent security across the data processing chain. A failure to implement reasonable security safeguards can result in penalties of up to INR 250 crore, reinforcing the importance of compliance. The higher penalties encourage better data security, making it more cost-effective for companies to invest in cybersecurity measures than to face penalties.
The DPDP framework also mandates post-breach intimation: organizations must inform the Data Protection Board and the affected Data Principals of any personal data breach, which allows affected individuals to take necessary action. Failure to observe the obligation to give notice of a personal data breach may attract a penalty of up to INR 200 crore.
By integrating these pre-breach security measures and post-breach response mechanisms, the DPDP framework creates a safer digital environment in which organizations are potentially held to higher security standards. This structured approach enforces uniform standards, promotes responsible data handling and reduces risks across the data lifecycle. These measures reduce the likelihood of personal data breaches and ensure that, when breaches do happen, the damage is mitigated.