
Introduction
The enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), followed by the notification of the Digital Personal Data Protection Rules, 2025, represents a shift in corporate governance operations. For nearly a quarter of a century, data protection in India was governed by Section 43A and the SPDI Rules of 2011 under the Information Technology Act, 2000. It was characterised by a liability model based on compensation. The regulatory environment was reactive, triggered only after a litigant could prove specific damages. The DPDP Act changes this entirely, replacing it with penalties under the Schedule to the DPDP Act. This shift is not merely semantic but structural. Under the new Act, a Data Fiduciary can be penalised hundreds of crores for a failure in security safeguards, even if no individual Data Principal suffers financial loss. Internal documents are no longer administrative formalities; they are the primary evidence for the defence. A well-drafted policy, backed by implementation, serves as the strongest mitigating factor against the maximum penalties outlined in the Schedule to the DPDP Act.
The Adjudicatory Framework: Engineering Defence Strategies
Section 33(2) of the DPDP Act lists the specific factors the Board must consider when determining the quantum of the penalty. A well-drafted set of internal policies should be mapped to these factors to mitigate the penalty.
1. Nature, Gravity, and Duration of the Breach: The duration element is the most controllable variable. A breach that remains undetected for months indicates a failure of monitoring, which is treated more severely than a breach detected in hours. The Incident Management Policy or Internal Policy must mandate specific mean time to detect (MTTD) and mean time to respond (MTTR) targets. It must require the use of continuous monitoring tools. A policy that states that logs are reviewed daily, and is actually followed, serves as evidence for a lower penalty.
2. Type and Nature of Personal Data Affected: Breaches involving financial data, health data, or children’s data attract higher fines. Data Classification is essential in Internal Policy. It must segment data into “Public”, “Internal”, “Confidential” and “Restricted”. The policy should enforce stricter controls (e.g., encryption at rest) for Restricted data. If a breach occurs but only affects Public data, the policy classification helps argue that the nature of the data justifies a lower penalty.
3. Repetitive Nature of the Breach: If an entity makes the same mistake twice, the Board infers negligence. The Corrective and Preventive Action Plan must be rigorous. It should mandate that after every incident, a Root Cause Analysis (“RCA”) is conducted, and specific controls are implemented to prevent recurrence. The existence of a documented RCA and subsequent system upgrade proves that the second breach was not a result of ignoring the first.
4. Realization of Gain and Loss: This factor targets entities that cut corners on security budgets. If a company saves ₹10 crore by not buying a firewall and then suffers a breach, the Board may penalise it on account of negligence. The IT Budgeting Policy should allocate funds for data security as an essential component of general IT spending. Documentation of security investments serves as evidence that the Data Fiduciary did not prioritise profit over privacy.
5. Mitigation Steps: This is the most dynamic factor. Prompt action to contain the breach and support affected users acts as a powerful mitigator. The Crisis Management Policy must allow the Chief Information Security Officer (“CISO”) to take immediate unilateral action (e.g., shutting down a server) without waiting for CEO approval. Speed is mitigation. The policy should also mandate offering support to victims (e.g., credit monitoring services) immediately.
Reasonable Security Safeguards
The requirement to take reasonable security safeguards (Section 8(5)) is the pivot on which the largest penalty turns. The Act does not define “reasonable”, which creates a challenge for policy drafters. However, the Rules and industry standards provide the necessary references.
1. Defining Reasonable via Standards (IS 17428): While the previous SPDI Rules referred to ISO 27001, the DPDP Act makes no such reference. However, the Bureau of Indian Standards (BIS) has published IS 17428, a two-part standard (Requirements and Guidelines). It covers privacy by design, data minimisation, and lifecycle management.
2. Log Retention and Accountability (Rule 6): A critical operational mandate in the DPDP Rules 2025 is the requirement to maintain logs. Rule 6 mandates the retention of system logs for a period of one year. Logs are evidence of processing compliance, but they are also potential evidence of failure.
- Retention Period: Security logs shall be retained for a minimum of one year to facilitate forensic investigation.
- Immutability: Logs must be stored in a Write-Once-Read-Many (WORM) format to prevent tampering.
- Access: Access to logs is restricted to Security Operations personnel and Internal Audit.
If a breach occurs and the Fiduciary cannot produce logs showing how it happened, the Board will likely presume the absence of safeguards, pushing the penalty toward the higher side.
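An added illustration (not code from the article or from AMLEGALS) of the two log controls above: a hash-chained, append-only record of security events demonstrates the tamper evidence that WORM storage is meant to guarantee, and a purge guard enforces the one-year minimum before any record may be deleted. The sample events, field names and the 365-day constant are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Minimum retention the article attributes to Rule 6 of the DPDP Rules, 2025 (assumed as 365 days).
MIN_RETENTION_DAYS = 365

# Constructed sample: three security events as a SOC might record them.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00Z", "actor": "svc-api", "action": "read", "class": "Restricted"},
    {"ts": "2025-03-01T09:05:00Z", "actor": "admin1", "action": "export", "class": "Confidential"},
    {"ts": "2025-03-01T09:07:00Z", "actor": "svc-api", "action": "read", "class": "Public"},
]

GENESIS = "0" * 64  # predecessor hash for the first record


def build_chain(events):
    """Append-only log: each record carries the hash of its predecessor, so
    altering or deleting any earlier record invalidates every later hash."""
    chain, prev = [], GENESIS
    for event in events:
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chain.append({"event": dict(event), "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first bad record).
    Note: removal of the *last* record is only detectable if the latest hash is
    anchored externally (e.g. written to a WORM store or a separate audit system)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = json.dumps(rec["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None


def may_purge(record_ts, now_ts):
    """Retention guard: a record may be deleted only once it is older than the
    one-year minimum. Timestamps are ISO 8601 strings with a trailing 'Z'."""
    record = datetime.fromisoformat(record_ts.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_ts.replace("Z", "+00:00"))
    return now - record > timedelta(days=MIN_RETENTION_DAYS)
```

Deploying the chain alone is not WORM storage; it makes tampering detectable, while the storage layer must still refuse overwrites and early deletion.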
3. Vulnerability Management and Penetration Testing: Reasonableness is not a one-time setup; it is a continuous process. The policy must mandate Quarterly Vulnerability Assessments and Annual Penetration Testing (“VAPT”) by a CERT-In empanelled auditor. The remediation reports (showing that the findings from VAPT were fixed) are critical evidence. A policy that ignores VAPT findings may be seen as negligence.
Vendor Liability
Many organisations rely on Indemnity Clauses in contracts to recover all losses from vendors. While this is valid for commercial recovery, it is irrelevant to the Data Protection Board. The Board will fine the Data Fiduciary. The Fiduciary must then try to recover that money from the Vendor in a civil court, a process that may take years. The internal Third-Party Risk Management (“TPRM”) Policy must mandate that no data is shared with a vendor unless a Data Processing Agreement (“DPA”) is signed.
Key Clauses for Deterrence:
- Mirror Security Standards: The Processor must maintain security safeguards no less stringent than those required of the Fiduciary under the DPDP Act.
- Audit Rights: The Fiduciary reserves the right to audit the Processor’s systems annually or upon a security incident.
- Breach Notification: The Processor must notify the Fiduciary as soon as possible, and in any case within 2 hours (giving the Fiduciary time to meet its own regulatory deadline).
- Sub-processor Ban: No sub-processing without prior written consent. (Prevents the vendor from outsourcing data to an insecure fourth party).
AMLEGALS Remarks
The DPDP Act necessitates a reimagining of corporate policy. Internal documents can no longer be viewed as static templates. Now, they are dynamic legal instruments that serve as a defence in an adjudicatory proceeding. By tailoring internal policies to the specific needs of the DPDP Act, organisations can build a defensive policy that mitigates financial exposure. Whether it is through data classification or stringent third-party risk management, the goal is to show a practice of reasonable security safeguards that moves beyond mere paper compliance. In an era where the Data Protection Board can levy penalties reaching hundreds of crores, evidence-backed policy is not just a regulatory requirement; it is a business safeguard. Organisations that bridge the gap between policy drafting and operational implementation will not only withstand the scrutiny of the DPDP Act but will also emerge as trusted organisations among a privacy-centric consumer base.
For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com or Khilansha.mukhija@amlegals.com
