Rule - 6
(1) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, which shall include, at the minimum, —
(a) appropriate data security measures, such as securing of personal data through encryption, obfuscation, masking or the use of virtual tokens mapped to that personal data;
(b) appropriate measures to control access to the computer resources used by such Data Fiduciary or such a Data Processor, wherever applicable;
(c) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;
(d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, such as by way of data-backups;
(e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise;
(f) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor, wherever applicable, for taking reasonable security safeguards; and
(g) appropriate technical and organisational measures to ensure effective observance of security safeguards.
(2) In this rule, the expression “computer resource” shall have the same meaning as is assigned to it in Information Technology Act, 2000 (21 of 2000).