Rule 6: Your Minimum Mandatory Security Checklist
Every organisation today, big or small, digital-first or traditional, lives on data. Customer information, employee details, vendor records, transactions, analytics: everything flows through systems at lightning speed. And as data moves faster, the risks around it grow just as quickly.
We hear about data breaches almost every week. Sometimes it’s hackers. Sometimes it’s a simple mistake: an email sent to the wrong person, a lost laptop, an exposed spreadsheet.
But whatever the cause, the impact is real. People lose trust. Businesses face penalties. Operations get disrupted. Reputations take a hit.
That’s why the Digital Personal Data Protection Act (DPDPA) includes Rule 6, Reasonable Security Safeguards.
It may sound technical, but the message is simple: treat personal data with care and protect it like it truly matters.
Because it does.
What is Rule 6 About?
So, What Is Rule 6 Really Asking For?
Rule 6 requires organisations to put in place reasonable security measures to protect personal data from being breached, misused, or accessed without permission.
The keyword here is reasonable.
The rule doesn’t expect a small business to have the same security infrastructure as a multinational corporation.
But it does expect every organisation to take steps that make sense for their size, the nature of the data they handle, and the risks they face.
If you own a small shop, you don’t need biometric scanners and armed security. But you do need a sturdy lock on the door.
Why Rule 6 Matters (More Than Most Realise)
Security isn’t just a compliance requirement; it’s a trust-building responsibility.
Customers trust you with a part of their identity.
When someone gives you their phone number, Aadhaar details, or email, they’re placing their trust in you. Rule 6 ensures that this trust isn’t broken.
Security incidents cost more than prevention.
A data breach can bring legal penalties, recovery costs, technical clean-up, and loss of business, all far greater than the cost of implementing good security.
One mistake can damage your brand for years.
Just one breach can make customers think twice before engaging with you again. It affects loyalty, growth, and perception.
Strong security is now a competitive advantage.
Organisations that show they take privacy seriously win more customers, especially in digital-first industries. Rule 6 isn’t only about “following the law”. It’s about operating responsibly and sustainably.
What Do “Reasonable Security Safeguards” Look Like?

It’s easy to get overwhelmed by jargon like encryption, firewalls, zero trust, MFA…
But Rule 6 simply wants organisations to take practical steps in three areas:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
1. Start With a Good Risk Assessment
Before you fix anything, understand what needs protecting, by conducting a risk assessment.
A risk assessment tells you:
- What personal data you collect
- Where you store it
- Who has access
- What can go wrong
- Which areas carry the highest risk
It’s like checking your house for entry points before deciding where to put locks.
Risk assessment isn’t a one-time exercise; it should be repeated periodically and whenever major systems change.
2. Control Who Can Access What
Not everyone in the organisation needs access to all data.
Using the least privilege principle, you ensure:
- Employees only get access they genuinely need
- Sensitive information is restricted
- Admin access is tightly controlled
- Every access request is logged
Add multi-factor authentication (MFA), and you’re already avoiding 90% of basic attacks.
3. Protect Data Through Encryption
Encryption is like turning personal data into a secret language. Even if someone steals it, they can’t read it.
Rule 6 expects:
- Encryption when data is stored
- Encryption when data is shared or transmitted
- Masking or anonymising data when full visibility isn’t required
This is one of the strongest shields an organisation can put up.
4. Keep Systems Updated and Securely Configured
Many breaches happen not because hackers are brilliant but because systems are outdated.
Some must-do steps include:
- Regular software updates
- Quick application of security patches
- Secure cloud configurations
- Routine vulnerability scans
- Secure coding practices
Think of updates as health check-ups for your digital systems.
5. Collect Less Data; Keep It for Less Time
Storing unnecessary personal data increases risk.
Rule 6 ties into the principle of minimisation:
- Collect only what is required
- Don’t store data “just in case”
- Delete or anonymise data as soon as the purpose is fulfilled
Less data = fewer vulnerabilities.
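As an added illustration (not code from the original article), the following Python shows the masking described in section 3 and the retention rule in section 5: it masks phone, Aadhaar and email fields for staff who don’t need full visibility, and flags records whose purpose was fulfilled longer ago than a retention window. The sample records, the field names and the 90-day window are constructed assumptions; the article sets no specific retention period.

```python
import re
from datetime import date, timedelta

# Constructed sample records (not real people); field names are assumptions.
RECORDS = [
    {"name": "A. Kumar", "phone": "9876543210", "aadhaar": "123412341234",
     "email": "a.kumar@example.com", "purpose_fulfilled": "2024-01-10"},
    {"name": "B. Singh", "phone": "9123456789", "aadhaar": "567856785678",
     "email": "b.singh@example.com", "purpose_fulfilled": None},
]
# Assumed retention window after the purpose is fulfilled; the article sets no number.
RETENTION_DAYS = 90

def mask_phone(phone: str) -> str:
    """Keep only the last four digits, enough for staff to confirm a caller."""
    digits = re.sub(r"\D", "", phone)
    return "X" * (len(digits) - 4) + digits[-4:]

def mask_aadhaar(aadhaar: str) -> str:
    """Aadhaar is 12 digits; expose only the last four, as masked Aadhaar does."""
    digits = re.sub(r"\D", "", aadhaar)
    if len(digits) != 12:
        raise ValueError("Aadhaar number must have 12 digits")
    return "XXXX XXXX " + digits[-4:]

def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"

def masked_view(record: dict) -> dict:
    """The view shown to staff who do not need full visibility of the record."""
    return {
        "name": record["name"],
        "phone": mask_phone(record["phone"]),
        "aadhaar": mask_aadhaar(record["aadhaar"]),
        "email": mask_email(record["email"]),
    }

def due_for_deletion(record: dict, today_iso: str) -> bool:
    """True once the purpose is fulfilled and the retention window has passed."""
    done = record["purpose_fulfilled"]
    if done is None:
        return False
    age = date.fromisoformat(today_iso) - date.fromisoformat(done)
    return age > timedelta(days=RETENTION_DAYS)

def retention_sweep(records: list, today_iso: str) -> tuple:
    """Split records into (keep, delete) so the delete list can be purged or anonymised."""
    delete = [r for r in records if due_for_deletion(r, today_iso)]
    keep = [r for r in records if not due_for_deletion(r, today_iso)]
    return keep, delete
```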
6. Don’t Forget Physical Security
Digital security is incomplete without physical safety.
Examples include:
- Locked server rooms
- Limited access to sensitive areas
- CCTV
- Secure disposal of paper documents
Even a lost USB drive can cause a breach.
7. Train Employees: They Are Your First Line of Defence
Most breaches happen because someone clicked the wrong link or shared the wrong file.
Training should cover:
- How to identify phishing
- Good password hygiene
- Proper data handling
- How to report suspicious activity
A well-trained team is better protection than any expensive tool.
8. Prepare a Clear Incident Response Plan
Accidents may still happen, and that’s okay.
What matters is how quickly and transparently you respond.
Organisations should have:
- An incident response team
- Breach reporting templates
- A clear chain of communication
- Steps to contain the issue
- A process for notifying authorities and individuals (Rule 7 requirement)
A good response plan turns a disaster into a manageable situation.
9. Strengthen Vendor and Third-Party Security
Your security is only as strong as your partners.
You must:
- Vet vendors
- Check their security posture
- Sign Data Processing Agreements
- Audit high-risk partners regularly
Many famous breaches happened through third parties, not the main organisation.
How Can Organisations Practically Get Started?

This is the part most businesses struggle with: “What do we do first?”
Here’s a simple action plan:
Step 1: Run a basic security gap assessment
Where are you today vs. where Rule 6 needs you to be?
Review your current security practices, compare them with Rule 6 requirements, and identify the gaps you need to close.
Step 2: Prioritise the highest-risk areas
Start with access control, encryption, masking, and employee training.
Step 3: Build or update your security policies
Clear written policies make implementation smoother.
Step 4: Implement quick wins
MFA, secure passwords, device encryption, and regular data clean-ups are quick wins that instantly strengthen your security posture. They’re easy to implement but make a big impact.
Step 5: Set up monitoring and audits
Security isn’t a one-time achievement; it’s an ongoing habit. Organisations need to consistently monitor, update, and strengthen their safeguards to stay protected.
Step 6: Maintain documentation
Logs, evidence, and reports matter during DPB investigations. They help you prove what safeguards were in place, how incidents were handled, and whether you followed proper procedures.
The Bigger Picture: Why Rule 6 Helps Every Organisation
Strong security does more than reduce risks. It transforms how people trust your brand.
Businesses with good security:
✔ Attract more customers
✔ Avoid downtime
✔ Reduce financial exposure
✔ Safeguard their reputation
✔ Operate more confidently in the digital world
Rule 6 essentially says: “Protect the data you’re trusted with and protect your business in the process.”
Conclusion
Rule 6 is not a scary requirement. It’s not meant to burden companies.
Instead, it gives organisations a clear and practical guide to building a safer, more trustworthy environment for personal data.
By adopting reasonable safeguards today, organisations strengthen their future, build customer confidence, and stay ready for the evolving digital landscape.
Key Takeaways
- Rule 6 is about one thing: keeping personal data safe in a practical, sensible way.
- Good security builds trust: people expect you to protect their information.
- Small steps like access control, updates, training, and encryption make a big difference.
- Don’t collect more data than you need and delete it when it’s no longer useful.
- Have a plan for when things go wrong so you can respond quickly and responsibly.
- Security isn’t a one-time task; it’s something you keep improving.
- Strong safeguards aren’t just compliance; they make business smoother and safer.
