Illustration of a computer locked with chains representing Rule 6 data protection

Rule 6: Your Minimum Mandatory Security Checklist

Every organisation today big, small, digital-first or traditional lives on data. Customer information, employee details, vendor records, transactions, analytics everything flows through systems at lightning speed. And as data moves faster, the risks around it grow just as quickly.

We hear about data breaches almost every week. Sometimes it’s hackers. Sometimes it’s a simple mistake an email sent to the wrong person, a lost laptop, an exposed spreadsheet.

But whatever the cause, the impact is real. People lose trust. Businesses face penalties. Operations get disrupted. Reputations take a hit.

That’s why the Digital Personal Data Protection Act (DPDPA) includes Rule 6 Reasonable Security Safeguards.

It may sound technical, but the message is simple: treat personal data with care and protect it like it truly matters.

Because it does.

What is Rule 6 About?

So, What Is Rule 6 Really Asking For?

Rule 6 requires organisations to put in place reasonable security measures to protect personal data from being breached, misused, or accessed without permission.

The keyword here is reasonable.

The rule doesn’t expect a small business to have the same security infrastructure as a multinational corporation.

But it does expect every organisation to take steps that make sense for their size, the nature of the data they handle, and the risks they face.

If you own a small shop, you don’t need biometric scanners and armed security. But you do need a sturdy lock on the door.

Why Rule 6 Matters (More Than Most Realise)

Security isn’t just a compliance requirement it’s a trust-building responsibility.

Customers trust you with a part of their identity.

When someone gives you their phone number, Aadhaar details, or email, they’re placing their trust in you. Rule 6 ensures that this trust isn’t broken.

Security incidents cost more than prevention.

A data breach can bring legal penalties, recovery costs, technical clean-up, and loss of business all far greater than the cost of implementinggood security.

One mistake can damage your brand for years.

Just one breach can make customers think twice before engaging with you again. It affects loyalty, growth, and perception.

Strong security is now a competitive advantage.

Organisations that show they take privacy seriously win more customers especially in digital-first industries. Rule 6 isn’t only about “following the law”. It’s about operating responsibly and sustainably.

What Do “Reasonable Security Safeguards” Look Like?

Security safeguards checklist with icons.

It’s easy to get overwhelmed by jargon like encryption, firewalls, zero trust, MFA…

 But Rule 6 simply wants organisations to take practical steps in three areas:

  • Administrative safeguards
  • Technical safeguards
  • Physical safeguards.

1. Start With a Good Risk Assessment

Before you fix anything, understand what needs protecting, by conducting a risk assessment.

A risk assessment tells you:

  • What personal data you collect
  • Where you store it
  • Who has access
  • What can go wrong
  • Which areas carry the highest risk

It’s like checking your house for entry points before deciding where to put locks.

Risk assessment isn’t one-time it should be done periodically and whenever major systems change.

2. Control Who Can Access What

Not everyone in the organisation needs access to all data.

Using the least privilege principle, you ensure:

  • Employees only get access they genuinely need
  • Sensitive information is restricted
  • Admin access is tightly controlled
  • Every access request is logged

Add multi-factor authentication (MFA), and you’re already avoiding 90% of basic attacks.

3. Protect Data Through Encryption

Encryption is like turning personal data into a secret language. Even if someone steals it, they can’t read it.

Rule 6 expects:

  • Encryption when data is stored
  • Encryption when data is shared or transmitted
  • Masking or anonymising data when full visibility isn’t required

This is one of the strongest shields an organisation can put up.

4. Keep Systems Updated and Securely Configured

Many breaches happen not because hackers are brilliant but because systems are outdated.

Some must-do steps include:

  • Regular software updates
  • Quick application of security patches
  • Secure cloud configurations
  • Routine vulnerability scans
  • Secure coding practices

Think of updates as health check-ups for your digital systems.

5. Collect Less Data; Keep It for Less Time

Storing unnecessary personal data increases risk.

Rule 6 ties into the principle of minimisation:

  • Collect only what is required
  • Don’t store data “just in case”
  • Delete or anonymise data as soon as the purpose is fulfilled

Less data = fewer vulnerabilities.

6. Don’t Forget Physical Security

Digital security is incomplete without physical safety.

 Examples include:

  • Locked server rooms
  • Limited access to sensitive areas
  • CCTV
  • Secure disposal of paper documents

Even a lost USB drive can cause a breach.

7. Train Employees They Are Your First Line of Defence

Most breaches happen because someone clicked the wrong link or shared the wrong file.

Training should cover:

  • How to identify phishing
  • Good password hygiene
  • Proper data handling
  • How to report suspicious activity

A well-trained team is better protection than any expensive tool.

8. Prepare a Clear Incident Response Plan

Accidents may still happen, and that’s okay.

 What matters is how quickly and transparently you respond.

Organisations should have:

  • An incident response team
  • Breach reporting templates
  • A clear chain of communication
  • Steps to contain the issue
  • A process for notifying authorities and individuals (Rule 7 requirement)

A good response plan turns a disaster into a manageable situation.

9. Strengthen Vendor and Third-Party Security

Your security is only as strong as your partners.

You must:

  • Vet vendors
  • Check their security posture
  • Sign Data Processing Agreements
  • Audit high-risk partners regularly

Many famous breaches happened through third parties not the main organisation.

How Can Organisations Practically Get Started?

Security roadmap steps shown along a path.

This is the part most businesses struggle with: “What do we do first?”

Here’s a simple action plan:

Step 1: Run a basic security gap assessment

Where are you today vs. where Rule 6 needs you to be?

Review your current security practices, compare them with Rule 6 requirements, and identify the gaps you need to close.

Step 2: Prioritise the highest-risk areas

Start with access control, encryption, masking, and employee training.

Step 3: Build or update your security policies

Clear written policies make implementation smoother.

Step 4: Implement quick wins

MFA, secure passwords, device encryption, and regular data clean-ups are quick wins that instantly strengthen your security posture. They’re easy to implement but make a big impact.

Step 5: Set up monitoring and audits

Security isn’t a one-time achievement it’s an ongoing habit. Organisations need to consistently monitor, update, and strengthen their safeguards to stay protected.

Step 6: Maintain documentation

Logs, evidence, and reports matter during DPB investigations. They help you prove what safeguards were in place, how incidents were handled, and whether you followed proper procedures.

The Bigger Picture: Why Rule 6 Helps Every Organisation

Strong security does more than reduce risks. It transforms how people trust your brand.

Businesses with good security:

 ✔ Attract more customers

 ✔ Avoid downtime

 ✔ Reduce financial exposure

 ✔ Safeguard their reputation

 ✔ Operate more confidently in the digital world

Rule 6 essentially says: “Protect the data you’re trusted with and protect your business in the process.”

Conclusion

Rule 6 is not a scary requirement. It’s not meant to burden companies.

 Instead, it gives organisations a clear and practical guide to building a safer, more trustworthy environment for personal data.

By adopting reasonable safeguards today, organisations strengthen their future, build customer confidence, and stay ready for the evolving digital landscape.

Key Takeaways

  • Rule 6 is about one thing: keeping personal data safe in a practical, sensible way.
  • Good security builds trust people expect you to protect their information.
  • Small steps like access control, updates, training, and encryption make a big difference.
  • Don’t collect more data than you need and delete it when it’s no longer useful.
  • Have a plan for when things go wrong so you can respond quickly and responsibly.
  • Security isn’t a one-time task it’s something you keep improving.
  • Strong safeguards aren’t just compliance they make business smoother and safer.

Related Blogs:

Liked the post? Share on :

Picture of user

user

Table of Contents

More Posts

Send Us A Message

Privacy Global - logo

Head Office

Unit #T241, Tower #10, ITC,
C.B.D. Belapur, Navi Mumbai,
India – 400614

Support

91 22 67120704

[email protected]

Terms of Use

Privacy Policy

Cookie Policy

Contact

Privacy Global - logo

Head Office

Unit #T241, Tower #10, ITC,
C.B.D. Belapur, Navi Mumbai,
India – 400614

Support

+91 98923 01317

[email protected]

Terms of Use

Privacy Policy

Cookie Policy

Contact

© 2026 Privacy Global . All Rights Reserved.

Scroll to Top