Your database was just breached. What does the attacker actually see?
If the answer is "real names, phone numbers, and financial records", your organisation is not DPDP-compliant. And not safe.
Rule 6(1)(a) of the DPDP Rules, 2025 names specific techniques as the statutory minimum for protecting personal data: encryption, obfuscation, masking, and virtual tokens mapped to that data. The IS Audit Standards under ICAI further recognise pseudonymisation and anonymisation as techniques that every data protection audit must evaluate.
Here is what each means, and why it matters under DPDP:
Encryption: Converts personal data into unreadable ciphertext. Applies to data at rest (databases, backups) and in transit (API calls, transfers to processors). If storage is breached or a cloud bucket is misconfigured, encrypted data is useless to the attacker. Under Section 2(u), a breach includes any unauthorised access that compromises confidentiality; encryption limits that impact directly.
Masking: Replaces real personal data with fictitious but structurally realistic data. Protects customer information from leaking into development, testing, and analytics environments, where real data should never appear.
Tokenisation: Replaces sensitive identifiers (Aadhaar numbers, bank account details, mobile numbers) with system-generated tokens. Real data stays locked in a secure vault. Rule 6(1)(a) explicitly uses the language "virtual tokens mapped to that personal data," making this a named statutory obligation, not merely best practice.
Pseudonymisation: Replaces direct identifiers with artificial pseudonyms, while the mapping is stored separately under strict controls (ISAS 420, Section 4.5). Pseudonymised data remains personal data under the Act, since re-identification is still possible, but the technique significantly reduces exposure in the event of a breach.
Anonymisation: Removes or irreversibly modifies all identifying information so that the individual can no longer be identified (ISAS 420, Section 4.6). Truly anonymised data falls outside the DPDP Act entirely, since Section 2(t) defines personal data as data about an individual "who is identifiable." This makes anonymisation a powerful strategic tool for analytics, research, and secondary data use, with no consent or compliance obligations attached.
The obligation extends to your vendors: Rule 6(1)(f) requires these safeguards to be written into every contract with your Data Processors. Your cloud provider, analytics vendor, and IT partners must contractually commit to these controls; the Data Fiduciary remains accountable regardless.
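To make the distinctions above concrete, here is an added example (not code from the post or from DSK Sustainability Tech LLP) that implements masking, tokenisation with a separate vault, keyed pseudonymisation, and a simple anonymisation step over one constructed customer record, then checks that the stored row no longer contains any raw identifier. All function names and sample values are assumptions made for illustration; encryption at rest and in transit is left to a vetted library rather than re-implemented here.

```python
"""Added example: masking, tokenisation, pseudonymisation and anonymisation
of one constructed record. Not the post's or any product's code."""
import hashlib
import hmac
import re
import secrets

# Constructed sample record; the 12-digit value is made up, not a real Aadhaar.
SAMPLE_RECORD = {"name": "Asha Verma", "mobile": "9876543210",
                 "aadhaar": "234512345678", "city": "Pune", "age": 34}


class TokenVault:
    """Tokenisation: a random token replaces the value in the application
    database; the token -> value mapping lives only in this separate store.
    The token carries no information about the original value."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        # Reuse the token for a repeated value so joins on tokens still work.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenise(self, token: str) -> str:
        # Only the vault, behind strict access control, can reverse a token.
        return self._token_to_value[token]


def pseudonymise(value: str, key: bytes) -> str:
    """Pseudonymisation: a keyed HMAC gives a stable pseudonym. The key is the
    'mapping stored separately'; whoever holds it can re-identify, which is
    why pseudonymised data is still personal data under the Act."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_mobile(mobile: str) -> str:
    """Masking: keep the shape of the number, expose only the last two digits."""
    digits = re.sub(r"\D", "", mobile)
    return "X" * (len(digits) - 2) + digits[-2:]


def mask_name(name: str) -> str:
    """Masking: keep each initial so the value still looks like a name."""
    return " ".join(w[0] + "*" * (len(w) - 1) for w in name.split())


def anonymise(record: dict) -> dict:
    """Anonymisation: drop direct identifiers with no mapping kept and
    generalise 'age' to a ten-year band. Generalising one field does not by
    itself guarantee that (city, age band) cannot single someone out in a
    small dataset; that check belongs in the release process."""
    low = (record["age"] // 10) * 10
    return {"city": record["city"], "age_band": f"{low}-{low + 9}"}


def protect_for_storage(record: dict, vault: TokenVault, pseudo_key: bytes) -> dict:
    """The row as production storage should hold it: a pseudonymous customer
    reference, tokens for identifiers, and no raw mobile or Aadhaar value."""
    return {
        "customer_ref": pseudonymise(record["name"] + "|" + record["mobile"], pseudo_key),
        "mobile_token": vault.tokenise(record["mobile"]),
        "aadhaar_token": vault.tokenise(record["aadhaar"]),
        "city": record["city"],
        "age": record["age"],
    }


def view_for_test_env(record: dict) -> dict:
    """The row as a development or test environment should see it."""
    return {"name": mask_name(record["name"]), "mobile": mask_mobile(record["mobile"]),
            "city": record["city"], "age": record["age"]}


def contains_raw_identifier(row: dict, record: dict) -> bool:
    """Boundary check: does any stored value still equal a raw identifier?"""
    raw = {record["name"], record["mobile"], record["aadhaar"]}
    return any(str(v) in raw for v in row.values())


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # would live in a KMS/HSM, never beside the data
    stored = protect_for_storage(SAMPLE_RECORD, vault, key)
    print("stored   :", stored)
    print("test env :", view_for_test_env(SAMPLE_RECORD))
    print("analytics:", anonymise(SAMPLE_RECORD))
    print("raw identifier in stored row?", contains_raw_identifier(stored, SAMPLE_RECORD))
```

The design choice worth noting is the split between `TokenVault` (reversible, but only through a store the application database never holds) and `pseudonymise` (reversible only by whoever holds the HMAC key), versus `anonymise`, which keeps no mapping at all. That is exactly the line the post draws between data that remains personal data and data that falls outside the Act.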
These techniques are the floor, not the ceiling. Organisations processing higher-risk data must go further.
Episode 3 of 9 | Technology & DPDP Compliance series. Follow DSK Sustainability Tech LLP for the full series.
Episode 4 of this series will cover Access Control and Identity Management, another explicitly mandated technical requirement under Rule 6(1)(b) of the DPDP Rules.
In association with our knowledge partners, Karthik & Sunil, Chartered Accountants.
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.