That gap is a technology architecture problem — solved only by logs, continuous monitoring, and SIEM.

What the law mandates

Rule 6(1)(c), DPDP Rules 2025 requires visibility on the accessing of personal data through appropriate logs, monitoring and review — to enable detection of unauthorised access, investigation and remediation. Rule 6(1)(e) mandates that logs and personal data must be retained for a minimum of one year.

The DPDP Rules illustrate this precisely: an e-book platform must retain order, payment, and delivery logs for at least one year — even after the customer deletes her account. No logs = no investigation = no defence before the Board.

What logs must actually capture

Logs — also called audit trails — are records that enable reconstruction of the sequence of events, from inception to output, capturing who acted, when, and where.

For DPDP compliance, logs must cover every instance of personal data being accessed, every administrator action at application, database, and network level, every failed login and privilege change, and every bulk data export or third-party transmission. CERT-In (LM.1) requires comprehensive logging on all key ICT systems with secure storage within Indian jurisdiction.

Monitoring — logs that are never reviewed are archives, not controls

Rule 6(1)(c) requires monitoring and review — not just collection. An employee downloading ten thousand customer records at 2am must trigger an immediate alert, not a three-month-later discovery. CERT-In (LM.2) mandates continuous monitoring of network activity and privileged user actions for suspicious behaviour.

Insufficient logging and monitoring, coupled with missing incident response integration, allows attackers to persist undetected — precisely what DPDP’s visibility obligation is designed to prevent.

SIEM — the infrastructure that makes 72-hour compliance achievable

SIEM = Security Event Management + Security Information Management. Agents installed on every device collect and normalise logs. Collectors aggregate them. The SIEM Core correlates them, runs real-time analysis, and surfaces anomalies as alerts. A 24×7 SOC monitoring team checks alerts against pre-set deviation criteria, declares incidents, and escalates to investigators for root-cause analysis.

Critically, SIEM auto-generates compliance reports that auditors and regulators can directly use — making it a compliance evidence engine, not just a security tool.

Rule 7(2)(b) requires a detailed Board report within 72 hours — covering nature, extent, timing, root cause, remediation, and Data Principal notifications. Without SIEM, the breach may remain undetected well past that window. With SIEM, the clock starts from the moment of detection.

The penalty exposure

Failure to implement security safeguards including logs: up to ₹200 crore. Failure to notify the Board in time: up to ₹200 crore. Separate and potentially cumulative.

Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.