Section 7(f) of the Digital Personal Data Protection Act (DPDPA), 2023, requires Data Fiduciaries to implement appropriate technical and organizational measures to ensure the security of personal data. But what does this mean in practice? What specific safeguards—such as encryption, access controls, or incident response plans—should organizations have in place to prevent data breaches and unauthorized access?
For instance, if a company stores sensitive personal data in a cloud environment, what security measures would be considered sufficient under the law? Are there industry standards, such as ISO 27001 or NIST frameworks, that Data Fiduciaries can follow to demonstrate compliance? If you have insights on best practices, regulatory expectations, or real-world implementations, please share.