Introduction
On 13 November 2025, the Ministry of Electronics & IT (MeitY) notified the Digital Personal Data Protection (DPDP) Rules, 2025, laying out the operational framework of the Digital Personal Data Protection Act, 2023. These Rules impose strict technical, organizational, logging, breach notification, consent, and access control obligations on all Data Fiduciaries and Data Processors.
According to the notification of 13 November 2025, the Rules mandate obligations in areas such as:
- Reasonable security safeguards including encryption, access control, and logging
- Visibility and monitoring of personal data access with mandatory log retention for one year
- Breach notification to Data Principals and the Board with detailed incident facts and mitigation steps
- Access control over computer resources
- Technical & organizational measures for accuracy, accountability, and purpose limitation (Second Schedule)
In this blog, we explain the key security requirements and map them directly to ARCON’s Privileged Access Management (PAM) capabilities.
A close reading of the official notification reveals the emphasis placed on technical and organizational controls, which are no longer optional but explicitly required by law. For example, Rule 6 mandates the adoption of “reasonable security safeguards,” including the use of encryption, obfuscation, masking, or tokenization of personal data. The rules go further by requiring strict access control over all computer resources used by the Data Fiduciary or its processors. Additionally, the Rules require organizations to maintain complete visibility of all personal data access through logs, continuous monitoring, and regular review so that any unauthorized activity can be detected, investigated, and remediated. These logs must be retained for a minimum of one year, ensuring accountability long after an access event has occurred.
Another major area of compliance relates to security incidents. Rule 7 obligates organizations to notify every affected Data Principal in a clear and timely manner whenever a personal data breach occurs. Importantly, the notification is not merely a token requirement—it must include the nature and extent of the breach, the likely impact on the Data Principal, the measures taken to reduce harm, and the specific safety steps the individual should follow. Simultaneously, a far more detailed report must be submitted to the Data Protection Board, including facts leading to the breach, the identity of any individual who caused it, the remedial measures implemented, and confirmation that all affected Data Principals have been notified. This places significant pressure on organizations to maintain strong internal monitoring, forensic capabilities, and incident investigation workflows.
Beyond security incidents and access control, the DPDP Rules emphasize accuracy, purpose limitation, data minimization, and accountability. The Second Schedule clearly states that organizations must ensure all processing is lawful, limited only to what is necessary, and accompanied by reasonable efforts to maintain completeness and accuracy. The Rules also repeatedly underline the need for accountability—meaning that an organization must be able to identify the individual responsible for any processing activity and demonstrate the controls it used to prevent misuse.
In an environment where privileged accounts are the gateway to systems holding vast volumes of personal data—databases, application servers, cloud platforms, core infrastructure—Privileged Access Management (PAM) becomes an essential compliance enabler. This is where ARCON PAM directly aligns with the DPDP Rules, serving as a cornerstone for multiple regulatory requirements.
ARCON PAM provides strong encryption for credentials and sensitive access workflows. All privileged passwords, secrets, and keys are stored in an encrypted vault, ensuring they cannot be accessed, shared, or stolen. By tokenizing privileged sessions and eliminating static credentials through just-in-time access, ARCON ensures that privileged users never actually see passwords, addressing the regulation’s requirement for masking and obfuscation of sensitive identifiers.
The Rules also require robust control over access to computer resources. ARCON addresses this by enforcing zero-trust-based access management where users receive only the minimum privileges necessary for a specified duration. Multi-factor authentication, granular role definitions, workflow approvals, and adaptive access policies ensure that no privileged account can be misused to view or manipulate personal data. This satisfies Rule 6’s requirement for “appropriate measures to control access.”
Visibility and monitoring—which are mandatory under the DPDP Rules—are areas where ARCON PAM’s capabilities are particularly strong. Every privileged session can be monitored in real time, recorded as video, and captured at a keystroke level. Detailed logs allow an organization to see exactly who accessed which system, what commands were executed, and what data was viewed or modified. Because the Rules require organizations to retain logs for at least one year, ARCON’s tamper-proof long-term archival of audit trails becomes a natural fit.
Moreover, the Rules' breach reporting obligations implicitly require organizations to have strong forensic capabilities. ARCON PAM enables this by providing the full context of an incident: the user's identity, the systems accessed, the exact action that caused a compromise, and all preceding events. This evidence becomes essential when reporting breaches to both affected individuals and the Data Protection Board, as required under Rule 7.
Finally, accountability—another cornerstone of DPDP compliance—is inherently built into ARCON’s design. Every privileged action is tied to a verified identity, eliminating shared passwords and anonymous administrative access. Through periodic access reviews, automatic access expiration, and strict governance workflows, ARCON ensures that Data Fiduciaries can demonstrate exactly who performed which action, why it was authorized, and how policies were enforced.
In summary, the Digital Personal Data Protection Rules, 2025 place stringent requirements on organizations to protect personal data, ensure lawful processing, maintain accuracy, enforce access control, detect and respond to breaches, and demonstrate accountability. ARCON PAM naturally complements these mandates by providing the technical controls, monitoring mechanisms, governance structures, and forensic capabilities needed to achieve full compliance. For any organization handling sensitive or large volumes of personal data, ARCON PAM is not just a cybersecurity tool—it is an indispensable compliance infrastructure for India’s new data protection regime.