Rule 6: Reasonable Security Safeguards

Rule 6 requires every Data Fiduciary to implement reasonable security safeguards to protect personal data against unauthorized access, disclosure, alteration, or loss. The obligation is proactive, meaning organizations must secure data before problems occur rather than waiting until after a breach.


Under this rule:

  • Security safeguards must include appropriate technical measures such as encryption, pseudonymization, secure storage systems, and access controls.
  • Organizational measures such as staff training, role-based access, internal policies, and periodic audits are also required to minimize risks of human error or negligence.
  • Safeguards should be proportionate to the nature and volume of data processed: a large bank handling sensitive financial data will be expected to have stronger protections than a small local retailer collecting only email addresses.
  • Regular review and updating of security measures is mandatory to keep up with evolving technology and threats.

Example Scenarios

Example 1

A stock broking firm that processes customer trading histories and PAN details must use end-to-end encryption and two-factor authentication to prevent account takeovers.

Example 2

An e-commerce company like ABC Mart Online should encrypt payment details, maintain secure backups, and restrict employee access to only the data required for their role.

Example 3

A hospital chain storing patient medical histories must ensure that only authorized doctors can view health records, with audit logs showing who accessed the data and when.
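The role-based access and audit-log requirements in the organizational-measures bullet, Example 2 and Example 3 can be shown together in working code. The following is an added illustration written for this page, not code from the rules or from any named organization; the role policy, patient records, user names and the pseudonymization key are all constructed placeholders. It enforces that a role can read only the record fields its job needs, and it writes every attempt, granted or denied, to an audit trail that records who, what and when, storing a keyed pseudonym of the patient identifier rather than the raw value.

```python
import hmac
from datetime import datetime, timezone

# Hypothetical role-to-field policy (constructed for this example):
# each role may read only the record fields its job requires.
ROLE_PERMISSIONS = {
    "doctor": {"medical_history", "allergies"},
    "billing": {"invoice_total"},
    "reception": {"next_appointment"},
}

# Constructed sample records; no real patient data.
PATIENTS = {
    "P-1001": {
        "medical_history": "hypertension, managed",
        "allergies": "penicillin",
        "invoice_total": 4500,
        "next_appointment": "2025-03-02",
    },
}

# Key for pseudonymizing patient identifiers in the audit trail.
# Placeholder value; a real deployment loads this from a secrets store.
PSEUDONYM_KEY = b"placeholder-audit-pseudonym-key"

AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when the caller's role does not permit the requested field."""


def pseudonymize(patient_id: str) -> str:
    """Keyed hash so audit entries can be linked to a patient by someone
    holding the key, without the raw identifier sitting in the log."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), "sha256").hexdigest()[:16]


def access_record(user: str, role: str, patient_id: str, field: str, now=None):
    """Return one field of a patient record if the role permits it.

    Every attempt, permitted or not, is appended to AUDIT_LOG before the
    decision is enforced, so denied attempts are visible to reviewers too.
    """
    now = now or datetime.now(timezone.utc)
    allowed = field in ROLE_PERMISSIONS.get(role, set())  # unknown role -> denied
    AUDIT_LOG.append({
        "timestamp": now.isoformat(),
        "user": user,
        "role": role,
        "patient": pseudonymize(patient_id),
        "field": field,
        "outcome": "granted" if allowed else "denied",
    })
    if not allowed:
        raise AccessDenied(f"role {role!r} may not read {field!r}")
    return PATIENTS[patient_id][field]


def audit_trail():
    """Full list of access attempts recorded so far."""
    return list(AUDIT_LOG)


def denied_attempts():
    """The entries a periodic audit review would start with."""
    return [e for e in AUDIT_LOG if e["outcome"] == "denied"]


if __name__ == "__main__":
    print(access_record("dr_rao", "doctor", "P-1001", "medical_history"))
    try:
        access_record("clerk_07", "billing", "P-1001", "medical_history")
    except AccessDenied as exc:
        print("blocked:", exc)
    for entry in audit_trail():
        print(entry)
```

The audit entry is written before the permission check is enforced, so a refused access leaves the same trace as a granted one; the `denied_attempts` view is the kind of report the periodic-review bullet above implies.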


Critical Point

Failure to adopt reasonable safeguards may not only result in penalties but also increase the severity of consequences if a breach occurs. By embedding security as a core responsibility, Rule 6 makes it clear that protecting personal data is not optional but a legal duty.