28 May 2026 · 7 min read
Section 8(5) of the DPDP Act says a Data Fiduciary must 'protect personal data in its possession or under its control by taking reasonable security safeguards'. That single sentence sits inside the highest penalty band — ₹250 crore per failure. Section 8 is the silent killer for SMB DPDP risk: most websites obsess over the consent banner and ignore the much more financially exposed security baseline.
**HTTPS everywhere with HSTS.** Cloudflare's free tier gives you HTTPS, automatic certificate renewal and HSTS preload eligibility. If your site is on HTTP in 2026, that's a Section 8 finding the scanner will catch in two seconds. Fix today, not next quarter.
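A way to produce the evidence for this first control, as an added example that is not part of the original post: it parses a `Strict-Transport-Security` header against the preload-list requirements (one-year `max-age`, `includeSubDomains`, `preload`) and, given a URL, fetches the live header over HTTPS. The header is only one part of preload eligibility; the HTTP-to-HTTPS redirect and certificate are checked separately by hstspreload.org.

```python
import urllib.request
from typing import NamedTuple, Optional, Tuple

# hstspreload.org requires max-age of at least one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


class HstsCheck(NamedTuple):
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    findings: Tuple[str, ...]  # empty tuple means the header meets preload requirements


def parse_hsts(header_value: Optional[str]) -> HstsCheck:
    """Evaluate a Strict-Transport-Security header value (None = header absent)."""
    if header_value is None:
        return HstsCheck(False, None, False, False, ("no Strict-Transport-Security header",))
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    raw_age = directives.get("max-age", "")
    max_age = int(raw_age) if raw_age.isdigit() else None
    include_subdomains = "includesubdomains" in directives
    preload = "preload" in directives
    findings = []
    if max_age is None:
        findings.append("max-age missing or non-numeric")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below one year ({PRELOAD_MIN_MAX_AGE})")
    if not include_subdomains:
        findings.append("includeSubDomains missing")
    if not preload:
        findings.append("preload directive missing")
    return HstsCheck(True, max_age, include_subdomains, preload, tuple(findings))


def check_site(url: str) -> HstsCheck:
    """HEAD the URL over HTTPS and evaluate its HSTS header (needs network access)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_hsts(resp.headers.get("Strict-Transport-Security"))


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300", None):
        print(repr(sample), "->", parse_hsts(sample).findings or "meets preload requirements")
```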
**Password hygiene at the boundary.** WordPress login, cPanel, database admin, Stripe dashboard, email — every one of these needs 2FA on, unique passwords (a password manager — Bitwarden free, 1Password starter), and a rotation policy when an employee leaves. Most Indian SMB breaches in 2024-25 were not zero-days; they were re-used passwords on cPanel.
**Backup hygiene.** Daily backups stored OFF the same server, encrypted at rest. UpdraftPlus for WordPress (free) to S3 or Google Drive does this in 15 minutes. Test the restore quarterly — a backup you've never restored is not a backup. The DPB will ask 'how would you recover?' after any breach; 'we have backups' is not an answer.
**Vendor hygiene.** List every external service that touches user data. For each, ask: do they have SOC 2 or ISO 27001? Is the data in transit and at rest encrypted? Do we have a Data Processing Addendum on file? For Indian SMBs, the realistic answer is 'we've never asked' — fix that with one email per vendor over the next 30 days.
**Patching cadence.** WordPress core auto-updates ON. Plugins manually reviewed monthly (or use a managed WP host that handles this). Server packages updated weekly via unattended-upgrades or your host's auto-patch toggle. Out-of-date software is the single most common Section 8 finding when scanners actually log in.
These five controls take a weekend to set up and almost nothing to maintain. None of them are sophisticated. All of them are evidence you can produce in 30 seconds when the Board asks — and Section 33(2) explicitly counts 'has the Data Fiduciary cooperated and put safeguards in place' as a mitigating factor when penalties are set. That's the gap between a ₹250 crore exposure and a token reprimand.
Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.