The Digital Personal Data Protection Rules, 2025 set a hard compliance deadline of 13 May 2027 for every organisation that processes the personal data of individuals in India. This guide breaks down what the DPDP Act and Rules require at the endpoint level, and how Zecurit Endpoint Manager helps data fiduciaries get there.
The Constitution of India guarantees the right to privacy under Articles 14, 19, and 21, a position the Supreme Court reaffirmed in its landmark 2017 Puttaswamy judgment. After a decade of drafts and consultation, Parliament passed the Digital Personal Data Protection Act on 11 August 2023. It remained largely dormant until the Ministry of Electronics and Information Technology notified the DPDP Rules, 2025 on 13 November 2025, finally operationalising the law.
Unlike sector-specific frameworks, the DPDP Act applies horizontally to almost every business that touches personal data in India: HR systems, CRM platforms, e-commerce checkouts, employee laptops, and the endpoints that store, process, and transmit that data every day.
This guide translates the DPDP Act and Rules into the specific endpoint controls IT and compliance teams need, and maps each one to Zecurit Endpoint Manager capabilities.
Before mapping obligations, it helps to understand the three core roles the Act defines:
Data Principal: the individual to whom the personal data relates. For example, an employee whose name, email, and phone number sit in your HR system.
Data Fiduciary: the entity that determines the purpose and means of processing personal data. Most businesses collecting customer or employee data fall into this category.
Data Processor: an entity that processes personal data on behalf of a Data Fiduciary, such as a payroll vendor or a cloud service provider.
A subset of Data Fiduciaries may be classified as Significant Data Fiduciaries (SDFs) by the Central Government, based on the volume and sensitivity of data processed, risk of harm to data principals, and potential impact on India's sovereignty. SDFs face enhanced obligations including mandatory Data Protection Impact Assessments (DPIAs), annual independent audits, and appointing a Data Protection Officer based in India.
The Act's scope is broader than many businesses assume. It applies to:
The DPDP Rules, 2025 introduced a staggered 18-month implementation window. Organisations that treat this as a single deadline rather than a phased build will find themselves short on time.
On 13 November 2025 the DPDP Rules, 2025 were notified via Gazette G.S.R. 846(E). The Data Protection Board of India became operational, with headquarters in the National Capital Region, and the penalty framework activated.
In the next phase, Indian-incorporated entities meeting net worth thresholds can register as Consent Managers, interoperable platforms through which data principals manage, review, and withdraw consent. The opening of Consent Manager registration also marks the end of the informal "soft enforcement" phase.
By 13 May 2027, every obligation under the Act and Rules must be operational: standalone consent notices, data principal rights infrastructure, 72-hour breach protocols, retention and erasure automation, verifiable parental consent, and Rule 6 security safeguards across every endpoint that touches personal data.
The Act's principles translate into concrete technical controls at the endpoint level. The following sections map each relevant obligation to specific Zecurit capabilities.
Rule 6 requires Data Fiduciaries to implement security measures that ensure the confidentiality, integrity, and availability of personal data, including encryption, access controls, and continuous monitoring to prevent breaches. These obligations extend to any Data Processor engaged by the fiduciary.
BitLocker Management enforces drive encryption across every managed Windows endpoint, ensuring personal data at rest remains unreadable if a device is lost or stolen. Monitoring and Alerts continuously tracks firewall status, antivirus health, and BitLocker protection state, giving you the confidentiality and integrity safeguards Rule 6 requires.
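As an added example (not Zecurit's code), the following PowerShell check collects the three Rule 6 signals the paragraph names, BitLocker protection state, host firewall status and antivirus health, and emits a timestamped JSON record that can be kept as audit evidence. It assumes the built-in BitLocker, NetSecurity and Defender modules, an elevated session, and a 7-day signature-age threshold (an assumption; third-party antivirus would need its own query).

```powershell
# Added example, not Zecurit code: Rule 6 endpoint posture check for one Windows host.
# Assumes an elevated session and the built-in BitLocker, NetSecurity and Defender modules.
function Get-DpdpEndpointPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Encryption at rest: every known volume must report BitLocker protection ON.
    $unprotected = Get-BitLockerVolume |
        Where-Object { $_.VolumeType -ne 'Unknown' -and $_.ProtectionStatus -ne 'On' }
    foreach ($v in $unprotected) {
        $findings.Add("BitLocker protection is $($v.ProtectionStatus) on $($v.MountPoint) ($($v.VolumeStatus))")
    }

    # Host firewall: all profiles (Domain, Private, Public) must be enabled.
    foreach ($p in (Get-NetFirewallProfile | Where-Object { -not $_.Enabled })) {
        $findings.Add("Firewall profile '$($p.Name)' is disabled")
    }

    # Anti-malware: Defender engine and real-time protection must be on, signatures fresh.
    # Third-party AV products are not covered by Get-MpComputerStatus.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($mp.AntivirusSignatureAge -gt 7)    { $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old") }  # 7 days is an assumed threshold

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        CheckedAt = (Get-Date).ToString('o')   # ISO 8601 timestamp for the audit trail
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

$posture = Get-DpdpEndpointPosture
$posture | ConvertTo-Json -Depth 3
# A non-zero exit code lets the endpoint agent or scheduler flag the host for follow-up.
if (-not $posture.Compliant) { exit 1 }
```

Run it from a scheduled task or your endpoint agent and retain the JSON output alongside the per-host reports the article describes, so the evidence for Rule 6 accumulates continuously rather than being reconstructed at audit time.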
Rule 7 requires Data Fiduciaries to notify affected data principals without delay and submit a detailed breach report to the Data Protection Board within 72 hours, covering the nature, date, time, and impact of the breach. Detecting a breach quickly is the precondition for meeting this clock at all.
Real-time Security Alerts flag disabled antivirus, disabled firewalls, and BitLocker protection being turned off the moment they happen, rather than during a periodic scan. Device Control logs every connection attempt and blocked event with a timestamp, giving incident response teams the forensic detail needed to scope a breach within the 72-hour window.
The Act's purpose limitation and storage limitation principles only hold if personal data cannot leave the organisation through uncontrolled channels. USB drives, unauthorised cloud sync, and unmanaged peripherals are common, and largely preventable, vectors for personal data leakage.
Device Control enforces allow, block, or trusted-only policies for removable storage, Bluetooth, wireless adapters, and Windows Portable Devices, including BadUSB keystroke injection prevention. Policies are enforced even when endpoints are offline, closing a gap that purely network-based DLP tools cannot cover.
The Act's accountability principle requires Data Fiduciaries to demonstrate that only authorised personnel can access personal data, and to maintain records of who accessed what, and when. This becomes especially important for systems holding HR records, customer databases, or healthcare information.
Configuration Management's User and Group Management lets IT teams create, modify, and disable local user accounts remotely and enforce password policies from a central console. Remote Access sessions require explicit session confirmation from the end user and are governed by role-based access controls, with every session fully logged for audit purposes.
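As an added example (not Zecurit's code), this PowerShell review lists enabled local accounts that undermine the accountability principle: accounts that never logged on or have been inactive past a threshold, accounts without a required password, and accounts whose password never expires, with a flag for local administrators. It assumes the built-in LocalAccounts module (Windows 10 / Server 2016 and later), an elevated session, and a 90-day inactivity threshold (an assumption; align it with your access policy).

```powershell
# Added example, not Zecurit code: review enabled local accounts for stale or weak settings.
# Assumes the built-in LocalAccounts module and an elevated session.
function Get-LocalAccountFindings {
    param(
        [int]$MaxInactiveDays = 90,   # assumed threshold; align with your access policy
        [switch]$Disable              # opt-in remediation; report-only by default
    )
    $cutoff    = (Get-Date).AddDays(-$MaxInactiveDays)
    $adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value

    foreach ($u in (Get-LocalUser | Where-Object Enabled)) {
        $reasons = @()
        if ($null -eq $u.LastLogon)        { $reasons += 'never logged on' }
        elseif ($u.LastLogon -lt $cutoff)  { $reasons += "inactive since $($u.LastLogon.ToString('yyyy-MM-dd'))" }
        if (-not $u.PasswordRequired)      { $reasons += 'no password required' }
        if ($null -eq $u.PasswordExpires)  { $reasons += 'password never expires' }
        if ($reasons.Count -eq 0) { continue }

        # Never disable the account running the review; built-in accounts deserve a manual look.
        $disabled = $false
        if ($Disable -and $u.Name -ne $env:USERNAME) {
            Disable-LocalUser -SID $u.SID
            $disabled = $true
        }

        [pscustomobject]@{
            Host       = $env:COMPUTERNAME
            Account    = $u.Name
            LocalAdmin = ($u.SID.Value -in $adminSids)
            Reasons    = ($reasons -join '; ')
            Disabled   = $disabled
        }
    }
}

# Report-only run; add -Disable to act on the findings after review.
Get-LocalAccountFindings | Format-Table -AutoSize
```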
Rule 8 and the Third Schedule require Data Fiduciaries to define purpose-specific retention periods and erase personal data once its purpose is fulfilled. Individuals must be notified at least 48 hours before scheduled erasure. Knowing exactly what software, and therefore what data-handling applications, exist on each endpoint is foundational to enforcing this.
Software Inventory tracks every installed application with real-time version data, helping compliance teams identify which endpoints run systems that store or process personal data. Remote Script Execution can automate scheduled data cleanup tasks across thousands of endpoints simultaneously, supporting retention and erasure workflows at scale.
Rule 13 requires Significant Data Fiduciaries to conduct annual Data Protection Impact Assessments and independent compliance audits. These exercises depend on accurate, continuously updated visibility into the organisation's device and data landscape, not a one-time snapshot.
The Monitoring and Alerts module provides real-time notifications across security, hardware, software, and certificate events, feeding a continuous compliance posture rather than a periodic audit scramble. Hardware Inventory and geo-location tracking maintain the asset visibility that DPIAs and independent audits require as supporting evidence.
Rule 6 requires detailed activity logs to be retained for at least one year to support breach investigation and the Data Protection Board's review process. Scrambling to produce this evidence manually under audit pressure is precisely the failure mode regulators look for.
Compliance and Reporting provides 100+ built-in report templates, including security reports that surface BitLocker gaps, firewall status, and antivirus health across the fleet. Scheduled Report Delivery emails these reports to stakeholders automatically on a recurring basis in PDF, CSV, or XLS format, building the continuous audit trail Rule 6 expects without manual extraction.
The table below consolidates each endpoint-relevant DPDP obligation and the Zecurit features that address it; it is useful for DPIA preparation and internal compliance reviews.
| DPDP Obligation | Zecurit Endpoint Manager Capability |
|---|---|
| Reasonable Security Safeguards (Rule 6) | BitLocker Management, Security Alerts, Firewall Configuration, TPM Policy Management |
| 72-Hour Breach Detection (Rule 7) | Real-Time Security Alerts, Audit Device Logs, Hardware/Software Change Alerts |
| Preventing Unauthorised Exfiltration | Device Control, USB/Removable Storage Policies, Offline Policy Enforcement |
| Access Control and Accountability | User and Group Management, Role-Based Access, Session Confirmation and Audit |
| Data Minimisation and Retention (Rule 8) | Software Inventory, Remote Script Execution, Software Alerts |
| Continuous Monitoring (SDF, Rule 13) | Real-Time Monitoring and Alerts, Hardware Inventory, Geo Location Tracking |
| Audit Trail Retention (Rule 6) | 100+ Compliance Reports, Scheduled Report Delivery, Security Reports |
The DPDP Act and its 2025 Rules give Indian data protection law real teeth: a 72-hour breach clock, penalties up to ₹250 crore, and an 18-month runway that is already running. Most personal data breaches do not begin with a sophisticated attack on a data centre. They begin with an unencrypted laptop, an unmonitored USB port, or a local account nobody remembered to disable.
Building the endpoint controls Rule 6 demands now, rather than in the final months before 13 May 2027, gives your organisation a defensible compliance posture and the audit evidence to prove it.
Zecurit Endpoint Manager addresses the core endpoint-level obligations of the DPDP Act from a single lightweight agent and a unified management console, without separate tools to reconcile when the Data Protection Board comes asking for evidence.
Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.
To learn more about Zecurit Endpoint Manager and how it supports your DPDP compliance programme, start a free 14-day trial or contact the Zecurit team.