India's Digital Personal Data Protection Act, 2023 does not say "do a pen test". Section 8, which sets out the data fiduciary's obligations, requires "reasonable security safeguards". The draft DPDP Rules (2025) operationalise this. Once the Rules are notified, the independent data auditor that Section 10 requires significant data fiduciaries to appoint becomes the practical enforcement vehicle. Here is how that translates to a pen testing requirement.
Section 8 — what the Act actually says
A data fiduciary must implement appropriate technical and organisational measures to ensure compliance (Section 8(4)), and must protect personal data in its possession or control by taking reasonable security safeguards to prevent a personal data breach (Section 8(5)). On a breach, Section 8(6) requires intimation to the Data Protection Board and to each affected data principal; the draft Rules propose that the detailed report to the Board be filed within 72 hours and that affected data principals be told without delay.
"Reasonable security safeguards" is the operative phrase. It is deliberately not defined as a checklist; the audit requirements in the draft Rules and any future Data Protection Board guidance will fill that in.
What "reasonable" looks like in practice
Across regulators and standards (GDPR Article 32, US state safeguards and breach laws, RBI's Cyber Security Framework, ISO 27001 Annex A), "reasonable security" has converged on a common minimum:
- Encryption at rest and in transit.
- Access control with least privilege.
- Vulnerability management with documented testing — including penetration testing.
- Incident detection and response.
- Vendor risk management.
- Training and awareness.
In a post-breach DPDP inquiry, "we did annual VAPT and remediated the findings" (with the report, the tickets and the retest evidence to back it) is the artifact a Data Auditor will look for. Its absence is the first thing that will be read as unreasonable security.
Specific technical interpretations
- Personal-data-handling endpoints must be in scope. Login, signup, KYC, profile, search, export, deletion, and the admin and support tooling that reads the same records: every flow where personal data enters or leaves your system.
- Significant data fiduciaries (the higher-obligation tier notified under Section 10) must appoint an independent data auditor and conduct periodic DPIAs, which the draft Rules make annual. For them an annual VAPT is table stakes, with each finding traceable from report to ticket to retest.
- Cross-border transfers (Section 16) are subject to government restrictions, and the Section 8 obligations follow the data wherever it goes; a VAPT report covering the transfer mechanism (the export job, the partner API, the replication link) is the most defensible artifact.
- Erasure (Section 12, right to correction and erasure) must actually work, including in backups, replicas, caches, search indexes and log archives. A pen test should verify that deletion propagates to every store that holds the principal's data, not just the primary database.
- Children's data (Section 9): verifiable parental consent and age-gating flows must be tested for bypass, starting with whether the age and consent checks are enforced server-side or only in the client.
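The erasure point above is the one that most often fails in practice, because the application's "delete account" endpoint clears the primary table and nothing else. The following harness is an added example written for this page (it is not BERRY9's tooling and not from the Act or Rules): it models a constructed deployment with a primary database, a lagging read replica, a backup snapshot, a log archive and an analytics store, runs the naive application erase, then sweeps every store for the data principal's identifiers, including the hashed email that analytics pipelines commonly keep as a "pseudonymous" key. The sample records, store names and the assumption that Indian phone numbers also appear without the +91 prefix are all constructed for the example.

```python
import hashlib

# Constructed sample data principal (not a real person).
PRINCIPAL = {"email": "asha@example.com", "phone": "+919876543210"}


def email_hash(email):
    """SHA-256 of the normalised email, the kind of 'pseudonymous' key
    analytics pipelines keep. It is still linkable personal data."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def identifiers(principal):
    """Every token the sweep hunts for: raw values, a normalised
    variant, and derived hashes. Extend this with customer IDs,
    device IDs and anything else that links back to the principal."""
    email = principal["email"]
    phone = principal["phone"]
    return {
        "email": email,
        "email_hash": email_hash(email),
        "phone": phone,
        # Assumption for the example: numbers are also stored without +91.
        "phone_local": phone.replace("+91", "", 1),
    }


def build_stores(principal):
    """Constructed deployment state just before the user asks for erasure.
    Each store is a list of text records; in a real engagement these
    would be query results, S3 object listings and grep hits."""
    row = f"id=42 email={principal['email']} phone={principal['phone']}"
    local = principal["phone"].replace("+91", "", 1)
    return {
        "primary_db": [row],
        "read_replica": [row],                  # async copy of primary
        "backup_2025-05-01": [row],             # nightly snapshot
        "log_archive": [
            f"2025-05-02T09:14:01Z INFO login ok user={principal['email']} ip=203.0.113.7",
            f"2025-05-02T09:20:44Z INFO otp sent to {local}",
        ],
        "analytics": [
            f'{{"uid":"{email_hash(principal["email"])}","event":"kyc_complete"}}'
        ],
    }


def app_erase(stores, principal):
    """What a naive erasure endpoint does: delete from the primary only."""
    stores["primary_db"] = [
        r for r in stores["primary_db"] if principal["email"] not in r
    ]


def sweep(stores, principal):
    """Return {store_name: [identifier labels found]} for every store
    that still holds residue of the principal. Empty dict means clean."""
    ids = identifiers(principal)
    residue = {}
    for name, records in stores.items():
        hits = sorted(
            {label for label, token in ids.items() for r in records if token in r}
        )
        if hits:
            residue[name] = hits
    return residue


def erasure_verified(stores, principal):
    """True only when no store retains any identifier for the principal."""
    return not sweep(stores, principal)


if __name__ == "__main__":
    stores = build_stores(PRINCIPAL)
    app_erase(stores, PRINCIPAL)
    for store, labels in sweep(stores, PRINCIPAL).items():
        print(f"RESIDUE {store}: {', '.join(labels)}")
    print("erasure verified:", erasure_verified(stores, PRINCIPAL))
```

Run as-is, the harness reports residue in the replica, the backup, the log archive and the analytics store while the primary is clean, which is exactly the gap a tester should write up as a finding against the erasure obligation. The same sweep, pointed at real stores, is the test-plan step for Section 12: seed a throwaway principal, exercise the erasure flow, then search every store (including derived identifiers) before signing off.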
The Data Auditor angle
The Act requires significant data fiduciaries to appoint an independent data auditor, and the draft Rules envisage Data Auditors as a registered profession that audits compliance. A VAPT report that maps each finding to the DPDP obligation it bears on (Section 8 safeguards, Section 9 children's data, Section 12 erasure, and so on) becomes the primary evidence packet the Data Auditor relies on. Vendors that already produce ISO 27001-mapped VAPT reports can extend the same format to DPDP with minimal additional work.
Breach-notification preparedness
DPDP breach-notification is fast. A pen test should not only find the bug but also exercise your detection and response: did anyone see the scanning, the credential-stuffing attempt, the bulk export of records, and could the team have produced a breach report within the proposed 72-hour window? We optionally include a "table-top breach simulation" as part of larger engagements, useful exactly for DPDP readiness.
Do an annual VAPT covering all personal-data-handling endpoints, keep the report mapped to "reasonable security" framework controls, and verify erasure across every store as part of the test plan. That posture answers most of the technical-safeguards questions a Data Auditor will raise.
To scope a DPDP-aware engagement, see web app VAPT or API security testing.
Need a VAPT engagement scoped against this?
Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.
Book a 20-minute call →
BERRY9 IT SERVICES — VAPT Practice
Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.