If an attacker breaches your network and walks away with your data, encryption ensures they walk away with nothing they can use. In the eyes of a regulator, encrypted data is “stolen noise”; unencrypted data is a “catastrophic breach.”
Reading time: 6 minutes | Topics: Data Encryption, Zero Trust, DPDP Act 2023
Why Stolen Data is Only Dangerous if it’s Readable
In early 2024, a major Indian edtech platform suffered a breach of 8 million user records. While hackers accessed the database, the most sensitive fields—passwords and financial IDs—were encrypted. Because the attackers couldn’t monetize a string of unreadable characters, the breach was manageable rather than fatal.
The Two Pillars of Encryption
To meet “reasonable safeguard” standards, you must protect data in both its states:
1. Encryption at Rest (The Vault)
This protects data sitting on hard drives, servers, database volumes, backups and cloud buckets.
- The Scenario: A sales manager’s laptop is stolen at an airport.
- The Fix: With Full Disk Encryption (FDE) such as BitLocker or FileVault, the thief cannot read any files without the user’s passphrase or the recovery key. The caveat: FDE only protects a device that is powered off or locked. A running, unlocked machine, or a server an attacker reaches through the application, serves up plaintext as usual. That is why the edtech breach above was survivable: the sensitive fields themselves were encrypted inside the database, not just the disk underneath it.
2. Encryption in Transit (The Secure Tunnel)
This protects data as it travels—from a customer’s browser to your server, or between your office and the cloud.
- The Scenario: An attacker intercepts Wi-Fi traffic at a cafe while an employee logs into the HR portal.
- The Fix: TLS (Transport Layer Security), the technology behind https://, ensures that intercepted traffic is unreadable to the attacker and that any tampering in transit is detected.
Quick Check: Look at your company URL. If the browser shows no padlock, the page is served over plain HTTP and every form field on it, logins included, travels in “plaintext.” The padlock only vouches for the page you are looking at, so also confirm that HTTP redirects to HTTPS, that HSTS is enabled, and that APIs, admin panels and internal service-to-service links use TLS as well. An unencrypted login page is a high-priority gap under DPDP’s “reasonable safeguard” requirement. Fix it today.
Key Management: Don’t Hide the Key Under the Doormat
Encryption is only as strong as your Key Management. Storing your encryption keys on the same server as your data is like locking your front door but leaving the key in the lock.
- KMS (Key Management Systems): Services such as AWS KMS or Azure Key Vault hold the master keys outside your servers, hand applications only wrapped data keys (or perform the cryptographic operation on their behalf), and write an audit-log entry for every use. Who may call a key is governed by identity policy, separately from who can read the database, so a compromised database account alone does not yield usable keys.
- HSMs (Hardware Security Modules): For banks and “Significant Data Fiduciaries,” tamper-resistant hardware that never exports key material is the gold standard for key protection.
Encryption and the DPDP Act 2023: The “Safe Harbor”
The DPDP Act requires “reasonable” safeguards. While the law is technology-neutral, the 2025 Rules and global standards (like ISO 27001) point to these minimums:
| Category | Standard | Why? |
| --- | --- | --- |
| Data at Rest | AES-256, in an authenticated mode such as AES-GCM | The global banking and government standard; the authenticated mode also detects tampering with stored ciphertext. |
| Data in Transit | TLS 1.2 or 1.3, with SSL and TLS 1.0/1.1 disabled | Prevents “Man-in-the-Middle” interception and protocol downgrade. |
| Passwords | A salted, deliberately slow password hash: Argon2id, bcrypt, scrypt or PBKDF2 | A plain fast hash such as SHA-256 can be guessed at billions of attempts per second once the database is stolen; a salted, slow hash makes every guess expensive and defeats precomputed tables. |
The Legal Advantage: If you can prove to the Data Protection Board (DPB) that stolen data was encrypted with industry-standard algorithms and the keys were not compromised, you can argue that no “harm” was caused to the Data Principal. This is your strongest defense against the maximum ₹250 crore penalty.
4 Common Mistakes to Avoid
- Hardcoding Keys: Never leave encryption keys in your application’s source code, configuration repositories or container images. Attackers find them in minutes, and a key committed to git stays in the history long after it is “deleted.”
- Forgetting Backups: Organizations often encrypt their live database but leave backup tapes, cloud snapshots, log exports and analytics copies in plaintext. The safeguard has to cover every copy of the data, not only the primary one.
- Using Broken Algorithms: MD5 and SHA-1 are “broken” (practical collisions have been demonstrated) and, like any fast hash, are unsuitable for password storage. Relying on them in 2026 would be very hard to defend as a “reasonable safeguard” under DPDP.
- No Key Rotation: The longer one key stays in use, the more copies, backups and people have had a chance to expose it. Rotate keys on a schedule (annually is a common baseline), keep retired versions available for decrypting older data, and use envelope encryption so rotation only re-wraps the per-record data keys instead of re-encrypting every record.
Recommended Solutions
- Thales CipherTrust: The enterprise leader in India for managing keys across hybrid environments.
- Microsoft BitLocker: Free, built-in encryption for Windows—essential for every corporate laptop.
- Azure Key Vault / AWS KMS: The go-to for cloud-native encryption.
- IBM Guardium: Specialized for encrypting sensitive fields within large, complex databases.
The Bottom Line
Encryption doesn’t stop the thief from entering the house, but it ensures that when they open the jewelry box, they find nothing but locked steel. For an Indian business, it is the difference between a “security incident” and a “business-ending catastrophe.”