Ransomware attacks in India have more than doubled in the last two years. In every high-profile recovery story, the hero isn’t a hacker or a negotiator—it’s a robust, tested backup strategy.
Reading time: 5 minutes | Topics: Business Continuity, Ransomware, DPDP Compliance
When Everything Goes Wrong: A Cautionary Tale
In early 2024, a Chennai-based logistics firm started its Monday morning with every server encrypted. The ransom? ₹85 lakh in cryptocurrency. Because they had no offsite backup, they faced a devastating choice: pay a criminal with no guarantee of recovery or lose five years of operational data.
This is the “new normal.” Whether it’s ransomware, hardware failure, or accidental deletion, a backup is the only thing that transforms a catastrophe into a minor inconvenience.
The 3-2-1 Rule: The Gold Standard
To satisfy the “reasonable safeguards” clause of the DPDP Act, your strategy should follow this globally recognized framework:
- 3 Copies of Data: Your live production data plus two backup copies.
- 2 Different Media: Store backups on different types of storage (e.g., one on a local NAS, one in the cloud).
- 1 Copy Offsite/Offline: Keep one copy in a separate physical location or “air-gapped” (disconnected from the network) so ransomware cannot reach it.
Modern Backup Types You Need to Know
| Backup Type | How it Works | Why it Matters for DPDP |
| --- | --- | --- |
| Incremental | Only backs up what changed since the last backup. | Saves bandwidth and storage, which makes frequent backups practical and keeps the “Recovery Point Objective” (RPO) low. |
| Immutable | Cannot be deleted or encrypted, even by an admin. | The ultimate defense against ransomware that tries to “kill” your backups first. |
| Snapshot | Point-in-time “photos” of entire servers. | Allows you to restore an entire system in minutes, not days. |
Backup and the DPDP Act 2023: The Legal Connection
Many organizations overlook that the DPDP Act considers the “accidental destruction” of data a reportable breach.
- Availability & Integrity: The Act mandates that personal data must be available and accurate. A failed server with no backup is a direct violation of this duty.
- The “Right to Erasure” Challenge: Under Section 12, a “Data Principal” (user) can ask you to delete their data. This is tricky with backups. Your backup solution must be granular enough to find and remove specific records without destroying the entire archive.
- Breach Mitigation: If you can prove to the Data Protection Board that you restored data within hours from a clean backup, your “harm assessment” (and subsequent penalty) will be significantly lower.
Compliance Alert: A backup you have never tested is not a backup—it’s a wish. The DPDP Rules suggest that “reasonable safeguards” include regular testing of recovery procedures.
Top Backup Solutions for 2026
- Veeam Data Platform: The “powerhouse” for hybrid environments. Excellent for creating Immutable Backups that ransomware can’t touch.
- Acronis Cyber Protect: Combines backup with AI-malware scanning. If a backup contains a virus, Acronis flags it before you “restore” the infection.
- Druva: A 100% SaaS, India-born global leader. Perfect for backing up remote laptops and Microsoft 365/Google Workspace data without buying hardware.
- AWS / Azure Backup: The best choice for organizations already running their workloads in the public cloud.
The “Restore” Test: The Step Everyone Skips
At least once a quarter, your IT team should perform a “Fire Drill” and record two numbers:
- RTO (Recovery Time Objective): How long did it take to get the system back up? (Goal: Minutes/Hours)
- RPO (Recovery Point Objective): How much data did we lose? (Goal: Less than 24 hours of data)
The Bottom Line
Under the DPDP Act, the inability to recover customer data isn’t just an IT failure—it’s a legal liability. A robust 3-2-1 backup strategy is your most cost-effective “insurance policy” against both hackers and regulators.





