Obligation 1 — Appropriate technical and organisational measures
The first Schedule I obligation requires data fiduciaries to implement 'appropriate technical and organisational measures' commensurate with the volume, sensitivity, and risk profile of the personal data being processed. In practice: encryption at rest (database, file storage, backups), encryption in transit (TLS 1.2+), key management (rotation, HSM where applicable), secure software development lifecycle, and periodic code review. The threshold of 'appropriate' is risk-proportional — a payments fintech faces a higher bar than a brochureware website.
Obligation 2 — Reasonable security safeguards against breach
Operational controls to prevent unauthorised access: access control (least-privilege, MFA, periodic access review), network segmentation, endpoint protection, intrusion detection, vulnerability management (patching SLA, annual VAPT), backup integrity. This is the obligation most often tested against in post-breach analysis: what controls were in place, whether they were actually exercised, and whether a reasonable level of adversary effort was enough to bypass them.
Obligation 3 — Breach response and notification
Capability to detect, contain, and respond to a personal data breach, and to notify the Data Protection Board within the prescribed time (currently 72 hours from awareness, per draft rules). Requires a documented incident response plan, defined breach severity bands, communication templates, and tested executive escalation paths.
Obligation 4 — Periodic audit and review
The schedule expects a regular cadence — typically annual — of independent technical review. VAPT is the primary evidence artifact: a third-party-attested vulnerability assessment showing the safeguards were tested and findings remediated. Bachao.AI runs annual VAPT scan cycles with Schedule I mapping built in; your hired auditor reviews the output and attests.
Obligation 5 — Retention limits
Personal data must be deleted once the original purpose is complete and no other lawful basis to retain exists. Requires data lifecycle tracking, automated retention policies in data stores, and verifiable deletion workflows. The schedule explicitly cites deletion failure as a breach-multiplier.
Obligation 6 — Vendor / processor risk management
Where personal data is processed by a third party (cloud provider, payment processor, analytics platform, support tooling), the data fiduciary must flow Schedule I obligations down via contract and verify compliance via vendor audits. The fiduciary remains liable even when the breach originates with the processor.
Obligation 7 — Logging and audit trail
Every event that touches personal data must produce a tamper-evident log entry: who accessed what data, when, from which network, for what stated purpose, and under which authorisation. Logs must be retained for at least the regulator-specified period (currently a year per draft rules) and made available on Board request.
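As an added illustration of the tamper-evident entry this obligation describes (example code written for this page, not Bachao.AI's tooling or any regulator-prescribed format), the following hash-chains each entry to its predecessor so that editing or deleting an earlier record is detected on verification; the field names and sample values are assumptions.

```python
import hashlib
import json

# The six facts the obligation asks for: who, what, when, from where, why, under which authorisation.
REQUIRED_FIELDS = ("actor", "resource", "timestamp", "source_ip", "purpose", "authorisation")
GENESIS = "0" * 64  # constant anchor used as the first entry's previous-hash link


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the canonical JSON of one record together with the previous entry's hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(log: list, **fields) -> dict:
    """Append one access event; refuses a record missing any mandated field."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit entry missing fields: {missing}")
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"prev_hash": prev_hash, "record": dict(fields)}
    entry["hash"] = _entry_hash(prev_hash, entry["record"])
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return None if the chain is intact, else the index of the first entry whose link or hash fails."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:      # an entry before this one was removed or reordered
            return i
        if _entry_hash(prev_hash, entry["record"]) != entry["hash"]:  # this record was edited
            return i
        prev_hash = entry["hash"]
    return None


if __name__ == "__main__":
    # Constructed sample events (hypothetical service, resource and addresses).
    log = []
    append_entry(log, actor="svc-billing", resource="customer/4711/pan", timestamp="2024-03-01T10:00:00Z",
                 source_ip="10.0.4.12", purpose="invoice_generation", authorisation="role:billing-read")
    append_entry(log, actor="analyst-7", resource="customer/4711/email", timestamp="2024-03-01T10:05:00Z",
                 source_ip="10.0.9.3", purpose="support_ticket_1182", authorisation="approval:mgr-22")
    print(verify_chain(log))                     # None: chain intact
    log[0]["record"]["purpose"] = "marketing"     # constructed after-the-fact edit of the stated purpose
    print(verify_chain(log))                     # 0: first entry no longer matches its hash
```

The chain only proves integrity relative to its latest hash, so that head value has to be anchored somewhere the log writer cannot alter (a periodic signature, or a copy in write-once storage); otherwise an attacker with write access to the log can simply recompute the chain.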
How Bachao.AI helps you meet Schedule I
Bachao.AI's VAPT + DPDP gap analysis is the technical-controls evidence pack for obligations 1, 2, 4, and 7. The deliverable: a CERT-In aligned VAPT report with Schedule I mapping per finding, a gap matrix showing which obligations need additional work, and a remediation roadmap prioritised by Board penalty exposure. For obligations 3, 5, and 6, we provide a compliance partner network introduction (DPDP-specialised CAs and consent management platforms).