• Determine if and when your organization is subject to DPDPA
• Legally assess the use of publicly sourced data
• Understand compliance checkpoints for outreach, marketing, and member engagement
• Structure your internal data handling policies with lawful purpose and consent
• Prepare your organization for data breaches and subject access requests

Session 1: Introduction & Applicability

Understanding the DPDPA Framework

• Purpose and background of the DPDP Act, 2023
• Evolution of privacy laws in India
• Overview of the DPDP Rules, 2025

Scope of the Act: Who Must Comply?

• Applicability to private companies, NGOs, religious institutions, and government bodies
• Cross-border applicability for global organizations
• Exemptions: personal/domestic use, public disclosures by the Data Principal, research and statistics

Real-Life Applicability – Interactive Discussion

• Are NGOs subject to the DPDP Act?
• Does the Act apply to religious organizations collecting devotees' data?

Session 2: Core Concepts & Definitions

Key Terms and Roles Under the DPDPA

• Personal Data, Digital Personal Data, Data Fiduciary, Data Principal
• Consent Manager and Significant Data Fiduciary
• Role of the Data Protection Board of India

Understanding “Processing” and its Implications

• What constitutes processing under DPDPA
• Data lifecycle: collection to deletion

Publicly Available Data – What the Law Says

• Is DPDPA triggered if I collect someone's name or phone number from their website?
• Must I comply before I make contact, or only once they engage with me?
• Legal interpretation: voluntary disclosure vs unsolicited processing
• Doctrine of legitimate use and notice compliance

Session 3: Consent, Notice & Data Rights

Lawful Basis of Processing: The Role of Consent

• Essentials of valid consent: free, specific, informed, unambiguous
• Granularity, withdrawal mechanism, and bundling restrictions
• Special cases: employment, emergencies, legal obligations

Notice Requirements and Responsibilities

• What information must be given to the data principal
• Language, format, clarity, and accessibility of notices
• Data Fiduciary’s duty to retain evidence of consent and notice

Case Analysis

• How businesses must treat a phone number fetched from a public site
• What if a customer withdraws consent post initial outreach?

Session 4: Sensitive Data, Security & Organizational Compliance

Sensitive Personal Data & Biometric Identifiers

• Do photographs, hand impressions, or facial data count as personal data?
• Interpretation based on identifiability and digital capture
• Treatment of biometric and visual data under the Act

Security Obligations of Data Fiduciaries

• Encryption, masking, access control, logging, backups
• Vendor contracts and processor obligations
• Breach notification procedures and 72-hour compliance rule

Data Retention, Erasure, and Inactivity Rules

• Auto-deletion of inactive users
• Rules for retaining data after service termination
• Mandatory destruction post withdrawal of consent

Session 5: Individual Rights, Compliance tools & Case Studies

Empowering the Data Principal

• Right to access, correction, erasure
• Mechanisms for redressal and verification
• Publishing rights request channels and contact points

Sector-Specific Case Studies

• Outreach-based NGOs, online retailers, healthcare providers, religious bodies
• Compliance workflows for small teams vs large enterprises

Session 6: Children’s Data, Automated Deletion & Future Readiness

Special Provisions for Minors and Guardians

• Parental/guardian consent requirements
• Bans on targeted ads and tracking of children
• Verification protocols for under-18 users

Inactivity Rules & Auto-Deletion Mandates

• Mandatory data purge for large digital platforms
• Inactivity timelines and advance notice requirements

Preparing for DPDPA Compliance

• Building internal checklists
• Creating consent logs and activity reports
• Role of DPOs, consultants, and legal teams

Session 7: Digital Data Protection as a Fundamental Right

The Constitutional and Societal Context

• Right to privacy under Article 21 of the Constitution (Puttaswamy judgment)
• Role of the state and private entities in protecting individual digital autonomy

Data Dignity and Digital Empowerment

• Why personal data is central to identity, autonomy, and trust
• Ethical handling of data in the digital economy

Building a Culture of Digital Responsibility

• From compliance to accountability
• The role of transparency, trust, and citizen awareness in data protection

Sakshi Madan - Founder, Samantha Legal | Corporate & Employment Law Expert