| Part | You will learn |
|---|---|
| 1 · Orientation | What the course covers, why it matters, and how to use it. |
| 2 · Why it matters | Real harm scenarios, duty of care, and privacy as a right. |
| 3 · The basics | Personal vs sensitive data, ‘processing’, the data lifecycle, GDPR contrast. |
| 4 · Meet the Act | History, scope, extra-territorial reach, and the 2025 Rules timeline. |
| 5 · The key roles | Data Principal, Fiduciary, Processor, SDF, Consent Manager, the Board. |
| 6 · Consent & notice | The consent standard, itemised notice, children, exemptions. |
| 7 · Rights & duties | Access, correction, erasure, grievance, nomination — and principal duties. |
| 8 · Fiduciary duties | Purpose limits, security, breach notice, retention, SDF extras, transfers. |
| 9 · Enforcement | The Board, complaints, the penalty schedule, worked scenarios. |
| 10 · Do it now | Data map, consent forms, retention, breach plan, contracts, checklist. |
| Where it comes from | What it contains | Why it is sensitive |
|---|---|---|
| Baseline & survey forms | Name, age, caste, income, phone, GPS location | Can identify and target the poorest households |
| Beneficiary MIS / Excel | Attendance, entitlements, bank/Aadhaar-linked IDs | Financial fraud and exclusion risk if leaked |
| Case files (GBV, child protection) | Abuse history, medical notes, family details | Can endanger a survivor’s life |
| Health programmes | HIV, TB, disability, mental-health status | Stigma, discrimination, blackmail |
| HR & volunteers | ID proofs, salary, references, photos | Employee privacy and identity theft |
| Donors & grants | Contact details, giving history, PAN | Financial and reputational exposure |
| Category | Examples in NGO work | Harm if exposed |
|---|---|---|
| Health | HIV, TB, disability, pregnancy, mental health | Stigma, job and housing loss |
| Identity markers | Caste, religion, tribe, sexual orientation | Discrimination, targeted violence |
| Protection cases | GBV, trafficking, child abuse records | Physical danger to survivors |
| Financial | Bank, Aadhaar-linked IDs, transfer amounts | Fraud, extortion, exclusion |
| Location | Home GPS, shelter addresses | Stalking, re-victimisation |
| Children | Names, photos, school and family details | Exploitation, safeguarding failure |
| Stage | The core question | Your duty |
|---|---|---|
| Collect | Do we truly need this field? | Collect only what the purpose requires (minimisation) with notice and consent. |
| Store | Where does it live and who can open it? | Secure it — access limits, passwords, encryption, backups. |
| Use | Is this the purpose we told the person? | Use only for the stated purpose; get fresh consent for anything new. |
| Share | Who else sees it and under what rule? | Share only with a lawful basis and a contract binding the recipient. |
| Retain | Is the purpose still active? | Keep it only as long as needed for the purpose or the law. |
| Delete | Can we now safely erase it? | Delete securely when the purpose ends, unless a law requires keeping it. |
| Theme | GDPR (EU) | DPDP Act (India) |
|---|---|---|
| Person | Data subject | Data Principal |
| Organisation | Controller / processor | Data Fiduciary / Data Processor |
| Sensitive data | Special categories with extra rules | No separate category — one standard for all |
| Lawful bases | Six bases incl. legitimate interests | Consent plus a defined set of ‘legitimate uses’ |
| Child age | 16 (member states may lower to 13) | Under 18 — verifiable parental consent |
| Transfers | Restricted unless adequacy/safeguards | Allowed by default; govt may restrict countries |
| Breach report | 72 hours to supervisory authority | Report to the Board within 72 hours |
| When | What switches on |
|---|---|
| 11 Aug 2023 | The Act receives Presidential assent (Act No. 22 of 2023). |
| 13 Nov 2025 | DPDP Rules notified; foundational provisions and the Data Protection Board take effect. |
| ~12 months later | Consent Manager registration and obligations commence. |
| ~18 months later | The main operational duties — notice, security, breach reporting, retention, children’s consent, SDF duties, transfers — become enforceable. |
| Situation | Treatment under the Act |
|---|---|
| Personal or domestic use | An individual using data for purely personal reasons is not a Data Fiduciary. |
| Publicly available data | Data an individual has themselves made public, or that must be published by law, is treated differently. |
| Research, archiving, statistics | Processing for these purposes may be exempt from many duties, subject to conditions — provided it is not used for decisions about a specific person. |
| Certain State functions | The government can exempt notified agencies for reasons like national security or public order. |
| Legal claims & regulators | Processing needed to enforce a legal right or comply with a legal duty is permitted. |
| Startups (if notified) | The government may relax some duties for classes of Data Fiduciaries it notifies. |
| Part of the Act | What it deals with |
|---|---|
| Preliminary | Short title, commencement, and the definitions that anchor the whole law. |
| Obligations of Data Fiduciaries | Grounds for processing, notice, consent, security, breach notice, children’s and SDF duties. |
| Rights & duties of Data Principals | Access, correction, erasure, grievance, nomination — and the duties on individuals. |
| Special provisions | Cross-border transfer, exemptions, and processing by the State. |
| Data Protection Board | Establishment, composition, powers and functions of the regulator. |
| Penalties & appeals | The penalty schedule, adjudication, voluntary undertakings and the appellate route. |
| The Schedule | The table of maximum financial penalties for each type of failure. |
| Principle | Your operational duty |
|---|---|
| Lawful & transparent | Process only on consent or a legitimate use, and give a clear notice first. |
| Purpose limitation | State the purpose; do not reuse data for a new purpose without fresh consent. |
| Minimisation | Cut every field from your form that the stated purpose does not require. |
| Accuracy | Have a process to correct and update data on request. |
| Storage limitation | Set a retention period and delete when it ends. |
| Security | Apply access controls, passwords, encryption and backups. |
| Accountability | Keep a policy, records, and a named responsible person. |
| Aspect | Before (IT Act / SPDI Rules) | Now (DPDP Act & Rules) |
|---|---|---|
| Coverage | Only ‘sensitive personal data’ had real rules | All personal data covered by one standard |
| Individual rights | Minimal and rarely usable | Clear rights to access, correct, erase, complain |
| Regulator | No dedicated data-protection authority | Data Protection Board of India |
| Consent | Vague and often bundled | Free, specific, informed, unambiguous; withdrawable |
| Breach duty | Limited and unclear | Notify affected persons and the Board within 72 hours |
| Penalties | Low and hard to enforce | Structured schedule up to ₹250 crore |
| Actor | Role under the Act |
|---|---|
| The mother enrolled in the programme | Data Principal |
| Her child under 18 | Data Principal, represented by the mother/guardian |
| The NGO deciding what to collect and why | Data Fiduciary |
| The mobile survey app storing the forms | Data Processor (needs a contract) |
| The cloud host behind the app | Sub-processor in the chain |
| The NGO’s grievance officer | Contact point for rights and complaints |
| The Data Protection Board | Regulator, if a complaint is escalated |
| Role | Decides purpose? | Key duty |
|---|---|---|
| Data Principal | No — holds rights | Exercise rights honestly; do not mislead |
| Data Fiduciary | Yes | Meet all core duties; stay accountable |
| Data Processor | No — acts on instruction | Process only under contract; secure the data |
| Significant Data Fiduciary | Yes, at scale/high risk | Extra: DPO, data auditor, DPIA |
| Consent Manager | No — serves the individual | Enable give/withdraw consent; keep records |
| Data Protection Board | No — enforces | Investigate breaches; impose penalties |
| Exemption area | What it allows | The catch |
|---|---|---|
| Research & statistics | Processing for research, archiving or statistics | Only if not used for decisions about a specific person; conditions apply |
| Legal rights | Processing to enforce or defend a legal claim | Limited to that purpose |
| Notified State agencies | Government may exempt certain bodies | For defined reasons like security and public order |
| Publicly available data | Data the person made public themselves | Does not cover data that merely leaked |
| Startups (if notified) | Relaxation of some duties | Only for classes the government notifies |
| Right of the individual | What you must do |
|---|---|
| Access (Sec 11) | Provide a summary of data held, uses, and who it was shared with. |
| Correction & erasure (Sec 12) | Fix, complete or delete data on valid request. |
| Grievance redressal (Sec 13) | Offer an accessible complaint channel and respond in time. |
| Nomination (Sec 14) | Honour a valid nominee acting for a deceased or incapacitated person. |
| Duty | Purpose |
|---|---|
| DPO in India | A senior, accountable person owning data protection |
| Independent audit | External check that duties are actually met |
| Periodic DPIA | Assess and reduce risk before harm occurs |
| Obligation | The one-line test |
|---|---|
| Lawful basis | Do we have consent or a legitimate use for every use? |
| Notice | Did we tell people what, why, and how to exercise rights? |
| Purpose limitation | Are we using data only for the stated purpose? |
| Minimisation | Have we cut every field we do not need? |
| Accuracy | Can people correct their data easily? |
| Security | Is access limited, and are devices and files protected? |
| Breach response | Can we notify people and the Board within 72 hours? |
| Retention | Do we delete data when its purpose ends? |
| Contracts | Is every vendor bound by a data contract? |
| Failure | Maximum penalty |
|---|---|
| Failure of reasonable security safeguards | Up to ₹250 crore |
| Failure to notify a personal data breach | Up to ₹200 crore |
| Breach of obligations regarding children’s data | Up to ₹200 crore |
| Breach of additional obligations of an SDF | Up to ₹150 crore |
| Breach of a Data Principal’s duties | Up to ₹10,000 |
| Breach of any other provision | Up to ₹50 crore |
| Myth | Fact |
|---|---|
| ‘Non-profits are exempt from penalties.’ | The Act has no non-profit carve-out; duties and penalties apply to all Fiduciaries. |
| ‘We’ll be fined ₹250 crore for any slip.’ | That is a ceiling for the worst failures; the Board sets penalties proportionate to gravity. |
| ‘If we hide a breach, no one will know.’ | Concealment is itself a heavily penalised failure — up to ₹200 crore. |
| ‘The Board will audit us out of the blue.’ | Action typically follows a complaint or a known breach, not random audits. |
| ‘There’s no way to challenge a penalty.’ | Orders can be appealed to the Appellate Tribunal and the courts. |
| ‘Cooperating makes no difference.’ | Mitigation and voluntary undertakings can reduce or avoid penalties. |
| Column | What to record |
|---|---|
| Data type | e.g. beneficiary survey, case files, donor list, HR records |
| Fields | The actual data points collected (name, phone, health, bank…) |
| Purpose | Why you collect it and the lawful basis (consent / legitimate use) |
| Location | Every place it lives: laptops, cloud, app, paper, inboxes, backups |
| Access | Who can open it |
| Sharing | Which processors, partners or donors receive it |
| Retention | How long you keep it and when it is deleted |
| Myth | Fact |
|---|---|
| ‘DPDP is only for big tech companies.’ | It applies to any organisation processing personal data, including NGOs. |
| ‘Consent once given lasts forever.’ | People can withdraw consent at any time, as easily as they gave it. |
| ‘Anonymised means just removing the name.’ | True anonymisation is hard; rare attribute combinations can re-identify people. |
| ‘Paper records are outside the law.’ | Once digitised — which is almost always — the duties apply. |
| ‘A child is anyone under 13.’ | In India a child is anyone under 18, needing verifiable parental consent. |
| ‘Using a foreign cloud moves data out of scope.’ | You remain the accountable Fiduciary wherever the data is hosted. |