
Learn the seven core principles of DPDP—consent and transparency, purpose limitation, data minimalization, accuracy, storage limitation, security safeguards, and accountability—and apply them to everyday data decisions.
Understand the DPDP Act's scope: who is covered, extraterritorial reach, exemptions such as startups and MSMEs, including WhatsApp, and a three-question framework to map digital personal data flows.
Explore significant data fiduciaries and their four extra obligations—appointing a data protection officer in India, annual data protection impact assessments, independent audits, and algorithmic accountability—plus data transfer restrictions.
Learn how data fiduciaries manage third-party tools and subprocessors under dpdp, enforce security safeguards, update data processing agreements, and maintain a live data processing register for ongoing vendor oversight.
India now has a data protection law with teeth.
The Digital Personal Data Protection Act 2023 — and the DPDP Rules 2025, notified in November 2025 — is India's first comprehensive, enforceable data privacy framework. With penalties reaching up to Rs.250 crore per violation and a full compliance deadline of May 13, 2027, this is no longer a 'we'll deal with it later' conversation. It's a boardroom priority.
But most of what's been written about DPDP is written by lawyers, for lawyers. Dense, jargon-heavy, and almost entirely useless if you're the founder deciding what data to collect, the product manager designing a consent flow, or the HR leader figuring out how long to keep ex-employee records.
This course is different. It's built and taught from a product and business leadership perspective — because that's where compliance actually lives. Not in legal memos. In the daily decisions your teams make about data.
What you'll cover:
Section 1 builds the foundation. You'll understand where the DPDP Act came from — the Supreme Court's landmark Puttaswamy privacy judgment, the long road from the IT Act 2000 to the IT Rules 2011, and why India finally needed a dedicated data protection law. You'll learn the 7 core principles the law is built on — consent, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability — with real examples from Indian businesses. And you'll work through the scope: who this law applies to, what's exempt, and how the extraterritorial provisions affect companies outside India that serve Indian users.
Section 2 maps the ecosystem. The DPDP framework introduces a set of defined roles that every organisation needs to understand. Data Principals — your users — have legally enforceable rights: access, correction, erasure, consent withdrawal, and grievance redressal. Data Fiduciaries — you — have core obligations: compliant consent notices, security safeguards, breach notification, data retention and erasure policies, and a named Grievance Officer. Significant Data Fiduciaries — a designated high-stakes tier — face additional requirements including a Data Protection Officer, annual DPIAs, independent audits, and algorithmic accountability. Consent Managers introduce an entirely new consent orchestration layer unique to India. And Data Processors — your vendors — fall within your accountability boundary.
Section 3 makes it actionable. You'll walk through the three-phase compliance timeline, understand how the Data Protection Board enforces penalties up to Rs.250 crore, and build a practical 6-step compliance programme — data mapping, gap analysis, consent infrastructure, governance, security, and team training — ready to take back to your organisation the same week.