Explains the core obligations placed on Data Fiduciaries by the DPDP Act and translates these into concrete responsibilities and behaviours expected from individual employees in their day-to-day work.
After completing this subject, learners will be able to describe the main obligations of Data Fiduciaries under the DPDP Act, including accountability for processors, purpose limitation, data minimisation, accuracy, security safeguards, retention and deletion, and grievance redressal. They will be able to connect each high-level obligation to specific, practical behaviours, such as collecting only necessary data, keeping records up to date, following security protocols, respecting retention schedules and channelling grievances appropriately.
This topic focuses on the accountability principle embedded in the DPDP Act, clarifying that the Data Fiduciary is responsible for ensuring compliance with the law even when processing is outsourced to Data Processors. It reinforces that agreements or internal delegations do not reduce legal responsibility. The topic explains how this shapes expectations for employees: due diligence on new tools must involve privacy checks; vendor contracts must include data protection clauses; and internal practices must align with published policies and notices. Practical examples include choosing between two SaaS tools with different privacy postures, onboarding a new background verification agency, or proposing a new analytics project. Learners appreciate that their recommendations and day-to-day choices can have significant compliance impact because the organisation as Data Fiduciary will be answerable for any misuse or breach.
This topic unpacks three key principles: collect only what is necessary (data minimisation), use data only for the purposes stated in the notice or permitted by law (purpose limitation), and keep data complete, accurate and consistent when it is used to take decisions or shared with others (accuracy). Through examples, it shows how forms, questionnaires, onboarding templates, CRM fields and analytics dashboards often ask for more data than they genuinely need. It encourages employees to critically evaluate data fields, remove unnecessary ones and avoid re-using data for new purposes without checking legal and policy requirements. The topic also stresses the importance of promptly updating records when individuals provide corrections and avoiding duplicative or inconsistent entries across systems. Learners see how small, everyday choices can significantly reduce privacy risk.
This topic clarifies that under the DPDP Act, Data Fiduciaries must not retain personal data for longer than necessary to fulfil the stated purpose or comply with legal obligations, and should erase or anonymise data when it is no longer needed. It explains, with examples, how retention schedules work for HR records, customer information, CCTV footage, logs and marketing lists. The topic highlights the risks of over-retention, such as larger breach impact and regulatory penalties. It also covers practical challenges like scattered copies of data in email attachments, local folders and collaboration tools. Learners receive guidance on regular clean-up practices, using official systems instead of personal storage, and following documented procedures for defensible deletion or archiving. The topic reinforces that good record keeping and disciplined deletion are core to DPDP compliance, not merely housekeeping tasks.
This topic links the legal obligation to maintain a grievance redressal mechanism with the organisation’s internal processes. It explains where employees can find the official grievance contact details and privacy policy, both for their own use and to share with Data Principals who raise concerns. The topic walks through the typical stages of grievance handling: intake, acknowledgement, investigation, response and closure. It stresses that employees should not ignore privacy complaints or try to resolve complex issues informally without documentation. Scenarios illustrate when it is appropriate to escalate to HR, Legal, the Data Protection Officer or the information security team, especially if a complaint suggests systemic issues or potential breaches. Learners understand that timely escalation helps the organisation meet DPDP timelines and reduces legal risk.
This topic explains that the DPDP Act requires Data Fiduciaries to implement reasonable technical and organisational security safeguards to protect personal data against unauthorised access, use, alteration, disclosure or destruction. It translates this into simple behaviours for employees: using strong, unique passwords and multi-factor authentication; locking devices; avoiding unattended screens; not sharing accounts; using approved, encrypted channels for file sharing; and being cautious of phishing emails and social engineering attempts. It underscores that following IT and security policies is not optional but a legal compliance requirement. The topic also touches on secure configuration of cloud tools, proper disposal of physical documents, and the importance of promptly installing security updates on authorised devices. Learners are encouraged to see themselves as the first line of defence against data breaches, with clear examples of how minor lapses have led to major incidents elsewhere.