IIT Bombay, in collaboration with the Ministry of Electronics and IT (MeitY) and the Bureau of Indian Standards, is conducting a workshop to elicit stakeholder views on the practical aspects of implementing the Digital Personal Data Protection Act 2023.

India has taken a significant step in safeguarding personal data with the enactment of the Digital Personal Data Protection (DPDP) Act 2023. With the legislative process now complete, the focus is steadily shifting towards implementation — a critical phase that requires proactive collaboration across sectors to ensure the Act’s objectives are effectively met.

As organisations prepare to align their processes with the new regulatory framework, a range of procedural and practical challenges are beginning to emerge. Addressing these challenges early on will be key to successful, sustainable compliance and the protection of digital rights in India.

To facilitate this vital conversation, the Ashank Desai Centre for Policy Studies and IITB Trust Lab in collaboration with the Ministry of Electronics and Information Technology (MeitY) and the Bureau of Indian Standards (BIS), are pleased to announce an interactive, participative workshop designed to gather insights from stakeholders and explore practical solutions.

Overview of the Act

Representatives from MeitY will present an overview of the DPDPA 2023, highlighting the Act’s key provisions.

Key Discussion Points

  • A brief discussion around the aim of the Act: to protect personal data while enabling its processing.
  • The Act is intended to be SARAL: Simple, Accessible, Rational and Actionable.
  • The priority of the law is ‘individual consent’ for the use of personal data.
  • The Act prioritises ease of doing business.
  • Data may be processed without consent only for certain legitimate uses, for example where the State or its agencies perform their functions under law.

Breakout Session Questions

  1. What procedure will the Data Protection Board follow? Will it be the Code of Civil Procedure or something else? 
  2. How will alleged violations of the provisions of the Act be investigated? 
  3. What are the practical impediments to a completely digital office for the Data Protection Board? 
  4. What kind of technological intervention can help entities comply with the DPDP Act? 

Role of Standards

Representatives from BIS will present the existing standards on IT security and privacy and will also highlight the need for standards to support the Act's requirements, such as reasonable security safeguards.

Key Discussion Points

  • Overview of the current standards landscape: ISO/IEC 27001 (information security management), IS 17428 (BIS data privacy assurance) and ISO/IEC 29184 (online privacy notices and consent).

Breakout Session Questions

  1. Are the current standards available sufficient to implement the provisions of the Act efficiently?
  2. If the current standards are not sufficient, what are the specific 3-4 items that need to be standardised?
  3. How can this standardisation gap (if it exists) be addressed in the next 6-12 months?

Consent

Mr. Sachin Khalap will present this session. The discussion will be in the context of the DPDP Act, focusing on the scenarios in which consent must be collected, business models for Consent Managers, and the creation of standard formats for consent.

Key Discussion Points

  • A brief discussion on Consent with respect to the DPDPA.
  • A comparison of the DPDPA with the GDPR shows that there is no global reference point for the Consent Manager role that the DPDPA introduces.
  • New-age digital businesses need seamless consent flows.

Breakout Session Questions

  1. In what scenarios must consent be collected?
  2. What is the business model for a consent manager?
  3. How do we create a standard format for “Consent” and the underlying “Purposes”?
  4. What role can Account Aggregators play with respect to consent management?

Data Protection

This session will be presented by Mr. P.P. Singh and will focus on differentiating a data breach from a personal data breach, determining what constitutes reasonable data protection, identifying the source of a data leak, and assessing whether traditional techniques such as encryption are sufficient.

Key Discussion Points

  • The DPDPA requires Data Fiduciaries (including for processing carried out on their behalf by Data Processors) to protect digital personal data through reasonable security safeguards. It defines a personal data breach as any unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data.
  • Discussion on key control areas in the domain of protection and privacy: operational (rules and processes), administrative (policies), architectural (system connections), technical (security controls), response (incident handling), and visibility (threat detection).

Breakout Session Questions

  1. Differentiate between a data breach and a personal data breach.
  2. Determine what constitutes reasonable data protection.
  3. Identify the source of a data leak when similar data points are held across multiple providers.
  4. Ascertain whether traditional data protection techniques, such as encryption, are sufficient in the context of privacy.

Workshop Schedule

  • Registration: 09:00 to 09:30

  • Welcome & Overview of the Workshop: 09:30 to 10:00

  • Session 1: 10:00 to 11:30
    Topic 1 – Overview of DPDPA
    Topic 2 – Role of Standards

  • Session 2: 11:30 to 14:00
    Breakout Session for Topics 1 & 2
    Report & Discussion on Topics 1 & 2

  • Session 3: 14:00 to 16:00
    Topic 3 – Consent
    Topic 4 – Data Protection

  • Session 4: 16:00 to 17:30
    Breakout Session for Topics 3 & 4
    Report & Discussion on Topics 3 & 4

  • Session 5: 17:30 to 18:00
    Summarization and wrap-up