Data Privacy: Consent is the New Currency - Frequently Asked Questions

Jyoti   |   24 Jun 2026

SECTION 1: Consent Mechanics & Data Erasure

Q: If a data principal asks to erase their personal data, can the organisation encrypt the data instead of deleting it? Some tech vendors say this is legally permissible.

A: Encryption is not a valid substitute for erasure once a withdrawal or deletion request has been made. Two critical points were made on this. First, from a legal standpoint, the data principal has an unconditional right to withdraw consent under Section 6(4) of the DPDP Act, 2023, and on withdrawal the data fiduciary must, within a reasonable time, cease processing (and cause its processors to cease) unless continued processing is required by law (Section 6(6)). Encrypting the data still means it is being retained, which the Data Protection Board can question, particularly on whether the withdrawal has genuinely been given effect. Anonymisation (rendering data unidentifiable) may be a possible middle path, but even that remains a grey area and cannot be treated as a guarantee of compliance. Second, from a technical standpoint, encryption cannot be treated as equivalent to erasure because encrypted data is always retrievable by whoever holds the decryption key. The data is not destroyed; it merely sits in a protected state, and so does every backup, search index, analytics extract and log line that carries a copy of it. Destroying the key ("crypto-shredding") is a stronger claim than encryption alone, but it still depends on every copy of the key being provably destroyed and on the cipher staying unbroken, and the data principal can verify neither. Accordingly, organisations should implement genuine deletion pipelines that cover every store holding the record, verify the outcome, and are backed by audit trails, rather than relying on encryption as a compliance shortcut.
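The contrast above, as an added example that is not part of the original FAQ or the webinar: a constructed in-memory system with a primary table, a search index and an "encrypted archive", showing that an encrypt-in-place "erasure" is still recoverable by anyone holding the key and still fails a cross-store erasure check, while a genuine erasure pipeline removes the record from every store, verifies the result, and writes a hash-chained audit trail that records a digest of the record rather than the record itself. The stores, principal IDs, request ID and the HMAC-based stream cipher are all assumptions made for the example (the cipher stands in for AES-GCM only so the block runs on the standard library).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class DataStores:
    """Constructed in-memory stand-ins for the places a record actually lives."""
    primary: dict = field(default_factory=dict)            # principal_id -> record
    search_index: dict = field(default_factory=dict)       # email -> principal_id
    encrypted_archive: dict = field(default_factory=dict)  # principal_id -> (nonce, ciphertext)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for a real cipher (assumption for
    the example; use AES-GCM in production). Any cipher is reversible with the key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt (the same XOR in both directions)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def retain_encrypted(stores: DataStores, key: bytes, principal_id: str) -> None:
    """The vendor proposal: 'erase' by encrypting the record and keeping it."""
    record = stores.primary.pop(principal_id)
    nonce = hashlib.sha256(principal_id.encode()).digest()[:8]
    stores.encrypted_archive[principal_id] = (nonce, xor_crypt(key, nonce, json.dumps(record).encode()))


def recover_from_archive(stores: DataStores, key: bytes, principal_id: str) -> dict:
    """Whoever holds the key (an admin, a court order, an attacker) gets the data back."""
    nonce, ciphertext = stores.encrypted_archive[principal_id]
    return json.loads(xor_crypt(key, nonce, ciphertext))


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash,
    so editing or dropping an earlier entry is detectable."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({**event, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"body": body, "hash": digest})
        return digest

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if json.loads(entry["body"])["prev"] != prev:
                return False
            if hashlib.sha256(entry["body"].encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def verify_erased(stores: DataStores, principal_id: str, email: str) -> bool:
    """Post-deletion check across every store, not just the primary table."""
    return (principal_id not in stores.primary
            and principal_id not in stores.encrypted_archive
            and email not in stores.search_index)


def erase_principal(stores: DataStores, log: AuditLog, principal_id: str, request_id: str) -> dict:
    """Genuine erasure: remove the record from every store, verify, log each step.
    The log holds a digest of the record, never the record, so the audit trail does
    not become one more copy of the personal data."""
    record = stores.primary.get(principal_id)
    if record is None:
        log.append({"event": "erase_noop", "request": request_id, "principal": principal_id})
        return {"erased": False, "removed_from": []}
    digest = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    log.append({"event": "erase_requested", "request": request_id,
                "principal": principal_id, "record_sha256": digest})
    removed = []
    if stores.primary.pop(principal_id, None) is not None:
        removed.append("primary")
    for idx_key in [k for k, v in stores.search_index.items() if v == principal_id]:
        del stores.search_index[idx_key]
        removed.append("search_index")
    if stores.encrypted_archive.pop(principal_id, None) is not None:
        removed.append("encrypted_archive")
    erased = verify_erased(stores, principal_id, record["email"])
    log.append({"event": "erase_completed" if erased else "erase_failed",
                "request": request_id, "principal": principal_id, "removed_from": removed})
    return {"erased": erased, "removed_from": removed}


def demo() -> dict:
    """Constructed scenario: p-1001 is 'erased' by encryption, p-1002 is actually erased."""
    key = hashlib.sha256(b"constructed demo key").digest()
    stores, log = DataStores(), AuditLog()
    for pid, email in (("p-1001", "asha@example.com"), ("p-1002", "ravi@example.com")):
        stores.primary[pid] = {"id": pid, "email": email, "phone": "9876543210"}
        stores.search_index[email] = pid
    retain_encrypted(stores, key, "p-1001")
    recovered = recover_from_archive(stores, key, "p-1001")
    result = erase_principal(stores, log, "p-1002", "req-42")
    return {
        "encrypted_still_recoverable": recovered["email"] == "asha@example.com",
        "encrypted_passes_verify": verify_erased(stores, "p-1001", "asha@example.com"),
        "erase_result": result,
        "erase_passes_verify": verify_erased(stores, "p-1002", "ravi@example.com"),
        "audit_chain_ok": log.verify_chain(),
        "audit_entries": len(log.entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The encrypted record fails `verify_erased` because the search index still maps the e-mail to the principal and the archive still holds the ciphertext; a real pipeline would enumerate backups and downstream processors the same way, and an "erase_failed" audit entry is the signal that a store was missed.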


SECTION 2: Employee Data & Workplace Privacy

Q: Does obtaining employee consent protect an organisation from liability in the event of a data breach involving employee personal data? What precautions should organisations take before and after a breach?

A: No. Consent is a compliance requirement at the point of collection; it is not a liability shield if a breach subsequently occurs. A breach represents a wrongdoing, and consent is never given for wrongdoing. The organisation's obligations upon a breach are independent of whether consent was properly obtained. The Act itself (Section 8(6)) does not fix a numerical deadline of the kind GDPR's 72-hour window provides; it requires the data fiduciary to intimate the Data Protection Board and each affected data principal in the form and manner prescribed under the rules, so the operative timeline and content of the notification come from the DPDP Rules and must be tracked there. The steps an organisation must have in place include: a clear internal incident notification chain; a triage process that determines whether an incident meets the Act's definition of a personal data breach (unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access), noting that this definition carries no harm threshold, so the nature of the data, the extent of harm and the reputational impact drive the response priority rather than the decision to notify; and a post-breach investigation and corrective action framework. The DPO plays a central role in these assessments. Consent is not a substitute for information security; both must co-exist.

Q: Our company uses geo-tagging and location mapping for employees on field or sales duty. Is this mandatory tracking, and can an employee refuse? What happens if the employee refuses during office hours?

A: No tracking, whether geo-tagging, location mapping or any other form of surveillance, can be made mandatory without explicit, informed consent. This applies to field staff as much as to office-based employees. The DPDP Act is clear that consent must be free, specific, informed, unconditional and unambiguous (Section 6(1)), which rules out coercion. A practical tension arises here: employers hold significant power in the employment relationship. If an employer effectively conditions employment or field deployment on the employee's consent to tracking, that is coercion under the DPDP framework and is non-compliant. Employees do have the legal right to refuse consent for tracking. That said, professionals should exercise this right with awareness of their organisational context. Organisations should design their tracking frameworks to offer genuine choice, not a coercive opt-in masked as a policy requirement, and should limit location collection to the stated purpose and to the duration of that purpose.

Q: Does an HR department need prior consent from candidates before collecting data for an interview process, including video interviews?

A: Yes. Consent is required before collecting candidate data, and this extends to the interview stage. For video interviews in particular, candidates should be informed and their consent taken before recording begins. Best practice is to include the consent request in the calendar invite or interview scheduling communication, and to give candidates a genuine option to decline recording without being disadvantaged in the process. While the "legitimate uses" ground in Section 7(i) of the DPDP Act gives employers a basis for processing certain data for employment purposes (such as background checks or medical tests directly related to the role), this exemption is narrow. Interview recordings, AI-assisted evaluation tools and behavioural assessments are not automatically covered under Section 7(i); they require separate, explicit consent under Section 6.

Q: What is the employer's liability when a data breach occurs at the vendor's side (e.g., an HR application used by the company), especially when there is no specific liability clause in the contract?

A: The data fiduciary, i.e. the organisation that determines the purpose and means of processing and collected the data, remains liable. Under DPDP 2023 you cannot transfer liability to a data processor or vendor simply because the breach originated on their systems: Section 8(1) makes the fiduciary responsible for compliance in respect of any processing undertaken by it or on its behalf by a data processor, irrespective of any agreement to the contrary. The fiduciary model is deliberately structured so that the organisation accountable to the data principal bears end-to-end responsibility. This makes vendor contract drafting critically important. Every vendor processing personal data on your behalf must have a Data Processing Agreement (DPA) in place that includes clear liability allocation, breach notification obligations (with timelines short enough for you to meet your own notification duty), security measures, sub-processor controls, and data return or deletion clauses. If such a clause is absent and a breach occurs, the data fiduciary will bear full regulatory and legal exposure and will have no contractual recourse against the vendor.


SECTION 3: AI, Technology & Compliance

Q: What should organisations keep in mind when auditing an AI application?

A: An AI audit should begin long before the audit itself, at the implementation stage. Before any AI tool goes live, organisations must ensure: (a) audit trail functionality is built into the tool itself; (b) contractual audit rights are negotiated with the vendor; and (c) data processing boundaries are clearly documented. During the audit, key areas to examine include: (i) vendor-side data flows: verify directly, rather than relying on contractual assurances, that no personal data is being leaked, shared or retained beyond the agreed parameters; (ii) employee prompt usage: review what data employees are actually inputting into AI tools; this should be monitored more frequently than vendor audits, and flagged instances should be addressed through targeted training; and (iii) access controls and tool allowlisting: confirm that only approved tools are in use and that personal accounts on consumer AI services or unvetted third-party tools are not being accessed on company networks or devices. Quarterly internal audits are recommended for organisations with AI-integrated products or client-facing AI services.
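A concrete form of checks (ii) and (iii) above, as an added example that is not from the original FAQ or the webinar: a small audit script that reads a constructed JSON-lines prompt log (timestamp, user, destination host, prompt text), flags prompts that carry identifiers commonly pasted into AI tools (PAN, Aadhaar, e-mail, Indian mobile numbers), flags prompts sent to hosts outside an approved list, and produces a per-user summary. The log format, the host names and the allowlist are assumptions; the findings carry a redacted copy of the prompt so that the audit report does not itself become a new store of personal data.

```python
import json
import re
from collections import defaultdict

# Assumption: the organisation maintains an allowlist of approved AI endpoints.
APPROVED_AI_HOSTS = {"ai.corp.example", "api.approved-vendor.example"}

# Detectors for identifiers that commonly end up in prompts. PAN is AAAAA9999A;
# Aadhaar is 12 digits, first digit 2-9, often written in 4-4-4 groups.
# Regexes catch structured identifiers only; names and free-text facts need
# a dedicated classifier or human review.
PII_PATTERNS = {
    "pan": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "aadhaar": re.compile(r"\b[2-9][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "in_mobile": re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9][0-9]{9}(?!\d)"),
}

# Constructed sample log lines (not real traffic): one prompt per line.
SAMPLE_LOG = """\
{"ts":"2026-06-10T09:12:01Z","user":"ravi","host":"ai.corp.example","prompt":"Summarise this policy doc in 5 bullets"}
{"ts":"2026-06-10T09:15:44Z","user":"meera","host":"chat.personal-gpt.example","prompt":"Draft offer letter for Asha Verma, PAN ABCDE1234F, phone 9876543210"}
{"ts":"2026-06-10T09:20:03Z","user":"ravi","host":"ai.corp.example","prompt":"Check this Aadhaar 2345 6789 0123 against our KYC form"}
{"ts":"2026-06-10T09:31:17Z","user":"sunil","host":"api.approved-vendor.example","prompt":"Write SQL to count orders per month"}
{"ts":"2026-06-10T09:40:59Z","user":"meera","host":"chat.personal-gpt.example","prompt":"Reply to candidate at priya.k@example.com about interview slot"}
"""


def scan_prompt(text: str) -> dict:
    """Return {category: hit_count} for every detector that fires on the prompt."""
    return {name: len(p.findall(text)) for name, p in PII_PATTERNS.items() if p.search(text)}


def redact(text: str) -> str:
    """Replace each detected identifier with a category tag for the report."""
    for name, p in PII_PATTERNS.items():
        text = p.sub(f"[{name.upper()}]", text)
    return text


def audit_prompt_log(log_text: str, approved_hosts: set) -> list:
    """One finding per prompt that carries PII or went to a non-allowlisted host."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        pii = scan_prompt(entry["prompt"])
        unapproved = entry["host"] not in approved_hosts
        if pii or unapproved:
            findings.append({
                "ts": entry["ts"], "user": entry["user"], "host": entry["host"],
                "unapproved_host": unapproved, "pii": pii,
                "prompt_redacted": redact(entry["prompt"]),  # never the raw prompt
            })
    return findings


def summarise(findings: list) -> dict:
    """Per-user counts (who needs targeted training) and the set of unapproved hosts
    (what needs blocking at the proxy or device level)."""
    per_user = defaultdict(lambda: {"pii_prompts": 0, "unapproved_prompts": 0})
    hosts = set()
    for f in findings:
        if f["pii"]:
            per_user[f["user"]]["pii_prompts"] += 1
        if f["unapproved_host"]:
            per_user[f["user"]]["unapproved_prompts"] += 1
            hosts.add(f["host"])
    return {"users": dict(per_user), "unapproved_hosts": sorted(hosts)}


if __name__ == "__main__":
    found = audit_prompt_log(SAMPLE_LOG, APPROVED_AI_HOSTS)
    print(json.dumps({"findings": found, "summary": summarise(found)}, indent=2))
```

Run against a real proxy or gateway export the same way; the point of the per-user summary is that prompt hygiene is a training problem for specific people, while an unapproved host is a control gap to close at the network or device layer regardless of who used it.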


SECTION 4: CCTV, Surveillance & Public Spaces

Q: Our office CCTV captures video and audio of not just employees, but also visitors, customers, vendors, and passersby. How can explicit consent be obtained from all these individuals?

A: For physical surveillance in shared or public-facing spaces, the DPDP framework (consistent with established regulatory practice) accepts signage as a valid form of notice. Organisations must place a clearly visible notice beneath or near each CCTV installation informing individuals that they are under surveillance. This acts as constructive notice to all who enter the premises — employees, visitors, vendors, and members of the public alike. The notice constitutes the organisation's compliance with the 'informed' requirement for this category of data collection. Importantly, this approach applies specifically to public or semi-public surveillance contexts. For employee-targeted monitoring beyond standard CCTV (such as biometric systems, keylogger tools, or screen tracking), explicit, individual consent remains mandatory.


SECTION 5: Regulatory Landscape & Governance

Q: Has any organisation been penalised under the DPDP Act so far?

A: As of the date of this webinar (June 2026), no penalties have yet been issued under the DPDP Act. The Data Protection Board of India has been constituted, and the process to appoint a Chairperson and Members was initiated by the Ministry of Electronics and Information Technology (MeitY) in May 2026. The full compliance deadline is 13 May 2027, and the consent manager framework is scheduled to go live on 13 November 2026. While enforcement has not formally begun, the pace of institutional development signals that the government is treating DPDP implementation seriously. Organisations should not interpret the current absence of penalties as an absence of risk: regulatory attention will intensify, and early movers will be significantly better positioned.

Q: What should be the role of the Board of Directors of listed companies in ensuring DPDP compliance?

A: The Board of Directors bears the most consequential responsibility in this framework. Their primary obligations are: (1) to approve adequate budgets for privacy compliance infrastructure, including consent management systems, DPO resources, employee training programmes, and audit mechanisms; (2) to take privacy governance seriously as a board-level risk item — not merely a legal or IT concern; and (3) to ensure that GCs and DPOs are given organisational authority commensurate with their responsibilities. The speaker strongly emphasised that privacy compliance cannot be delegated downward without board-level backing. GCs and DPOs should formally document their recommendations and briefings to the Board, so that institutional accountability is clear if a regulatory notice or penalty is later received. The DPDP Act creates a regulatory environment where Board-level inaction is itself a risk.

Q: We observe what appear to be data breaches every day — for example, speaking about a product on the phone and immediately seeing targeted ads. How should data principals respond to such situations under DPDP?

A: This is one of the most widespread concerns that the DPDP Act is designed to address. What the question describes is usually not a breach in the statutory sense but the result of permissions and tracking that were "consented" to without genuine choice, which is why the answer turns on consent design. Dark patterns, such as pre-ticked consent boxes, basket-sneaking and bundled permissions, are already under scrutiny. In 2025, ASCI and the Central Consumer Protection Authority issued notices to major platforms including Zomato, Swiggy, Amazon, BookMyShow and Rapido for such practices. Under DPDP 2023, data principals will have the right to file complaints with the Data Protection Board. However, the Board is still in its formative stages, and practical enforcement mechanisms will take time to mature. The speaker's view is that the primary burden of change lies with organisations and their legal advisors to proactively fix non-compliant consent frameworks ahead of the 2027 deadline, rather than waiting for the Board to issue orders. As the regulatory machinery becomes operational, a significant volume of complaints on dark patterns is anticipated.


Disclaimer: This is an effort by Lexcomply.com to contribute towards improving the compliance management regime. Users are advised not to construe this service as legal opinion and to seek the view of subject experts.