DPDP Act Certification Course

Objective: Stop treating DPDP like a legal memo; treat it like a system boundary.

Core concepts

• DPDP scope: digital personal data; non-digital only when digitised
• Roles: Data Principal / Data Fiduciary / Data Processor; shared accountability vs delegated processing
• Exclusions: truly anonymised data; what “anonymised” means operationally (vs pseudonymised)

Vibe-coding build: DPDP Scope & Role Classifier

• Input: processing scenario + data fields + who decides purpose/means
• Output: scope decision + role assignment + obligations checklist

Failure injection

• Dataset contains quasi-identifiers that re-identify individuals → tool must flag “not anonymised”

Artifacts

• DPDP applicability decision log (audit-ready)
• Role map + contract boundaries

2) Data Lifecycle × AI Lifecycle Mapping

Objective: Make DPDP “stick” to AI systems end-to-end.

Core concepts

• Data lifecycle: collect → store → use → share → retain → delete (expand into your org’s steps)
• AI lifecycle: data prep → training → eval → deployment → inference → monitoring/learning loop
• Where privacy breaks in AI: prompt logs, embeddings, vector DBs, telemetry, model feedback loops

Vibe-coding build: AI Data Lineage & DPDP Obligation Mapper

• Drag-drop pipeline stages → auto-assign obligations + risk flags
• Produces a “DPDP control map” per stage (who, what, evidence)

Failure injection

• RAG store contains HR PDFs with personal data → tool must flag purpose mismatch & retention risk

Artifacts

• AI-DPDP lifecycle map
• Processing inventory (RoPA-lite) aligned to lifecycle

3) Consent Engineering & “Consent UX” 

Objective: Convert consent into product + architecture decisions.

Core concepts

• Consent quality: free, specific, informed, unambiguous; anti-bundling
• Withdrawal propagation (downstream systems)
• Consent records + auditability; Consent Managers (where applicable)
• Deemed/legitimate uses vs consent (where the program is designed to avoid over-consenting)

Vibe-coding build: Consent Orchestration Engine

• Consent capture UI (granular toggles)
• Consent receipt JSON + signed audit trail
• Consent withdrawal propagation simulator (marketing → analytics → AI training)

Failure injection

• Bundled marketing consent with account creation → must detect and redesign

Artifacts

• Consent taxonomy (by purpose)
• UX patterns: compliant consent flows + copy patterns

4) Data Principal Rights as Workflows 

Objective: Rights are not buttons; they’re workflows with identity verification, logging, and SLA.

Core concepts

• Rights: access, correction, erasure, grievance redressal, nomination
• “Understandable responses” (no unreadable dumps)
• System constraints: backups, logs, legal retention, and operational feasibility

Vibe-coding build: Data Principal Rights Portal

• Request intake + identity verification flow
• Ticketing + SLA + escalation
• Human-readable response generator (policy-guarded)

Failure injection

• Returns raw database dump → participants must redesign to produce understandable responses

Artifacts

• Rights fulfilment SOP + SLA matrix
• Evidence logs for each request

Objective: Train the “notify vs not notify” muscle using DPDP’s harm standard.

Core concepts

• Section 8(6) logic: notify DPB and Data Principals when breach is likely to cause harm
• Decisioning under uncertainty (what counts as “likely harm”)
• Cloud + vendor breaches; processor obligations + fiduciary accountability

Vibe-coding build: Breach Impact Simulator & Notification Generator

• Input: breach type, fields, scale, controls in place
• Output: harm likelihood score + notify/not notify + draft notices

Failure injection

• Partial breach with tokenized identifiers but leaked mapping table → harm becomes likely

Artifacts

• Breach decision matrix
• Notification templates (DPB + Data Principal)
• Incident evidence binder structure

6) DPB Enforcement, Penalties, Appeals 

Objective: Remove myths; build a penalty-aware operating posture.

Core concepts

• Administrative monetary penalties; aggravating/mitigating factors
• Repeat violations, cooperation, remediation speed
• Appeals window and governance response playbook

Vibe-coding build: Penalty Exposure & Mitigation Dashboard

• Violation type + severity + recurrence + mitigations → exposure band
• Executive view: “what to fix first”

Failure injection

• Same violation repeats across two business units → must detect systemic control failure

Artifacts

• Penalty exposure register
• Board response strategy playbook

7) Significant Data Fiduciary Controls + DPIA-as-Code 

Objective: Make DPIA living, repeatable, and evidence-producing.

Core concepts

• What triggers DPIA: high-risk processing (esp. AI, profiling, large scale)
• DPO responsibilities (where applicable)
• Auditability: risk acceptance, residual risk, compensating controls

Vibe-coding build: DPIA-as-Code Generator

• Questionnaire → scoring → controls mapping → auto-report
• Produces evidence pack: risks, mitigations, approvals, review cadence

Failure injection

• AI feature adds “learning from user chats” post-launch → DPIA needs update and approval workflow

Artifacts

• DPIA template + scoring rubric
• Risk acceptance log + approval trail

8) Capstone: Unified DPDP + AI Compliance Portal 

Objective: Integrate everything into a single leadership-grade system.

Capstone build

Teams implement:

• AI system onboarding (purpose, data, vendors)
• Consent engine + withdrawal propagation
• Rights portal + SLA tracker
• Breach simulator + notification workflow
• DPIA-as-code + approvals
• Evidence binder generation (exportable)

Role-based views (must-have)

• Executive: risk heatmap, top obligations, penalty exposure, roadmap
• DPO/Privacy: DPIAs, rights queue, policies, evidence
• Security: breach readiness, safeguards checklist, telemetry controls
• Product: consent UX, feature gating, data minimisation
• Auditor/Regulator: traceability, logs, approvals, artifacts

Elite extensions (choose 2)

• Shadow AI discovery workflow (rogue tools + unapproved datasets)
• RAG corpus privacy controls (PII detection + retention enforcement)
• Prompt-log minimisation + redaction + purpose binding
• Synthetic data governance (re-identification tests + approval gates)

Final outputs

• Working portal demo
• Leadership pitch (3 slides)
• Compliance architecture blueprint
• Evidence binder pack