Under the DPDP Act 2023, a business is responsible for how every member of its team handles customer data — a single careless email or a shared password can trigger a breach. This is a practical, downloadable training guide you can run with your staff in about an hour. It's the companion to our guide on your responsibilities as a business — that one covers what the business must do; this one turns it into a session you can actually deliver.
Why Staff Training Is a DPDP Requirement (Not Optional)
The Act makes the business — the Data Fiduciary — accountable for compliance, including for anyone acting on its behalf (Section 8). "Reasonable security safeguards" under Rule 6 of the DPDP Rules 2025 explicitly include appropriate technical and organisational measures — and staff training is the organisational half of that. If a breach ever reaches the Data Protection Board, documented training is evidence that you took your obligations seriously. Keep the sign-off sheet at the end as proof.
Who Needs This Training?
Everyone who can see, enter, export, or share customer personal data. In a typical SMB that means:
- Owners and managers (set the policy and handle breaches)
- Front desk / sales / support staff (collect data and consent)
- Delivery, dispatch and accounts staff (see addresses, phone numbers, payment records)
- Anyone with access to WhatsApp, the CRM, spreadsheets, or the billing system
The Core Concepts Every Employee Must Understand
Keep this simple. Every team member should be able to explain, in their own words:
- What personal data is — any information that identifies a customer: name + phone, address, email, payment details, photos, order history.
- Consent — we must ask before we collect, tell people why, and let them say no or change their mind (Section 6).
- Purpose limits — we only use data for the reason the customer gave it; marketing needs separate consent.
- Customer rights — customers can ask what we hold, fix it, or delete it, and we must respond (Sections 11–13).
- Breaches — if data is exposed, lost, or sent to the wrong person, it must be reported internally immediately so the business can act within its deadlines.
The One-Hour Training Session Plan
| Time | Segment | What to cover |
|---|---|---|
| 0–10 min | Why it matters | What the DPDP Act is, that it applies to us, and the penalties (₹50 Cr–₹250 Cr for the business; ₹10,000 for individuals who misuse the system) |
| 10–25 min | The five core concepts | Personal data, consent, purpose limits, customer rights, breaches (above) |
| 25–40 min | Role-based dos & don'ts | Walk each role through the rules that apply to them (see the table below) |
| 40–50 min | Breach drill | Run the scenario below; agree who to tell and how fast |
| 50–60 min | Q&A + sign-off | Answer questions; everyone signs the attendance sheet |
Role-Based Dos and Don'ts
| Role | Do | Don't |
|---|---|---|
| Sales / front desk | Show the consent notice before collecting data; record that consent was given | Don't add customers to marketing lists without separate consent; don't collect more than you need |
| Support / WhatsApp | Keep chats professional; delete screenshots of addresses/IDs once used | Don't forward customer details to personal phones or unofficial groups |
| Accounts / billing | Restrict access to those who need it; keep tax records for their required period | Don't email spreadsheets of customer data unencrypted or to the wrong person |
| Dispatch / delivery | Share addresses only with the courier, only for delivery | Don't reuse delivery data for anything else without consent |
| Everyone | Use strong, unique passwords and two-factor authentication | Don't share logins; don't copy customer data to personal devices |
The Breach Drill (Run This Live)
Read this scenario aloud and ask the team to respond:
"A staff member accidentally sends a spreadsheet with 400 customers' names, phone numbers and addresses to the wrong WhatsApp group. What do we do?"
The correct response your team should reach:
- Report it immediately to the owner/manager — don't hide it. The clock for notifying the Data Protection Board starts when the business becomes aware.
- Contain it — try to recall the message, ask recipients to delete it, note who saw it.
- Document it — what happened, when, whose data, what was done.
- The business notifies affected customers without delay, sends the Data Protection Board an initial intimation without delay, and follows up with detailed particulars within 72 hours (Rule 7 of the DPDP Rules 2025).
The single most important training message: speed beats secrecy. A breach reported fast is manageable; a hidden one is a ₹200 Crore risk.
Make It Stick: After the Session
- Pin a one-page summary of the dos and don'ts where staff work.
- Add a 10-minute DPDP refresher to your onboarding for every new hire.
- Repeat the session once a year, and whenever your data practices change.
- Keep the signed attendance sheet with your compliance records.
Staff Training Sign-Off Sheet
Print this section and have each attendee sign. Retain it as evidence of your organisational security measures under Rule 6.
| Name | Role | Date | Signature |
|---|---|---|---|
Trainer / session lead: ______________________ Date: ____________
Download the one-page DPDP staff-training guide (PDF) — a branded summary with a QR code back to this guide, ready to print for your session.
References & Sources
- Ministry of Electronics & IT, Government of India — The Digital Personal Data Protection Act, 2023 (Section 8 general obligations; the Schedule).
- The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E)) — Rule 6 (technical and organisational measures) and Rule 7 (breach intimation).
- Companion guide — Know Your Responsibilities as a Business Under the DPDP Act.
This training guide is general information about the DPDP Act 2023 and DPDP Rules 2025, not legal advice. Adapt it to your business and confirm details against the current notified text.