6 JANUARY 2025

Understanding the DPDP Rules and their Impact on Social Sector (Part I of a 3 Part Series)

BY NANDINI NARAYANASWAMY

The Digital Personal Data Protection (DPDP) Rules, 2023 (the “DPDP Rules”), were introduced by the Ministry of Electronics and Information Technology (MeitY), Government of India, in early January 2025, following the enactment of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), on August 11, 2023. The DPDP Act read with DPDP Rules is poised to provide a comprehensive framework for digital personal data protection, emphasizing the principles of lawfulness, transparency, and accountability. The DPDP Rules would come into effect in a phased manner. The exact dates for the implementation of different provisions will be notified by the government, which has promised to allow organizations “enough time to adapt their processes to comply with the law”.

In this edition, we delve into the implications of the DPDP Act for social sector enterprises.

Overview of the DPDP Act

The DPDP Act introduces two central roles in the realm of data governance:

1. Data Fiduciaries: These are entities, including organizations, businesses, or individuals, that collect, process, or store personal data. An NGO that collects personal data in digital modes can be a Data Fiduciary under the DPDP Act.

Obligations of a Data Fiduciary under the DPDP: A Data Fiduciary is responsible for ensuring that personal data is handled in compliance with the law. Their obligations include obtaining explicit consent for collecting and processing personal data, implementing data security measures, and respecting the rights of individuals whose data they process.

2. Data Principals: This term refers to the individuals whose personal data is being collected or processed. A beneficiary of an NGO’s programs whose personal data is collected for monitoring, evaluation or program delivery is a Data Principal under the DPDP Act.

Rights of the Data Principal under DPDP: A Data Principal has specific rights under the DPDP Act read with Rules, such as the right to access, correct, or erase their data. They are at the center of the regulatory framework, emphasizing the importance of individual privacy and control over personal information.

Implications for NGOs

NGOs would be classified as Data Fiduciaries, as NGOs often collect and process personal data from beneficiaries, donors, and stakeholders, making compliance essential under the DPDP Rules. Importantly, the DPDP Act continues to hold the Data Fiduciary responsible even for data breaches or non-compliance by Data Processors, and mandates that contracts between Data Fiduciaries and Data Processors must reflect this responsibility. The following are the compliances under the DPDP Rules that are applicable to the social sector:

a. NGOs should obtain explicit and informed consent from individuals (Data Principals) before collecting or processing their personal data. This consent must clearly outline the purpose of data collection, the retention period, and whether the data will be shared with third parties, such as partner organizations or service providers.

b. NGOs must implement reasonable security measures, including encryption, controlled access, and regular system monitoring. If NGOs rely on third-party service providers (Data Processors) for data handling, they must ensure these entities also comply with the same security standards, and must put appropriate checks in place to verify that compliance.

c. NGOs are required to provide detailed information to Data Principals about their data processing practices. This includes specifying the purpose of data collection, the rights of individuals under the DPDP Act, and providing contact details for someone responsible for addressing queries related to data processing.

d. The DPDP Rules also emphasize data minimization and retention limitation, requiring NGOs to collect only the personal data necessary for their stated purposes. Data must be retained only for as long as required by law or operational necessity. Once the purpose has been fulfilled, NGOs are expected to delete the data, ensuring that unnecessary retention does not compromise individual privacy.

e. In cases where NGOs process personal data without explicit consent, as permitted by certain exceptions under the DPDP Act (such as compliance with legal obligations), they must notify the Data Principals about the processing activity. The notification should include information about the processing and provide a communication channel, such as a website or contact point, where individuals can exercise their rights under the DPDP Act.

f. NGOs must appoint a Data Protection Officer (DPO) to ensure compliance with the DPDP Rules. The DPO plays a critical role in overseeing data protection strategies, monitoring compliance, and acting as the point of contact for grievances related to personal data processing. For NGOs, the DPO ensures that data collection, storage, and usage align with the principles of lawfulness, transparency, and accountability. The DPO is also responsible for conducting regular audits, training staff, and coordinating with the relevant authorities to address potential breaches or violations.

NGOs can undertake the following to ensure compliance under the DPDP Rules:

1. Conduct a Data Audit

NGOs must map their data collection, storage, and processing practices to identify gaps and ensure alignment with the DPDP Act and Rules.

2. Update Policies and Procedures

Privacy policies, consent forms, and internal guidelines should be revised to reflect the transparency and accountability requirements under the DPDP Act and Rules.

3. Train Stakeholders

Educating staff, volunteers, and other stakeholders on data protection principles is essential to foster a culture of compliance.

4. Leverage Technology

Investing in technology solutions can simplify compliance tasks, from anonymization to monitoring data access.

Conclusion

The DPDP Rules herald a new era of accountability and privacy in data processing. For NGOs, these rules present both opportunities and challenges. By proactively adopting best practices and ensuring compliance, NGOs can not only avoid penalties but also reinforce their credibility and trustworthiness in the eyes of beneficiaries, donors, and stakeholders.