fullscreen
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
ImpactMojo 101 Series · Free Forever
Data Protection
& the DPDP
Act 101
India's Digital Personal Data Protection Act, 2023 for Development Organisations — Consent, Rights, Duties and What to Do Now
India LawSouth Asia FocusFor NGOs105 SlidesFree Access
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
01
Part One
Orientation
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What this course will give you
India now has a comprehensive data-privacy law. This course translates the Digital Personal Data Protection (DPDP) Act, 2023 and its 2025 Rules into plain language and concrete steps for a small or mid-sized NGO. By the end you will be able to:
  • Name the data you hold — and recognise which of it is legally ‘personal data’ you are now accountable for.
  • Explain the law in one paragraph to your board, donors and beneficiaries without needing a lawyer in the room.
  • Identify your role — almost every NGO is a ‘Data Fiduciary’ and must meet specific duties.
  • Write a lawful consent form and notice that meets the Act’s free-specific-informed standard.
  • Handle a rights request — when a beneficiary asks to see, correct or delete their data.
  • Respond to a data breach the way the law requires, including the 72-hour report to the Board.
  • Build a retention and deletion policy so you are not hoarding data you no longer need.
  • Start a 90-day compliance plan that a two-person team can actually complete.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Why data protection is now an NGO issue
  • You hold high-risk data. Beneficiary lists, health records, caste and religion, survivor case files, financial details of the poor — a leak can cause real, physical harm to people who trusted you.
  • The law applies to you. DPDP does not exempt non-profits. If you process the digital personal data of people in India, you are covered like any company.
  • Donors will ask. Institutional and foreign funders increasingly require a written privacy and data-security policy as a grant condition.
  • Trust is your capital. Communities share sensitive information only because they believe you will protect it; a breach destroys years of relationship-building.
  • The penalties are real. The Act allows financial penalties up to ₹250 crore for the most serious failures — there is no ‘too small to matter’ carve-out.
  • Privacy is a fundamental right. Since the 2017 Puttaswamy judgment, protecting personal data is part of upholding the constitutional rights of the people you serve.
  • Good practice is cheap insurance. Most of what the law asks — ask only for what you need, keep it safe, delete it when done — costs little and protects everyone.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Who this course is for
This is written for
• Programme staff who collect data from communities.
• Founders and directors of small and mid-sized NGOs and CBOs.
• M&E and MIS officers who run the database.
• Finance and HR staff who hold employee and donor records.
• Board members who must sign off on organisational risk.
You do NOT need
• A law degree or a compliance department.
• Expensive software — most steps use tools you already have.
• A large budget — the core duties are about discipline, not spend.
• Prior privacy training — we start from first principles.
• To read the full Act — we quote what matters and cite the section.
Bottom line. If your organisation writes down someone’s name, phone number, photo, health status or bank details — on paper, in Excel, or in an app — this course is for you.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The ten parts of this course
PartYou will learn
1 · OrientationWhat the course covers, why it matters, and how to use it.
2 · Why it mattersReal harm scenarios, duty of care, and privacy as a right.
3 · The basicsPersonal vs sensitive data, ‘processing’, the data lifecycle, GDPR contrast.
4 · Meet the ActHistory, scope, extra-territorial reach, and the 2025 Rules timeline.
5 · The key rolesData Principal, Fiduciary, Processor, SDF, Consent Manager, the Board.
6 · Consent & noticeThe consent standard, itemised notice, children, exemptions.
7 · Rights & dutiesAccess, correction, erasure, grievance, nomination — and principal duties.
8 · Fiduciary dutiesPurpose limits, security, breach notice, retention, SDF extras, transfers.
9 · EnforcementThe Board, complaints, the penalty schedule, worked scenarios.
10 · Do it nowData map, consent forms, retention, breach plan, contracts, checklist.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Six words to learn first
Data Principal
The individual the data is about — your beneficiary, donor, volunteer or staff member.
Data Fiduciary
Whoever decides why and how the data is processed — almost always, this is your NGO.
Data Processor
A vendor who processes data for you under contract — your cloud host, survey app or payroll firm.
Processing
Almost anything you do with data: collecting, storing, using, sharing, or deleting it.
Consent
A free, specific, informed and unambiguous ‘yes’ from the person, for a stated purpose.
Data Protection Board
The national regulator that investigates breaches and imposes penalties.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The DPDP Act in one minute
2023
Act passed by Parliament; Presidential assent 11 Aug 2023
Act No. 22 of 2023
13 Nov 2025
DPDP Rules notified; phased enforcement to 2027
MeitY, 2025
₹250 cr
Maximum penalty for a serious security failure
The Schedule, DPDP Act
The Act gives every individual in India rights over their personal data and places binding duties on any organisation — company, government body or NGO — that decides how that data is used. It rests on seven principles: lawful and transparent use, purpose limitation, data minimisation, accuracy, storage limitation, reasonable security, and accountability.
Remember. The law is being switched on in phases through 2026–27. The right time to prepare is now, before your obligations become fully enforceable.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Where does your NGO stand today?
Read each statement. Every ‘no’ is a gap this course will help you close.
  • Inventory. We have a written list of every kind of personal data we hold and where it lives (paper, laptops, cloud, phones).
  • Consent. Our forms tell people exactly what data we take, why, and how to say no or withdraw later.
  • Access control. Only the staff who need a file can open it; laptops and phones are password-protected.
  • Retention. We delete beneficiary data once the programme and its reporting obligations end.
  • Vendors. Our cloud, survey-tool and payroll providers are bound by a written contract on data handling.
  • Grievance. A named person handles complaints and requests about personal data.
  • Breach plan. We know who to call and what to do in the first 24 hours if data is lost or leaked.
If you answered ‘no’ to three or more, you are in the same position as most NGOs in India today — and this course is your catch-up plan.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What this course is — and is not
What it is
• A practical orientation to the DPDP Act and Rules for non-profits.
• Grounded in day-to-day NGO work — field surveys, MIS, case files, donor lists.
• A starting point for building your own policies and forms.
• Current as of mid-2026, citing the Act and the notified Rules.
What it is not
• It is not legal advice for your specific situation.
• It is not a substitute for reading the Act where a decision has legal consequences.
• It does not cover sector-specific laws (health, finance, RTI) that may also apply.
• It cannot anticipate every future clarification the Board may issue.
Golden rule. Where a data decision carries real risk to a person or a large penalty for you, confirm the current text of the Act and take qualified legal advice. This course tells you when to do that.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The data an NGO touches every day
Before the law, look honestly at how much personal data flows through a typical field organisation:
Where it comes fromWhat it containsWhy it is sensitive
Baseline & survey formsName, age, caste, income, phone, GPS locationCan identify and target the poorest households
Beneficiary MIS / ExcelAttendance, entitlements, bank/Aadhaar-linked IDsFinancial fraud and exclusion risk if leaked
Case files (GBV, child protection)Abuse history, medical notes, family detailsCan endanger a survivor’s life
Health programmesHIV, TB, disability, mental-health statusStigma, discrimination, blackmail
HR & volunteersID proofs, salary, references, photosEmployee privacy and identity theft
Donors & grantsContact details, giving history, PANFinancial and reputational exposure
The point. You are already a major handler of personal data. The DPDP Act simply asks you to manage it deliberately rather than by accident.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
02
Part Two
Why data protection matters
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
When a beneficiary list leaks
Scenario
The shared spreadsheet
A livelihoods NGO keeps its 4,000-household beneficiary list in a Google Sheet. To save time, a field officer sets the link to ‘anyone with the link can view’ and pastes it into a public WhatsApp group of local vendors.
  • What was exposed. Names, villages, phone numbers, bank account numbers and the exact cash-transfer amount each family receives.
  • What happened next. A local moneylender used the list to target indebted families; two households received fraudulent ‘verification’ calls asking for OTPs.
  • The organisational cost. The NGO had to notify affected families, rebuild trust village by village, and report the incident — a breach it could not undo.
  • The legal lens. Under the DPDP Act this is a failure of reasonable security safeguards, the single most heavily penalised duty (up to ₹250 crore).
Lesson. Convenience defaults — open links, shared logins, forwarded files — are the most common cause of NGO data leaks, and the easiest to prevent.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
When survivor data is exposed
Scenario
The gender-based-violence case file
A women’s-rights organisation stores counselling case notes for domestic-violence survivors on a shared office computer with no password. A visiting consultant browses the desktop and photographs a folder of names and addresses.
  • Why this is different. For a survivor, disclosure of her location or her decision to seek help can mean renewed violence — the harm is physical, not just financial.
  • The chain of trust. Survivors disclose only because the space feels safe; one exposure can deter an entire community from ever coming forward again.
  • Duty of care. Humanitarian and protection standards have long required ‘need-to-know’ access and secure storage for case data — the law now makes this a statutory duty.
  • Minimisation matters. Much of the harm is avoidable by simply not recording identifying details you do not strictly need for the intervention.
Lesson. The more sensitive the person’s situation, the fewer people should ever see the data, and the harder it should be to open.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
When health status is disclosed
Scenario
The HIV programme register
An outreach NGO runs an HIV-prevention programme. Its printed register of client names and test results is left on a desk during a donor visit and photographed for a ‘field impact’ report.
  • Stigma is the harm. Disclosure of HIV, TB or mental-health status can cost a person their job, marriage, housing or standing in the community.
  • It can be criminal-adjacent. For key populations, exposure can invite harassment or violence, turning a data slip into a safety emergency.
  • Consent was never given for this. Clients consented to testing and support, not to appearing in a donor deck — a classic purpose-limitation failure.
  • Photographs are data too. A photo of a face or a register is personal data; ‘impact’ images need their own specific, informed consent.
Lesson. Data collected for care must not quietly migrate into fundraising, reporting or research without fresh, specific consent.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The sensitive data NGOs routinely hold
The DPDP Act treats all personal data with a single high standard rather than defining a separate ‘sensitive’ category — but ethically, some data demands extra care because a leak causes disproportionate harm:
CategoryExamples in NGO workHarm if exposed
HealthHIV, TB, disability, pregnancy, mental healthStigma, job and housing loss
Identity markersCaste, religion, tribe, sexual orientationDiscrimination, targeted violence
Protection casesGBV, trafficking, child abuse recordsPhysical danger to survivors
FinancialBank, Aadhaar-linked IDs, transfer amountsFraud, extortion, exclusion
LocationHome GPS, shelter addressesStalking, re-victimisation
ChildrenNames, photos, school and family detailsExploitation, safeguarding failure
Rule of thumb. The higher a row sits on the harm scale, the stronger your justification must be for collecting it at all.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Data protection is duty of care
  • Do no harm. The first principle of humanitarian and development work is not to make people worse off — and careless data handling can do exactly that.
  • Power asymmetry. Beneficiaries often cannot refuse to share data if it is the price of receiving aid; that imbalance places the whole duty of protection on you.
  • Informed participation. People have a right to understand what happens to information about them and to shape it — not merely to be surveyed and filed.
  • Dignity, not just security. Protecting data is a way of respecting the person as an agent, not a data point in your logframe.
  • Accountability to communities. Sound data practice is part of being accountable downward — to the people you serve — not only upward to donors.
  • Long-standing standards. Sector frameworks such as humanitarian data-responsibility guidance and child-safeguarding policies already required this; the law now reinforces it.
  • It protects your staff too. Clear rules shield field workers from being blamed personally when something goes wrong.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Trust is the currency of your work
“A community will tell you the truth about their income, their health and their fears exactly once — if you break that confidence, the door closes for everyone who comes after you.”
— A common refrain among frontline field workers
  • Consent depends on credibility. People agree to share data because they believe you will handle it responsibly; a visible breach makes future consent hollow.
  • Data quality follows trust. Where people fear misuse, they give false answers — wrong ages, hidden income, fake phone numbers — and your evidence base rots.
  • Reputation compounds. One leaked list can travel through local networks and media faster than years of good work.
  • Donors watch too. Institutional funders increasingly treat a data-protection incident as a governance red flag.
  • Rebuilding is slow. Trust is lost in an afternoon and regained over seasons of consistent, visible care.
Reframe. Treat data protection not as compliance overhead but as an investment in the relationship that makes your programmes work.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Privacy as a fundamental right — Puttaswamy 2017
Landmark judgment
Justice K. S. Puttaswamy v. Union of India (2017)
On 24 August 2017 a nine-judge bench of the Supreme Court of India unanimously held that the right to privacy is a fundamental right, intrinsic to the right to life and personal liberty under Article 21 and flowing through the freedoms in Part III of the Constitution.
  • Unanimous and binding. All nine judges agreed; the ruling overruled older decisions that had denied privacy the status of a fundamental right.
  • Informational privacy included. The Court expressly recognised control over one’s personal information as part of the right.
  • It set the test. Any intrusion must be lawful, serve a legitimate aim, and be proportionate — the reasoning that underpins the DPDP Act.
  • It ordered a law. The judgment directly prompted the government to draft a data-protection statute, culminating in the 2023 Act.
  • Why NGOs should care. Protecting a beneficiary’s data is now part of upholding their constitutional rights, not just good manners.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The cost of getting it wrong
₹250 cr
Max penalty: failure of security safeguards
DPDP Act, The Schedule
₹200 cr
Max: failure to notify a breach
DPDP Act, The Schedule
72 hrs
Window to report a breach to the Board
DPDP Rules, 2025
No floor
No exemption for small or non-profit bodies
DPDP Act, 2023
The maximum figures are aimed at large data-handlers, and the Board weighs the nature, gravity and duration of a failure before setting any penalty. But the direction is unmistakable: reasonable security and honest breach-reporting are now legal duties, not optional good practice. Beyond fines, the true cost of a failure is measured in harmed beneficiaries, lost trust, and donor confidence that does not come back.
Perspective. The point is not that a village NGO will be fined ₹250 crore — it is that the law now expects everyone, at every size, to handle data with care.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
From ethics to law: why voluntary rules were not enough
For years, responsible data handling in the sector rested on voluntary codes and donor conditions. The DPDP Act makes it enforceable. Here is why that shift happened:
  • Voluntary meant uneven. Well-resourced organisations had privacy policies; most did not, and beneficiaries had no way to tell the difference.
  • No recourse for individuals. Before the Act, a person whose data was misused had almost no practical remedy.
  • Digitisation raised the stakes. Aadhaar-linked delivery, mobile surveys and cloud MIS moved sensitive data into systems that scale — and leak — fast.
  • The Constitution demanded it. After Puttaswamy, a statutory framework was a constitutional expectation, not a policy choice.
  • Global alignment. Partners and funders operating under laws like the GDPR increasingly required Indian counterparts to meet comparable standards.
  • A level field. A single national law gives every organisation the same baseline, so good practice is no longer a competitive disadvantage.
Takeaway. The values have not changed — the difference is that protecting data is now a duty you can be held to, not just an aspiration.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
03
Part Three
Data-protection basics
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What counts as personal data
Personal data
Any data about an individual who is identifiable by or in relation to such data. If it can be linked back to a specific living person, it is personal data.
The test is identifiability. Data does not have to name someone to be personal — if it can be combined with other information to single a person out, it counts.
Clearly personal data
• Name, phone number, address, email
• Photograph, voice recording, video
• Aadhaar/PAN/ration-card number
• Bank account and transaction details
• GPS location of a home or shelter
• Health, caste, religion, disability status
Still personal, because linkable
• A beneficiary ID number tied to a name-list
• ‘The only widow in ward 3 with a disabled child’
• A photo where a face or house is recognisable
• Device or account IDs used to track a person
• A survey record that, combined, identifies one household
Note. The Act covers digital personal data — data in digital form, or paper data that is later digitised. Most NGO data ends up in a spreadsheet, so most of it is covered.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Sensitive data and the DPDP approach
  • A design choice. Unlike the earlier 2011 SPDI Rules and laws like the GDPR, the DPDP Act does not define a separate legal category of ‘sensitive personal data’ with extra rules.
  • One high standard for all. Instead, every category of personal data must meet the same duties of consent, security and purpose limitation.
  • Risk still guides you. The Board weighs the sensitivity and volume of data when judging a failure, so higher-risk data still carries higher stakes in practice.
  • Children get special rules. Data of anyone under 18 is singled out for verifiable parental consent and a ban on tracking and targeted advertising.
  • Sector laws may add more. Health, financial and other regulators can impose stricter handling on their data, on top of the DPDP baseline.
  • Ethics goes beyond the law. Even where the Act treats all data alike, good practice applies extra safeguards to health, GBV, caste and location data.
Practical translation. Do not wait for the law to label your data ‘sensitive’. Judge each field by the harm a leak would cause, and protect accordingly.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What ‘processing’ actually means
Processing
A wholly or partly automated operation performed on personal data — including collection, recording, organisation, storage, use, sharing, alteration and erasure.
Almost everything an NGO does with data is ‘processing’. It is not just about big databases — it starts the moment a field worker writes a name in a notebook and continues until the data is deleted.
01
Collect
02
Store
03
Use
04
Share
05
Delete
  • Collect. A field survey, a registration form, a photograph, a phone call logged in a CRM.
  • Store. Saving files on a laptop, a cloud drive, a phone, or a paper file cabinet.
  • Use. Sorting beneficiaries for a scheme, generating reports, sending SMS reminders.
  • Share. Uploading to a donor portal, emailing a partner, using a third-party analytics tool.
  • Delete. Erasing data once its purpose ends — itself a form of processing you must do lawfully.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The data lifecycle, stage by stage
StageThe core questionYour duty
CollectDo we truly need this field?Collect only what the purpose requires (minimisation) with notice and consent.
StoreWhere does it live and who can open it?Secure it — access limits, passwords, encryption, backups.
UseIs this the purpose we told the person?Use only for the stated purpose; get fresh consent for anything new.
ShareWho else sees it and under what rule?Share only with a lawful basis and a contract binding the recipient.
RetainIs the purpose still active?Keep it only as long as needed for the purpose or the law.
DeleteCan we now safely erase it?Delete securely when the purpose ends, unless a law requires keeping it.
Design principle. Decide the deletion rule at the moment you design the collection form — not years later when the data has spread across five systems.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Identifiable, anonymised, pseudonymised
Identifiable (fully personal)
The record can be traced to a named person — e.g. a beneficiary row with name, phone and village. Full DPDP duties apply.
Pseudonymised (still personal)
Direct identifiers are replaced by a code, but a separate key can re-link them — e.g. ‘HH-0421’ with a lookup table. Still personal data, because it is reversible.
Anonymised (no longer personal)
Data is stripped and aggregated so no individual can be singled out — e.g. ‘62% of 400 households earn below the poverty line’. True anonymisation is hard, because rare combinations of attributes can re-identify someone.
  • Why it matters. Only genuine anonymisation takes data outside the law; pseudonymisation reduces risk but does not remove your duties.
  • The re-identification trap. ‘The only Dalit woman sarpanch in the block’ is identifiable even with the name removed.
  • Practical move. For reports and dashboards, aggregate to groups large enough that no single person stands out.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Digital, paper, and what the Act covers
  • Digital data is in scope. The Act applies to personal data collected in digital form.
  • Digitised paper is in scope. If you collect on paper and later enter it into a computer, the digitised data is covered.
  • Purely paper, never digitised, sits outside. A handwritten register that is never typed up is not covered by the Act — but ethics and other laws still apply, and in practice almost everything gets digitised.
  • Personal or domestic use is exempt. An individual keeping data for purely personal reasons is not a Data Fiduciary — but an organisation running a programme is.
  • Publicly available data has limits. Data an individual has made public themselves, or that must be published by law, is treated differently — but scraping and re-purposing still carries ethical risk.
  • Photos, audio and video count. Any recording from which a person can be recognised is personal data and needs consent.
Do not rely on the paper loophole. The moment a field form is entered into Excel or an app — which is almost always — the full duties switch on.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
How DPDP compares with the GDPR
Many NGO donors operate under Europe’s GDPR. The DPDP Act shares its spirit but differs in important ways:
ThemeGDPR (EU)DPDP Act (India)
PersonData subjectData Principal
OrganisationController / processorData Fiduciary / Data Processor
Sensitive dataSpecial categories with extra rulesNo separate category — one standard for all
Lawful basesSix bases incl. legitimate interestsConsent plus a defined set of ‘legitimate uses’
Child age16 (member states may lower to 13)Under 18 — verifiable parental consent
TransfersRestricted unless adequacy/safeguardsAllowed by default; govt may restrict countries
Breach report72 hours to supervisory authorityReport to the Board within 72 hours
Why it matters. If a European funder asks whether you are ‘GDPR-aligned’, meeting the DPDP Act gets you most of the way — but note the differences, especially the higher child-consent age in India.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The seven principles behind the law
  • Lawful, fair and transparent. Process data only with a valid basis and tell people clearly what you are doing.
  • Purpose limitation. Use data only for the specific purpose the person was told about, not for whatever seems useful later.
  • Data minimisation. Collect only the data you actually need for that purpose — no ‘nice to have’ fields.
  • Accuracy. Keep data correct and up to date, and fix it when a person points out an error.
  • Storage limitation. Keep data only as long as the purpose or the law requires, then delete it.
  • Reasonable security safeguards. Protect data against loss, leak and unauthorised access with appropriate technical and organisational measures.
  • Accountability. Be able to demonstrate compliance — policies, records and a person responsible — not just claim it.
Memory aid. Only collect what you need, for a reason you have told them, keep it safe, keep it accurate, and get rid of it when you are done — and be able to show you did.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
“We are small, it does not apply to us”
The most dangerous myth in the sector is that the law is only for tech giants. Here is why small NGOs are squarely in scope:
The myth
• ‘We are a non-profit, so we are exempt.’
• ‘We only have a few thousand records.’
• ‘We do not sell data, so we are fine.’
• ‘It is just a spreadsheet, not a database.’
• ‘The Board will never look at an NGO.’
The reality
• The Act has no non-profit exemption.
• Duties apply regardless of volume; only some extra duties depend on scale.
• Selling data is not the trigger — processing is.
• A spreadsheet of personal data is a database in law.
• Complaints from beneficiaries, not audits, are the likely trigger.
Reality check. The Act calibrates how much you must do to your size and risk — but not whether the core duties apply. They apply to everyone.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
04
Part Four
Meet the DPDP Act 2023
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The road to the DPDP Act
India’s data-protection law was more than a decade in the making. Understanding the journey explains why the Act looks the way it does.
  • 2011 — SPDI Rules. Early rules under the IT Act set limited safeguards for ‘sensitive personal data’ but were weak and rarely enforced.
  • 2017 — Puttaswamy. The Supreme Court declared privacy a fundamental right and effectively required a dedicated data-protection law.
  • 2018 — Srikrishna Committee. An expert committee produced a draft Personal Data Protection Bill and a landmark report on the issues.
  • 2019–2022 — Bills and withdrawal. Successive drafts were debated by a Joint Parliamentary Committee; the 2019 Bill was withdrawn in 2022 after wide criticism.
  • 2023 — DPDP Act. A leaner Bill was introduced and passed by Parliament, receiving Presidential assent on 11 August 2023 as Act No. 22 of 2023.
  • 2025 — the Rules. The operational Rules were notified on 13 November 2025, setting out the detail and a phased enforcement timeline.
Takeaway. The law is deliberately shorter and simpler than earlier drafts — principles-based, with much of the detail left to the Rules.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The enforcement timeline at a glance
2023
Act passed
2025
Rules notified
2026
Consent-manager rules
2027
Core duties enforceable
WhenWhat switches on
11 Aug 2023The Act receives Presidential assent (Act No. 22 of 2023).
13 Nov 2025DPDP Rules notified; foundational provisions and the Data Protection Board take effect.
~12 months laterConsent Manager registration and obligations commence.
~18 months laterThe main operational duties — notice, security, breach reporting, retention, children’s consent, SDF duties, transfers — become enforceable.
Read it as a runway. The phasing gives organisations time to prepare — roughly through 2027 — but the direction and content of your duties are already fixed.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What the Act covers
  • Digital personal data. The Act governs personal data processed in digital form, or on paper and later digitised.
  • Processing within India. It covers any processing of digital personal data that takes place inside India.
  • All kinds of organisation. Companies, government bodies, trusts, societies and NGOs are all ‘Data Fiduciaries’ when they decide how data is used.
  • Consent and legitimate uses. It sets out when processing is lawful — primarily with consent, plus a defined list of legitimate uses.
  • Rights and duties. It grants individuals rights over their data and places binding obligations on those who process it.
  • An enforcement machinery. It establishes the Data Protection Board of India, a penalty schedule, and an appeals route.
What it does not cover. Non-personal or fully anonymised data, purely personal or domestic processing, and (with conditions) certain publicly available data.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Act’s extra-territorial reach
The DPDP Act does not stop at India’s borders. It also applies to processing that happens outside India in certain cases:
  • The trigger. Processing done outside India is covered if it is in connection with offering goods or services to Data Principals within India.
  • Why it exists. It stops organisations from escaping the law simply by hosting data or operating from abroad while serving people in India.
  • Relevance to NGOs. International NGOs and networks that serve Indian communities from overseas offices are drawn into scope.
  • Cloud and vendors. Using a foreign cloud provider does not move your data outside the law — you remain the accountable Data Fiduciary.
  • A limited outsourcing exception. Where an Indian entity only processes foreigners’ data under a contract with a foreign company, lighter duties may apply — a narrow carve-out unlikely to fit most domestic NGO work.
Practical point. If the people whose data you handle live in India, assume the Act applies — wherever your servers or head office happen to be.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What is exempt or treated differently
SituationTreatment under the Act
Personal or domestic useAn individual using data for purely personal reasons is not a Data Fiduciary.
Publicly available dataData an individual has themselves made public, or that must be published by law, is treated differently.
Research, archiving, statisticsProcessing for these purposes may be exempt from many duties, subject to conditions — provided it is not used for decisions about a specific person.
Certain State functionsThe government can exempt notified agencies for reasons like national security or public order.
Legal claims & regulatorsProcessing needed to enforce a legal right or comply with a legal duty is permitted.
Startups (if notified)The government may relax some duties for classes of Data Fiduciaries it notifies.
Do not over-read the exemptions. The research exemption in particular is conditional; do not assume your beneficiary survey qualifies. When in doubt, treat the core duties as applying.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The status of the Rules in 2026
A statute sets principles; the Rules supply the operating detail. The DPDP Rules, notified on 13 November 2025, tell organisations how to comply. As of mid-2026, key points to know:
  • Phased commencement. Different Rules switch on at different dates — some immediately, consent-manager rules at about twelve months, and the bulk of operational duties at about eighteen months.
  • Notice standards. The Rules specify what an itemised notice to individuals must contain and how it must be presented.
  • Breach reporting. They set the requirement to inform affected persons without delay and to give the Board a detailed report within 72 hours.
  • Retention triggers. They define when certain large platforms must erase data after periods of user inactivity.
  • Children’s consent. They describe how verifiable parental consent and age assurance are to work.
  • Security & SDF duties. They flesh out reasonable security safeguards and the extra duties of Significant Data Fiduciaries.
Stay current. Because the Rules are new and phasing in, confirm the latest commencement dates and any clarifications before making a compliance decision with legal consequences.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
How the Act is structured
Part of the ActWhat it deals with
PreliminaryShort title, commencement, and the definitions that anchor the whole law.
Obligations of Data FiduciariesGrounds for processing, notice, consent, security, breach notice, children’s and SDF duties.
Rights & duties of Data PrincipalsAccess, correction, erasure, grievance, nomination — and the duties on individuals.
Special provisionsCross-border transfer, exemptions, and processing by the State.
Data Protection BoardEstablishment, composition, powers and functions of the regulator.
Penalties & appealsThe penalty schedule, adjudication, voluntary undertakings and the appellate route.
The ScheduleThe table of maximum financial penalties for each type of failure.
Orientation tip. For an NGO, the two chapters that matter most in daily work are the Data Fiduciary obligations and the Data Principal rights — Parts 8 and 7 of this course.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The seven principles as legal duties
The abstract principles from Part 3 become concrete duties in the Act. Here is how each translates into something you must actually do:
PrincipleYour operational duty
Lawful & transparentProcess only on consent or a legitimate use, and give a clear notice first.
Purpose limitationState the purpose; do not reuse data for a new purpose without fresh consent.
MinimisationCut every field from your form that the stated purpose does not require.
AccuracyHave a process to correct and update data on request.
Storage limitationSet a retention period and delete when it ends.
SecurityApply access controls, passwords, encryption and backups.
AccountabilityKeep a policy, records, and a named responsible person.
Use this as a menu. Each row in the right column is a task you can assign, schedule and check off — that is what compliance looks like in practice.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What changed from the old regime
AspectBefore (IT Act / SPDI Rules)Now (DPDP Act & Rules)
CoverageOnly ‘sensitive personal data’ had real rulesAll personal data covered by one standard
Individual rightsMinimal and rarely usableClear rights to access, correct, erase, complain
RegulatorNo dedicated data-protection authorityData Protection Board of India
ConsentVague and often bundledFree, specific, informed, unambiguous; withdrawable
Breach dutyLimited and unclearNotify affected persons and the Board within 72 hours
PenaltiesLow and hard to enforceStructured schedule up to ₹250 crore
Net effect. India moved from a weak, patchy regime to a comprehensive, enforceable one. For NGOs that never had a privacy policy, this is a genuinely new obligation — not a light update.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
05
Part Five
The key roles
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Data Principal
Data Principal
The individual to whom the personal data relates. Where the individual is a child, it includes the parent or lawful guardian; where a person with a disability, it includes their lawful guardian.
  • Who they are in your work. Your beneficiaries, their family members, donors, volunteers, job applicants and staff are all Data Principals.
  • They hold the rights. The Act gives them — not the organisation — the rights to access, correct, erase and complain about their data.
  • Children are represented. For anyone under 18, the parent or guardian acts as the Data Principal for consent purposes.
  • Persons with disabilities. A lawful guardian may act on behalf of a person with a disability who cannot exercise the rights themselves.
  • They can nominate. A Data Principal may nominate someone to exercise their rights in the event of death or incapacity.
  • They also have duties. The Act asks Data Principals to act in good faith — not to impersonate, mislead or file false complaints.
Mindset shift. The data in your MIS belongs, in rights terms, to the people it describes. You are its steward, not its owner.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Data Fiduciary
Data Fiduciary
Any person or organisation that, alone or with others, determines the purpose and means of processing personal data. This is the entity the law holds accountable.
  • This is almost always your NGO. If you decide why data is collected and how it is used, you are the Data Fiduciary.
  • The word matters. ‘Fiduciary’ implies a position of trust — you hold data on behalf of people who depend on you to protect it.
  • You carry the duties. Notice, consent, security, breach reporting, retention and rights-handling all sit with the Fiduciary.
  • Accountability cannot be outsourced. You remain responsible even when a vendor does the actual processing.
  • Joint fiduciaries exist. When two organisations jointly decide purpose and means — e.g. a consortium project — both can be Data Fiduciaries.
  • A named person helps. Even where not strictly required, appointing someone responsible makes the Fiduciary’s duties real.
Test yourself. Do you decide what data to collect and what to do with it? If yes, you are a Data Fiduciary and this whole course is about your duties.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Data Processor
Data Processor
Any person or organisation that processes personal data on behalf of a Data Fiduciary, only under a valid contract with that Fiduciary.
  • Processors act on instruction. They handle data for you but do not decide the purpose themselves.
  • Common NGO processors. Your cloud storage provider, mobile survey platform, SMS gateway, payroll firm, or an outsourced call centre.
  • A contract is mandatory. The Act requires a valid contract between Fiduciary and Processor before data may be handled on your behalf.
  • You stay liable. If your processor leaks data, the accountability still runs back to you as the Fiduciary.
  • Choose carefully. A cheap tool with weak security is a liability you cannot delegate away.
  • Sub-processors count. If your vendor uses another vendor, that chain must also be governed by contract.
Action. Make a list of every third party that touches your beneficiary data, and check that each is bound by a written contract on how they handle it.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Significant Data Fiduciary (SDF)
Significant Data Fiduciary
A Data Fiduciary or class of Fiduciaries that the Central Government notifies as ‘significant’, based on factors such as the volume and sensitivity of data processed and the risks involved.
SDFs carry extra duties because the potential harm from their processing is greater. The government decides who is an SDF using factors including:
  • Volume and sensitivity of the personal data processed.
  • Risk to the rights of Data Principals.
  • Potential impact on the sovereignty and integrity of India and on electoral democracy.
  • Security of the State and public order.
Do most NGOs qualify? Usually not — SDF status is aimed at large-scale, high-risk data handlers. But an NGO running a very large, sensitive database could be notified, so know the extra duties (covered in Part 8): a Data Protection Officer based in India, an independent data auditor, and periodic Data Protection Impact Assessments.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Consent Manager
Consent Manager
A platform, registered with the Data Protection Board, through which a Data Principal can give, manage, review and withdraw consent — presented in an accessible, transparent and interoperable way.
  • A single dashboard for consent. The idea is that individuals manage all their consents in one place, rather than tracking dozens of separate forms.
  • Registered and accountable. Consent Managers must register with the Board and meet conditions set out in the Rules, including record-keeping.
  • They act for the individual. The Consent Manager is accountable to the Data Principal, acting on their behalf.
  • An emerging ecosystem. Registration and obligations phase in about a year after the Rules, so the market is still forming.
  • What it means for NGOs. Most NGOs will not build one, but may in future receive or verify consent through a Consent Manager platform.
  • Records matter. Consent Managers are expected to maintain consent records for extended periods, reinforcing that consent must be documented, not assumed.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Data Protection Board of India
Data Protection Board of India
The independent regulator established by the Act to enforce it — receiving complaints, investigating breaches, and imposing penalties. It is designed to function as a digital-first body.
  • What it does. It determines whether a breach of the Act has occurred and imposes financial penalties where it has.
  • How it is triggered. It acts on complaints from Data Principals, references from government, and its own knowledge of breaches.
  • Grievance first. An individual is generally expected to exhaust the Fiduciary’s own grievance process before approaching the Board.
  • Remedial powers. It can direct urgent measures to contain a breach and can accept voluntary undertakings to fix problems.
  • Digital by design. Proceedings are intended to be conducted largely online for efficiency.
  • Not a rule-maker. The Board enforces; it is the Central Government that makes the Rules.
For NGOs. The realistic way you would encounter the Board is a beneficiary complaint that you failed to resolve — which is why a working grievance process is your first line of defence.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The appellate route
Decisions of the Data Protection Board are not the final word. The Act provides a route to challenge them.
01
Fiduciary grievance
02
Data Protection Board
03
Appellate Tribunal
04
Courts
  • Appeal to the Tribunal. Under Section 29, an appeal from a Board order lies to the Appellate Tribunal — a role assigned to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
  • Digital and time-bound. The appellate process is designed to be efficient, with the Tribunal following its own procedure.
  • Beyond the Tribunal. Its decisions can, in turn, be challenged before the higher courts.
  • Voluntary undertaking as an off-ramp. Under Section 32, the Board may accept a voluntary undertaking to remedy a failure, avoiding a contested penalty — unless the undertaking is then breached.
Reassurance. Enforcement is not arbitrary — there is due process, a right to be heard, and an appeal. But prevention is far cheaper than any of these steps.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Mapping the roles onto a real NGO
Worked example
A nutrition NGO running a district programme
Trace one mother’s data through the programme and the legal roles become concrete.
ActorRole under the Act
The mother enrolled in the programmeData Principal
Her child under 18Data Principal, represented by the mother/guardian
The NGO deciding what to collect and whyData Fiduciary
The mobile survey app storing the formsData Processor (needs a contract)
The cloud host behind the appSub-processor in the chain
The NGO’s grievance officerContact point for rights and complaints
The Data Protection BoardRegulator, if a complaint is escalated
Exercise. Do this mapping for your own flagship programme. If you cannot name the Processor and confirm its contract, that is your first gap to close.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The roles side by side
RoleDecides purpose?Key duty
Data PrincipalNo — holds rightsExercise rights honestly; do not mislead
Data FiduciaryYesMeet all core duties; stay accountable
Data ProcessorNo — acts on instructionProcess only under contract; secure the data
Significant Data FiduciaryYes, at scale/high riskExtra: DPO, data auditor, DPIA
Consent ManagerNo — serves the individualEnable give/withdraw consent; keep records
Data Protection BoardNo — enforcesInvestigate breaches; impose penalties
One-line summary. The Principal owns the rights, the Fiduciary owns the duties, the Processor works under contract, the SDF does more, and the Board enforces.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
06
Part Six
Consent & notice
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The consent standard
Consent is the primary lawful basis for processing under the Act — but only consent that meets a strict standard counts. Valid consent must be:
  • Free. Given without coercion — a real concern in aid settings where refusing may feel like risking the benefit.
  • Specific. Tied to a stated purpose, not a blanket ‘we may use your data for anything’.
  • Informed. Given after the person has been told, in clear terms, what data is taken and why.
  • Unconditional. Not bundled so that a person must accept unrelated processing to get the service.
  • Unambiguous, with a clear affirmative action. A positive act like a signature or tick — not silence, pre-ticked boxes, or inaction.
Watch the power imbalance. When people cannot say no without losing aid, ‘free’ consent is fragile. Separate the essentials of the service from optional uses like photos, case studies and mailing lists — and let people decline the optional parts without penalty.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The itemised notice
Consent is only valid if it follows a proper notice. Before or when you seek consent, you must give the person a clear, itemised notice. It should tell them:
  • What data you are collecting — the specific fields, not a vague ‘your details’.
  • Why — the specific purpose for which the data will be processed.
  • How to exercise rights — the way the person can later access, correct, or erase their data and withdraw consent.
  • How to complain — the way to make a grievance to you, and to the Data Protection Board.
  • In a language they understand — the notice must be available in English or any language listed in the Constitution’s Eighth Schedule.
A bad notice
‘I agree to the terms and conditions.’ — vague, bundled, no purpose, no rights, no plain language.
A good notice
‘We collect your name, phone and household income to check eligibility for the livelihoods grant. You can ask to see, correct or delete this data, or complain, by contacting [name]. [Local language.]’
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The right to withdraw
  • Consent is not forever. A Data Principal can withdraw consent at any time — you cannot treat an initial ‘yes’ as permanent.
  • As easy to leave as to join. Withdrawing consent must be as straightforward as giving it was; you cannot bury it in obstacles.
  • What happens next. Once consent is withdrawn, you must stop processing and delete the data, unless a law requires you to keep it.
  • Past processing stays valid. Withdrawal is forward-looking; it does not make lawful processing that already happened unlawful.
  • Tell them the consequence. If withdrawing means they can no longer receive a service, explain that honestly — without using it as a threat.
  • Flow it to processors. When someone withdraws, you must ensure your processors also stop and delete accordingly.
Build it in. Your consent form should name a simple way to withdraw — a phone number or a person — and your team should know how to action it.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Children under 18 — verifiable parental consent
A defining rule
A child is anyone under 18
India sets the threshold at 18 — higher than many countries. For any Data Principal below that age, extra protections apply.
  • Verifiable parental consent. You must obtain the verifiable consent of a parent or lawful guardian before processing a child’s data.
  • Age assurance. The Rules require reasonable steps to verify that the consenting adult is in fact a parent or guardian, using reliable identity or age information.
  • No tracking or targeting. The Act prohibits tracking, behavioural monitoring and targeted advertising directed at children.
  • No detrimental processing. Processing likely to have a detrimental effect on a child’s well-being is not permitted.
  • Why it matters for NGOs. Education, child-protection, nutrition and sponsorship programmes handle children’s data constantly — this rule is central to your work.
Photos of children. A recognisable image of a child is their personal data. Publishing it — in a report, on social media, to a donor — needs verifiable parental consent for that specific use.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Persons with disabilities and guardians
  • Guardian consent. For a person with a disability who has a lawful guardian, that guardian gives consent on their behalf, in the manner prescribed.
  • Dignity first. Guardianship is not a licence to ignore the person; involve them in decisions about their data to the greatest extent possible.
  • Accessible notices. Present notice and consent in formats the person can genuinely understand — this reflects the spirit of accessibility law.
  • Not all disabilities involve guardianship. Many persons with disabilities give their own consent; the guardian route applies only where there is a lawful guardian.
  • Match your safeguarding policy. Align data consent with your organisation’s existing safeguarding and inclusion commitments.
  • Document the basis. Record who consented and on what authority, so the basis for processing is clear later.
Inclusion lens. Treat accessible consent not as a compliance chore but as part of respecting the agency of every person you serve.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Legitimate uses — when consent is not the basis
Consent is the main route, but the Act also allows processing for certain defined ‘legitimate uses’ without separate consent. The most relevant include:
  • Voluntarily provided data. Where a person gives their data for a purpose and has not objected to its use for that purpose.
  • State benefits and services. For the State to provide a subsidy, benefit, service, certificate, licence or permit, subject to conditions.
  • Legal obligations. To comply with a law, or a judgment or order.
  • Medical emergencies. To respond to a threat to life or an immediate threat to health.
  • Disasters and public order. To provide assistance during an epidemic, disaster or breakdown of public order.
  • Employment purposes. For purposes connected with employment and safeguarding the employer from loss.
Do not over-claim. Legitimate uses are specific and limited. For ordinary programme data, consent is your safest and clearest basis — treat the legitimate-use routes as narrow exceptions, not a way to skip consent.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Exemptions and where they stop
Exemption areaWhat it allowsThe catch
Research & statisticsProcessing for research, archiving or statisticsOnly if not used for decisions about a specific person; conditions apply
Legal rightsProcessing to enforce or defend a legal claimLimited to that purpose
Notified State agenciesGovernment may exempt certain bodiesFor defined reasons like security and public order
Publicly available dataData the person made public themselvesDoes not cover data that merely leaked
Startups (if notified)Relaxation of some dutiesOnly for classes the government notifies
NGO caution. The research exemption tempts organisations that survey communities. But it is conditional and does not cover data used to decide who gets a benefit. When your data drives decisions about individuals, treat the full duties as applying.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Consent Manager mechanism
01
Individual signs up
02
Grants consents
03
Reviews anytime
04
Withdraws easily
  • A consent hub for individuals. The Consent Manager gives people one dashboard to see and control every consent they have granted.
  • Registered with the Board. It must register and meet conditions in the Rules, including maintaining consent records for extended periods.
  • Interoperable by design. It is meant to work across many Data Fiduciaries, so consent is portable.
  • Still emerging. The obligations phase in about a year after the Rules, so the ecosystem is young.
  • For NGOs. You likely will not run one, but should be ready to honour consents and withdrawals that come through such a platform in future.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Getting consent right in the field
Do
• Explain purpose in the local language, out loud, before collecting.
• Separate essential data from optional uses like photos and case studies.
• Let people decline the optional parts and still get the service.
• Record what they consented to and when.
• Give a simple way to withdraw — a name and a number.
• Re-consent when the purpose changes.
Don’t
• Use pre-ticked boxes or assume silence means yes.
• Bundle unrelated uses into one blanket consent.
• Imply that refusing means losing the aid.
• Collect fields ‘just in case’ they are useful.
• Reuse survey data for fundraising without fresh consent.
• Take a child’s photo without verifiable parental consent.
The honesty test. If you would be uncomfortable reading your consent notice aloud, slowly, to the person in their own language — it is not good enough.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
07
Part Seven
Rights & duties of the Data Principal
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The right to access information
Right to access (Section 11)
A Data Principal can ask a Fiduciary for a summary of the personal data being processed, the processing activities, and the identities of other Fiduciaries and Processors with whom the data has been shared.
  • What they can ask for. A summary of the data you hold about them and what you are doing with it.
  • Who has it. The identities of any other Fiduciaries or Processors you have shared their data with, and a description of what was shared.
  • Applies to consent-based processing. The right centres on data processed on the basis of the person’s consent.
  • Be ready to answer. You should be able to pull together what you hold on one individual without a frantic search across five systems.
  • Verify identity first. Confirm the requester is who they claim to be before releasing anything — releasing to an impostor is itself a breach.
  • Respond in reasonable time. Have a defined turnaround so requests are not lost.
Readiness test. If a beneficiary walked in today and asked ‘what do you know about me and who have you told?’, could you answer within a week?
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The right to correction and erasure
Right to correction & erasure (Section 12)
A Data Principal can request correction, completion or updating of their data, and erasure of data that is no longer needed for the purpose it was collected for.
  • Correction. Fix data that is wrong — a mis-recorded age, a wrong bank number, a misspelled name.
  • Completion and updating. Fill in or refresh data that is incomplete or out of date.
  • Erasure. Delete data you no longer need for its purpose, unless a law requires you to retain it.
  • Automatic erasure too. Even without a request, you should erase data once consent is withdrawn or the purpose is fulfilled.
  • Cascade the change. A correction or deletion should flow to your processors and to copies in backups where feasible.
  • Keep a record of the action. Note what you corrected or erased and when, to show you complied.
The hard part. Erasure is only possible if you know where all the copies are. This is exactly why the data map in Part 10 comes first.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The right to grievance redressal
Right to grievance redressal (Section 13)
A Data Principal has the right to a readily available means of grievance redressal provided by the Data Fiduciary, and the Fiduciary must respond within the prescribed period.
  • You must offer a channel. Every Data Fiduciary must give people an accessible way to raise a complaint about their data.
  • Publish the contact. The name and contact of the person handling grievances (or a Data Protection Officer, for an SDF) must be made available.
  • Respond in time. The Fiduciary must respond within the period prescribed under the Rules.
  • Grievance before the Board. Individuals are generally expected to use your grievance process before escalating to the Data Protection Board.
  • Log every complaint. Keep a simple register of complaints received, actions taken and dates — it is your evidence of good faith.
  • Close the loop. Tell the person what you did, not just that you received their complaint.
Your first line of defence. A responsive grievance process is the single most effective way to keep a complaint from ever reaching the Board.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The right to nominate
Right to nominate (Section 14)
A Data Principal can nominate another individual to exercise their rights under the Act in the event of their death or incapacity.
  • Continuity of rights. Nomination ensures someone can act on a person’s behalf if they die or become unable to act.
  • Chosen by the individual. The Data Principal decides who the nominee is.
  • Relevant in sensitive programmes. In health, disability or end-of-life contexts, this can matter for closing accounts and handling records with dignity.
  • Honour it when invoked. If a valid nominee comes forward, treat their requests as you would the Data Principal’s own.
  • Verify the nomination. Confirm the nominee’s authority before acting, just as you would verify any requester.
  • Rare but real. You may seldom see this, but your process should not fall over when you do.
Practical note. You do not need to build elaborate systems for nomination — just know the right exists and be ready to respect a valid one.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Building a rights-request workflow
The four rights only mean something if your team can act on them. A simple, repeatable workflow turns a legal right into a real service:
01
Receive
02
Verify identity
03
Locate data
04
Act
05
Record & reply
  • Receive. Give one clear channel — a phone number, email or person — and log every request.
  • Verify. Confirm the requester’s identity before releasing or changing anything.
  • Locate. Use your data map to find every copy across systems and backups.
  • Act. Provide the summary, make the correction, or erase the data as requested.
  • Record and reply. Note what you did and tell the person, within your set turnaround.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The duties of the Data Principal
The Act is not one-sided. Section 15 places duties on individuals too. Data Principals must, among other things:
  • Comply with applicable law. Exercise their rights within the framework of the law.
  • Not impersonate. Not pretend to be someone else when providing their personal data.
  • Not suppress material information. Not hide required information when applying for a benefit, document or service.
  • Not file false or frivolous complaints. Not register a false or baseless grievance or complaint with a Fiduciary or the Board.
  • Furnish authentic information. Provide only verifiably authentic data when exercising the right to correction or erasure.
The consequence. Breach of these duties can attract a penalty of up to ₹10,000 under the Schedule — small, but a reminder that rights come with responsibilities. For NGOs, this matters when helping beneficiaries make requests: encourage genuine, accurate claims.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
How fast must you respond?
  • Prescribed timelines. The Act and Rules set periods within which you must respond to grievances and rights requests — treat prompt response as the norm, not the exception.
  • Do not sit on requests. A slow or ignored request is what pushes a person to escalate to the Board.
  • Set an internal service standard. Even before the exact statutory period, commit your team to, say, acknowledging within days and resolving within weeks.
  • Acknowledge immediately. A quick ‘we have received your request and will respond by [date]’ buys goodwill and time.
  • Escalate hard cases. If a request is complex — erasure across many systems — assign it and track it, do not let it drift.
  • Keep the clock visible. Log the date received and the date due so nothing quietly expires.
Confirm the exact period. Because the Rules set the precise timelines and are phasing in, check the current prescribed period before publishing a firm commitment.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
A beneficiary asks to be erased
Scenario
“Please remove me from all your records”
A woman who left a livelihoods programme asks the NGO to delete all her data. Her details sit in an Excel file, a mobile app, a printed register, two staff email inboxes, and a donor report already submitted.
  • Verify. Confirm it is really her before acting.
  • Locate. Use the data map to list every place her data lives — including backups and the survey app.
  • Distinguish what must stay. Some records you may be legally required to retain (e.g. audit or grant-compliance records); the rest should go.
  • Erase the rest. Delete from active systems, instruct the processor to delete, and shred the paper register entry.
  • Explain the limits. Tell her honestly what you deleted and what the law requires you to keep, and for how long.
  • Record it. Note the request, the actions and the retained items, with dates.
The lesson. You cannot honour erasure if you do not know where the copies are. Every uncontrolled copy is a future obligation you cannot meet.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Rights and duties at a glance
Right of the individualWhat you must do
Access (Sec 11)Provide a summary of data held, uses, and who it was shared with.
Correction & erasure (Sec 12)Fix, complete or delete data on valid request.
Grievance redressal (Sec 13)Offer an accessible complaint channel and respond in time.
Nomination (Sec 14)Honour a valid nominee acting for a deceased or incapacitated person.
And the individual’s duties (Section 15): comply with the law, do not impersonate, do not suppress material information, do not file false complaints, and furnish authentic information — breach carries a penalty up to ₹10,000.
Balance. The Act pairs strong individual rights with a duty of honesty — and pairs both with the Fiduciary obligations in the next part.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
08
Part Eight
Obligations of the Data Fiduciary
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Purpose limitation and minimisation
Purpose limitation
Use data only for the specific purpose you told the person about. A new purpose needs a new notice and fresh consent. Survey data collected for eligibility cannot quietly become a fundraising mailing list.
Data minimisation
Collect only the data the purpose actually needs. Every extra field is extra risk with no benefit. If you cannot say why a field is needed, remove it from the form.
  • Interrogate every field. For each question on your form, ask: does the purpose fail without this? If not, cut it.
  • Caste, religion, health. Collect these only where the programme genuinely requires them — not out of habit.
  • Separate consents for separate purposes. Eligibility, photos, follow-up research and mailing lists are different purposes.
  • Less data, less exposure. The data you never collected cannot leak, be subpoenaed, or need erasing.
Discipline. Minimisation is the cheapest safeguard you have. A shorter form is safer, faster to fill, and easier to protect.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Accuracy and completeness
  • Keep data correct. Where data is used to make a decision about a person, take reasonable steps to ensure it is accurate and complete.
  • Why it matters. Wrong data means wrong decisions — a mistyped income can wrongly exclude a family from a benefit.
  • Verify at the source. Read details back to the person at collection; a thirty-second check prevents months of error.
  • Enable correction. Make it easy for people to flag and fix mistakes — this is both their right and your duty.
  • Update, do not just add. When circumstances change, update the record rather than piling up conflicting entries.
  • Guard against duplication. Duplicate records for one person cause errors and make erasure requests hard to fulfil.
Quality is protection. Accurate, de-duplicated data is not just a compliance point — it is the foundation of fair, effective programmes and clean evaluation.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Reasonable security safeguards
The Act requires every Data Fiduciary to protect personal data with reasonable security safeguards. This is the most heavily penalised duty. Practical measures for an NGO include:
  • Access control. Give each staff member access only to the data their role needs — not the whole database.
  • Strong authentication. Password-protect every device and account; use unique passwords and, where possible, two-factor login.
  • Encryption. Encrypt laptops, phones and sensitive files so a lost device does not become a lost database.
  • Backups. Keep secure, tested backups so data loss does not become permanent.
  • Logging and monitoring. Keep a basic record of who accessed sensitive data, to detect and investigate misuse.
  • No shared logins. Individual accounts, so actions can be traced and access removed when someone leaves.
  • Physical security. Lock filing cabinets and offices; paper is data too.
Proportionate, not perfect. ‘Reasonable’ scales with your size and the sensitivity of your data — but the basics above are within reach of any organisation.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Personal data breach notification
A dual duty
Tell the people, and tell the Board
If personal data is compromised, the Data Fiduciary must notify both the affected Data Principals and the Data Protection Board — failure to do so is among the most heavily penalised breaches.
  • Notify affected persons. Inform the individuals whose data was compromised, without delay, so they can protect themselves.
  • Report to the Board. Provide the Data Protection Board a detailed report within 72 hours of becoming aware of the breach (an extension may be sought).
  • The clock starts at awareness. 72 hours runs from when you become aware — not when you finish investigating.
  • Broad definition. A ‘breach’ includes unauthorised access, disclosure, loss, or destruction of personal data — not only hacking.
  • Content of the notice. Explain what happened, the likely consequences, and the steps people can take and you are taking.
Prepare in advance. You cannot meet a 72-hour clock if you are inventing a process during the crisis. Part 10’s breach-response plan exists for exactly this moment.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Retention limits and erasure
  • Keep only as long as needed. Retain personal data only for as long as the purpose requires, or as a law requires.
  • Erase when done. When the purpose is served and consent is withdrawn, delete the data — and ensure your processors do too.
  • Set periods in advance. Decide a retention period for each data type when you design collection, not years later.
  • Special rule for large platforms. For certain notified classes of large Data Fiduciaries, the Rules require erasing data after a defined period of user inactivity — commonly three years — with advance notice before deletion.
  • Advance warning. Where that rule applies, the person is given notice (the Rules reference a 48-hour advance intimation) before erasure.
  • Balance with obligations. Where audit, tax or grant rules require you to keep records, retain the minimum for the required period, then delete.
Anti-hoarding mindset. Old data you no longer use is pure liability — it can still leak, but delivers no value. A deletion schedule turns that liability off.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Extra duties of a Significant Data Fiduciary
If the government notifies an organisation as a Significant Data Fiduciary, three additional duties apply on top of everything else:
  • Data Protection Officer (DPO). Appoint a DPO based in India who is responsible to the board of the organisation and serves as the contact point for grievances.
  • Independent data auditor. Appoint an independent auditor to evaluate the organisation’s compliance with the Act.
  • Data Protection Impact Assessment (DPIA). Undertake periodic DPIAs and periodic audits, and other measures the Rules prescribe.
DutyPurpose
DPO in IndiaA senior, accountable person owning data protection
Independent auditExternal check that duties are actually met
Periodic DPIAAssess and reduce risk before harm occurs
For most NGOs. You are unlikely to be an SDF — but adopting a lighter version of these (a named data lead, an annual self-review, a simple risk assessment) is good practice for anyone.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Cross-border data transfer
  • Allowed by default. The Act permits transferring personal data outside India, except to countries or territories the government specifically restricts.
  • A blacklist model. Rather than pre-approving destinations, the government may notify places to which transfers are not permitted.
  • Sector rules still bite. Where other Indian laws impose stricter data-localisation on certain data, those continue to apply.
  • Cloud is a transfer. Using a foreign-hosted cloud service is a cross-border transfer — check where your provider stores data.
  • You remain accountable. Transferring data abroad does not transfer your responsibility for it.
  • Donor and partner sharing. Sending beneficiary data to an overseas HQ or funder is a transfer — do it only with a basis and a contract.
Practical step. Ask your cloud and software vendors where data physically resides, and confirm it is not in a restricted destination — then record the answer.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Processor contracts and accountability
You can delegate processing, but never accountability. Any third party that touches your data must be governed by a contract.
  • Contract is mandatory. The Act requires a valid contract before a Processor handles personal data on your behalf.
  • What the contract should cover. Purpose limits, security measures, confidentiality, breach notification to you, deletion on request, and sub-processor controls.
  • Right to instruct and audit. Reserve the right to direct how the data is handled and to check compliance.
  • Deletion on exit. Require the Processor to return or delete data when the contract ends.
  • Breach flow-up. Require the Processor to tell you promptly if they suffer a breach, so you can meet your own 72-hour duty.
  • Vet before you sign. Choose vendors with credible security; a free tool with weak protection is a false economy.
Common gap. Many NGOs use free or cheap survey, storage and messaging tools with no contract at all. Under the Act, that is an unmanaged risk sitting in your programme.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Fiduciary obligations checklist
ObligationThe one-line test
Lawful basisDo we have consent or a legitimate use for every use?
NoticeDid we tell people what, why, and how to exercise rights?
Purpose limitationAre we using data only for the stated purpose?
MinimisationHave we cut every field we do not need?
AccuracyCan people correct their data easily?
SecurityIs access limited, and are devices and files protected?
Breach responseCan we notify people and the Board within 72 hours?
RetentionDo we delete data when its purpose ends?
ContractsIs every vendor bound by a data contract?
Use it as an agenda. Each row is a standing item for a quarterly data-protection review by your leadership team.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
09
Part Nine
Enforcement & penalties
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The Data Protection Board’s role
  • An adjudicatory body. The Board’s job is to determine whether a breach of the Act occurred and to impose penalties where it did.
  • Investigation powers. It can inquire into complaints and breaches and direct the production of information.
  • Urgent directions. It can order interim or remedial measures to contain an ongoing breach.
  • Penalty setting. It sets the penalty within the maximums in the Schedule, weighing the nature, gravity and duration of the failure.
  • Voluntary undertakings. It can accept an undertaking from a Fiduciary to fix a problem instead of imposing a penalty.
  • Digital first. It is designed to receive complaints and conduct proceedings largely online.
What it is not. The Board does not write the rules or issue detailed sectoral guidance — that is the government’s role. The Board enforces the law as written.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
How a complaint moves through the system
01
Grievance to you
02
Complaint to Board
03
Inquiry
04
Order & penalty
05
Appeal
  • Grievance first. The individual is generally expected to raise the matter through the Fiduciary’s grievance mechanism before going to the Board.
  • Complaint to the Board. If unresolved, the person can complain to the Data Protection Board.
  • Inquiry. The Board examines the facts, seeks information, and gives the Fiduciary a chance to be heard.
  • Order. It can direct remedial steps and impose a financial penalty within the Schedule.
  • Appeal. The Fiduciary (or complainant) can appeal to the Appellate Tribunal, and beyond to the courts.
The lesson for NGOs. Most trouble is stopped at step one. A prompt, fair grievance response usually prevents escalation entirely.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The penalty schedule
The Schedule to the Act sets the maximum financial penalty for each category of failure. These are ceilings; the Board decides the actual amount case by case.
FailureMaximum penalty
Failure of reasonable security safeguardsUp to ₹250 crore
Failure to notify a personal data breachUp to ₹200 crore
Breach of obligations regarding children’s dataUp to ₹200 crore
Breach of additional obligations of an SDFUp to ₹150 crore
Breach of a Data Principal’s dutiesUp to ₹10,000
Breach of any other provisionUp to ₹50 crore
Read the pattern. The law reserves its harshest penalties for two things: failing to keep data secure, and failing to be honest when a breach occurs. Those are precisely the two duties to get right first.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
What triggers each penalty
  • Security failure (up to ₹250 cr). An open link, a lost unencrypted laptop, a shared login, weak access controls — anything that lets data leak because safeguards were inadequate.
  • Breach-notification failure (up to ₹200 cr). Discovering a breach and staying silent — not telling affected people or the Board within the required time.
  • Children’s-data failure (up to ₹200 cr). Processing a child’s data without verifiable parental consent, or tracking or targeting children.
  • SDF failure (up to ₹150 cr). A notified Significant Data Fiduciary skipping its DPO, audit or DPIA duties.
  • Other breaches (up to ₹50 cr). The residual category — defective notice, purpose creep, ignoring rights requests, missing contracts.
  • Data Principal duty breach (up to ₹10,000). An individual who impersonates, suppresses material facts, or files false complaints.
How the Board sets the number. It considers the nature, gravity and duration of the breach, the type and volume of data, whether harm resulted, and what the Fiduciary did to mitigate — genuine effort counts in your favour.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
The voluntary undertaking route
Voluntary undertaking (Section 32)
A commitment a Data Fiduciary offers, and the Board may accept, to take (or stop) specified action to remedy a matter — potentially avoiding a penalty for that matter.
  • A constructive off-ramp. Instead of a contested penalty, the Board can accept a promise to fix the problem.
  • Binding once accepted. An accepted undertaking is enforceable; the Fiduciary must do what it promised.
  • Breach reopens exposure. If the Fiduciary fails to honour the undertaking, the Board can proceed to penalise the underlying breach.
  • Encourages honesty. The route rewards organisations that come forward and cooperate rather than conceal.
  • Not a free pass. It applies to remediation, not to escaping accountability for serious harm.
Signal. The enforcement design favours cooperation and fixing problems over punishment for its own sake — another reason to be transparent when something goes wrong.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Appeals and the Tribunal
  • A right of appeal. A person aggrieved by a Board order can appeal to the Appellate Tribunal under Section 29.
  • Who hears it. The Appellate Tribunal function is performed by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
  • Time-bound and digital. The appeal process is designed to be efficient and largely online.
  • Onward to the courts. Tribunal decisions can be challenged before the higher judiciary.
  • Due process throughout. The chain — grievance, Board, Tribunal, courts — ensures decisions are reviewable, not final at first instance.
  • But prevention is cheaper. Litigation is slow and costly; the point of this course is to never need it.
Reassurance and warning. Enforcement is fair and appealable — but reaching the appeal stage means real cost, real distraction, and reputational damage already done.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
A breach at an NGO
Scenario
The stolen laptop
A field coordinator’s laptop, holding an unencrypted spreadsheet of 6,000 beneficiaries with phone numbers and bank details, is stolen from a bus. The theft is reported to the NGO director the same evening.
  • The failure. Storing sensitive data unencrypted on a mobile device is a lapse in reasonable security safeguards.
  • The clock starts now. Awareness triggers the 72-hour window to report to the Board.
  • Notify the people. The 6,000 affected must be warned so they can watch for fraud and change any compromised credentials.
  • Report to the Board. A detailed report — what happened, scope, likely harm, and remedial steps — goes to the Board within the window.
  • Mitigate. Remote-wipe if possible, reset access, and move to encrypted devices immediately.
  • What would have prevented it. Encryption, minimisation (why 6,000 records on one laptop?), and access controls.
Lesson. The severity here comes from two avoidable choices — no encryption and too much data in one place. Both are fixed before the crisis, not during it.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Children’s data used without consent
Scenario
The sponsorship photo campaign
An education NGO posts photos and first names of sponsored children, with their schools tagged, across social media to attract donors — without verifiable parental consent for online publication.
  • The failure. Publishing identifiable children’s data without verifiable parental consent, and in a way that could enable tracking or targeting.
  • Why it is serious. The Act singles out children’s data for the highest tier of protection and penalty (up to ₹200 crore).
  • The safeguarding angle. Naming a child and tagging their school creates a real child-protection risk, not just a legal one.
  • The fix. Obtain verifiable parental consent for each specific use; better still, use non-identifying images and no location tags.
  • Purpose creep. Photos taken for programme records were repurposed for fundraising — a separate purpose needing separate consent.
Lesson. ‘Impact’ and ‘marketing’ uses of children’s images are exactly where NGOs most often slip — and where the law is strictest.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Enforcement myths, corrected
MythFact
‘Non-profits are exempt from penalties.’The Act has no non-profit carve-out; duties and penalties apply to all Fiduciaries.
‘We’ll be fined ₹250 crore for any slip.’That is a ceiling for the worst failures; the Board sets penalties proportionate to gravity.
‘If we hide a breach, no one will know.’Concealment is itself a heavily penalised failure — up to ₹200 crore.
‘The Board will audit us out of the blue.’Action typically follows a complaint or a known breach, not random audits.
‘There’s no way to challenge a penalty.’Orders can be appealed to the Appellate Tribunal and the courts.
‘Cooperating makes no difference.’Mitigation and voluntary undertakings can reduce or avoid penalties.
Balanced view. Enforcement is real but proportionate. Honest, prepared organisations that fix problems have far less to fear than those that conceal them.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
10
Part Ten
What your NGO must do now
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Make a data map
Everything starts here. You cannot protect, retain or erase data you cannot locate. A data map is a simple inventory of what you hold and where.
ColumnWhat to record
Data typee.g. beneficiary survey, case files, donor list, HR records
FieldsThe actual data points collected (name, phone, health, bank…)
PurposeWhy you collect it and the lawful basis (consent / legitimate use)
LocationEvery place it lives: laptops, cloud, app, paper, inboxes, backups
AccessWho can open it
SharingWhich processors, partners or donors receive it
RetentionHow long you keep it and when it is deleted
Start small. A single spreadsheet, filled in over a week with your team, is enough. This one document underpins every other step in this part.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Write lawful consent forms and notices
  • Lead with purpose. State plainly what data you collect and exactly why.
  • Use plain, local language. Provide the notice in the language the person actually reads or speaks.
  • Unbundle. Separate essential data from optional uses (photos, case studies, mailing list) with their own tick boxes.
  • Name the rights. Tell people how to access, correct, erase, withdraw consent and complain — and to whom.
  • Give a contact. Include the name and contact of your grievance officer.
  • Handle children and guardians. Build in verifiable parental consent for anyone under 18 and guardian consent where relevant.
  • Record the consent. Capture what was agreed and when, so you can prove it later.
Reusable template. Draft one master consent-and-notice template, then adapt it per programme. Read it aloud in the local language as your quality test — if it embarrasses you, rewrite it.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Set a retention and deletion policy
  • Assign a period to each data type. Use the data map: decide, for each row, how long you genuinely need it.
  • Anchor to purpose and law. Keep programme data through the programme and its reporting; keep audit records for the legally required period; then delete.
  • Schedule deletions. Put a recurring calendar reminder to purge data whose period has ended — do not rely on memory.
  • Delete everywhere. Include backups, the survey app, staff inboxes and paper files in the deletion, not just the main database.
  • Instruct processors. Ensure vendors delete on the same schedule and on contract exit.
  • Log it. Record what was deleted and when, as evidence of compliance.
Culture shift. Move your organisation from ‘keep everything forever, just in case’ to ‘keep only what we need, for only as long as we need it’. Old data is liability, not an asset.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Build a breach-response plan
You cannot improvise a 72-hour response mid-crisis. Write a one-page plan now, so everyone knows what to do in the first hours.
01
Detect & report internally
02
Contain
03
Assess
04
Notify
05
Learn
  • Detect & escalate. Any staff member who suspects a breach tells a named person immediately.
  • Contain. Cut off access, reset passwords, remote-wipe devices, take down exposed links.
  • Assess. Determine what data, how many people, and what harm is likely.
  • Notify. Inform affected people without delay and the Board within 72 hours.
  • Learn. Fix the root cause so the same breach cannot recur.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Fix your processor and vendor contracts
  • List every vendor. From the data map, name every third party that stores or handles your data.
  • Check for a contract. Confirm each has a written agreement covering data handling; the Act requires one.
  • Include the essentials. Purpose limits, security standards, confidentiality, breach-notification to you, deletion on request and on exit, and control of sub-processors.
  • Check data location. Ask where each vendor stores data and confirm it is not in a restricted destination.
  • Prefer secure tools. Where a free tool cannot offer a contract or basic security, budget for one that can.
  • Review on renewal. Revisit vendor terms whenever you renew or change tools.
The quiet risk. Free survey apps, personal cloud drives and consumer messaging tools are where unmanaged processor risk hides. Bring each one under a contract or replace it.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Appoint a grievance officer and rights workflow
  • Name a person. Designate someone responsible for data-protection complaints and rights requests — and publish their contact.
  • Give them authority. Ensure they can actually access systems and instruct staff to act on a request.
  • Publish the channel. Put the contact on your consent forms, website and notice board so people know where to go.
  • Use the five-step workflow. Receive, verify, locate, act, record-and-reply — the process from Part 7.
  • Keep a register. Log every request and complaint with dates and outcomes — your evidence of compliance and good faith.
  • Set a turnaround. Commit to acknowledging quickly and resolving within the prescribed period.
Small NGO tip. This need not be a full-time role. In a small team it can be a defined responsibility of one senior staff member — what matters is that it is named, resourced and known.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Train your staff and build a culture
  • Everyone who touches data. Field workers, data-entry staff, finance, HR and volunteers all need the basics.
  • Teach the core habits. Collect only what is needed, explain purpose, lock devices, never share logins, report suspected breaches at once.
  • Make it concrete. Use your own scenarios — the open link, the stolen laptop, the sponsorship photo — not abstract theory.
  • Onboard and refresh. Cover data protection when people join, and refresh it annually.
  • Lead from the top. When leadership visibly follows the rules, staff do too.
  • Reward reporting, not concealment. Make it safe to raise a mistake early, when it can still be contained.
The real safeguard. Policies sit in a drawer; culture travels to the field. The strongest protection is a team that instinctively treats beneficiary data with care.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Your 90-day compliance checklist
Days 1–30: See it
• Build the data map.
• List all vendors and check for contracts.
• Name a grievance officer.
• Do a quick security sweep: passwords, device locks, open links.
Days 31–60: Fix it
• Rewrite consent forms and notices.
• Encrypt devices; remove shared logins; limit access.
• Draft the retention and deletion policy.
• Put missing vendor contracts in place.
Days 61–90: Sustain it
• Write and rehearse the breach-response plan. • Train all staff and volunteers. • Set up the rights-request register and turnaround. • Schedule recurring deletions and a quarterly review.
Momentum over perfection. A small team can complete this in a quarter. Do the visible-risk items first — open links, unencrypted laptops, missing contracts — then build the policies around them.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Questions NGOs ask
  • Are we really covered, as a small non-profit? Yes. The Act has no non-profit or small-size exemption for the core duties.
  • Do we need expensive software? No. Most duties are met with discipline, access controls and free security features you already have.
  • Is verbal consent enough? Consent must be free, specific, informed and unambiguous, with a clear affirmative action — and you must be able to show it was given, so record it.
  • Can we keep old data for future proposals? Only if you have a lawful basis and it is within your stated purpose and retention period; otherwise, delete it.
  • What if a donor wants beneficiary data? Share only with a lawful basis, a contract, and ideally aggregated or de-identified data.
  • Who do we call in a breach? Your named grievance officer starts the breach plan: contain, assess, notify people, report to the Board within 72 hours.
  • When does all this become enforceable? In phases through roughly 2026–27 — but the duties are fixed, so prepare now.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Clearing up the confusion
MythFact
‘DPDP is only for big tech companies.’It applies to any organisation processing personal data, including NGOs.
‘Consent once given lasts forever.’People can withdraw consent at any time, as easily as they gave it.
‘Anonymised means just removing the name.’True anonymisation is hard; rare attribute combinations can re-identify people.
‘Paper records are outside the law.’Once digitised — which is almost always — the duties apply.
‘A child is anyone under 13.’In India a child is anyone under 18, needing verifiable parental consent.
‘Using a foreign cloud moves data out of scope.’You remain the accountable Fiduciary wherever the data is hosted.
Common thread. Most myths shrink the law’s reach in wishful ways. When unsure, assume the duty applies and act accordingly.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Where to go next
  • The Digital Personal Data Protection Act, 2023. The primary text (Act No. 22 of 2023), available on the MeitY website — read the definitions and the Schedule.
  • The DPDP Rules, 2025. The operational detail and enforcement timeline, notified 13 November 2025 — check the latest version for commencement dates.
  • The Puttaswamy judgment (2017). The Supreme Court’s right-to-privacy decision that underpins the law.
  • Humanitarian data-responsibility guidance. Sector frameworks on handling personal data of affected populations, useful for field practice.
  • Child-safeguarding and data policies. Your own and partner organisations’ policies on children’s images and information.
  • Reputable legal explainers. Summaries from established law firms and privacy-research organisations for plain-language interpretation.
How to use these. Rely on this course for orientation and a plan; go to the primary Act and Rules — and qualified legal advice — before any decision with real legal consequences.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Key takeaways
You are covered
NGOs are Data Fiduciaries with real duties — no exemption
Start with a map
You cannot protect what you cannot locate
Prepare now
Duties phase in through 2026–27; the runway is short
  • Protect data because it protects people. Behind every record is a person who can be harmed by a leak — that is why this matters more for NGOs than for most.
  • Consent must be genuine. Free, specific, informed, unambiguous — and honoured when withdrawn.
  • Collect less, secure it, delete it on time. Minimisation, security and retention limits do most of the work.
  • Be ready for the 72-hour breach clock. A written plan beats a panicked scramble.
  • Children’s data is special. Under 18, verifiable parental consent, and never for tracking or careless publicity.
  • Do the 90-day plan. A small team can reach a strong baseline in a single quarter.
Final word. Data protection is not paperwork — it is the modern form of the sector’s oldest promise: do no harm to the people who trust you.
ImpactMojoData Protection & the DPDP Act 101www.impactmojo.in
Data Protection & the DPDP Act 101 · Complete
Protect the data.
Protect the person.
CC BY-NC-ND 4.0·Free Forever·ImpactMojo 101 Series