Draft Digital Personal Data Protection Rules (Implications on NPOs)

The Digital Personal Data Protection Act (DPDPA) was passed by the Indian Parliament in August 2023, but is not yet fully operational. While the Act itself is in place, detailed implementing Rules and the establishment of the Data Protection Board of India are still pending. The DPDPA aims to provide a comprehensive legal framework for protecting digital personal data in India.

Draft Rules released
The Ministry of Electronics and Information Technology has released draft rules for the DPDP Act in January 2025. The government has solicited feedback on the draft rules from various stakeholders, including businesses, NPOs, and the public. The government is expected to release the final rules after considering public feedback and establish the Data Protection Board.
Once the Act is fully operational, companies (including NPOs) and individuals will be bound by its provisions, which include data processing consent, data security measures, and data subject rights.
DPDP Rules
The Digital Personal Data Protection (DPDP) Rules, 2023 (DPDP Rules), were introduced by the Ministry of Electronics and Information Technology (MeitY), Government of India, in early January 2025. This followed the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act), on August 11, 2023.
The DPDP Rules shall come into effect in a phased manner. The exact dates for the implementation of different provisions will be notified by the government, which has assured allowing organizations “enough time to adapt their processes to comply with the law.”
The DPDP Act read with DPDP Rules is set to provide a comprehensive framework for digital personal data protection, emphasizing the principles of compliance with the law, transparency, and accountability. For NPOs, these rules present both opportunities and challenges. By proactively adopting best practices and ensuring compliance, NPOs can reinforce their credibility and trustworthiness in the eyes of beneficiaries, donors, and all stakeholders.
Overview of the DPDP Act
The DPDP Act introduces two essential roles in the realm of data governance:
- Data Fiduciaries: These are entities, including organizations, businesses, or individuals, that collect, process, or store personal data. An NPO that collects personal data in digital modes can be a Data Fiduciary under the DPDP Act. A Data Fiduciary (including an NPO) is responsible for ensuring that personal data is handled in compliance with the law. Their obligations include obtaining explicit consent for collecting and processing personal data, implementing data security measures, and respecting the rights of individuals whose data they process.
- Data Principals: This term refers to the individuals whose personal data is collected or processed. A beneficiary of an NPO’s programs whose personal data is collected for monitoring, evaluation or program delivery is a Data Principal under the DPDP Act.
Rights of the Data Principal under DPDP
A Data Principal has specific rights under the DPDP Act read with Rules, such as the right to access, correct, or erase their data. They are at the centre of the regulatory framework, emphasizing the importance of individual privacy and control over personal information.
Implications for NPOs
- NPOs shall be classified as Data Fiduciaries since NPOs often collect and process personal data from beneficiaries, donors, and stakeholders, making compliance essential under the DPDP Rules.
- The DPDP Act continues to hold the Data Fiduciary responsible even for data breaches or non-compliance by Data Processors, and mandates that contracts between Data Fiduciaries and Data Processors must reflect this responsibility.
Compliances under the DPDP Rules applicable to NPOs:
- NPOs must obtain explicit and informed consent from individuals (Data Principals) before collecting or processing their personal data. This consent must clearly outline the purpose of data collection, the retention period, and whether the data will be shared with third parties, such as partner organizations, donors or service providers.
- NPOs must implement reasonable security measures, including encryption, controlled access, and regular system monitoring. If NPOs rely on third-party service providers (Data Processors) for data handling, they must ensure these entities also comply with the same security standards, and must put in place appropriate checks of that compliance.
- NPOs shall be required to provide detailed information to Data Principals about their data processing practices. This includes specifying the purpose of data collection, the rights of individuals under the DPDP Act, and providing contact details for someone responsible for addressing queries related to data processing.
- The DPDP Rules also emphasize data minimization and retention limitation, requiring NPOs to collect only the personal data necessary for their stated purposes. Data must be retained only for as long as it is required by law or operational necessity. Once the purpose has been fulfilled, NPOs are expected to delete the data, ensuring that unnecessary retention does not compromise individual privacy.
- In cases where NPOs process personal data without explicit consent, as permitted by certain exceptions under the DPDP Act (such as compliance with legal obligations), they must notify the Data Principals about the processing activity. The notification should include information about the processing and provide a communication channel, such as a website or contact point, where individuals can exercise their rights under the DPDP Act.
- NPOs shall appoint a Data Protection Officer (DPO) to ensure compliance with the DPDP Rules. The DPO shall play a critical role in overseeing data protection strategies, monitoring compliance, and acting as the point of contact for grievances related to personal data processing. For NPOs, the DPO ensures that data collection, storage, and usage align with the principles of legal compliance, transparency, and accountability. The DPO is also responsible for conducting regular audits, training staff, and coordinating with the relevant authorities to address potential breaches or violations.
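The consent and retention obligations above (recording purpose, retention period and third-party sharing at the point of consent; collecting only the data a purpose needs; deleting records once the retention period has lapsed or consent is withdrawn) are easier to operate when they are bookkept rather than left to memory. The following is an added example, not code from the original article or from any NPO's system: a small beneficiary register in which the purposes, field sets, retention periods, partner names and beneficiary IDs are all constructed assumptions chosen for illustration.

```python
"""Consent + retention bookkeeping for an NPO beneficiary register (added example).

All purposes, field names, retention periods and IDs below are constructed
assumptions for illustration, not values from the DPDP Act or Rules.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ConsentRecord:
    """What the Data Principal agreed to: purpose, retention period, third-party sharing."""
    principal_id: str
    purpose: str
    collected_on: date
    retention_days: int                                  # assumed retention period for this purpose
    shared_with: list[str] = field(default_factory=list)  # e.g. a partner organisation (hypothetical)
    withdrawn: bool = False                              # set when the Data Principal withdraws consent

    def expires_on(self) -> date:
        return self.collected_on + timedelta(days=self.retention_days)


# Fields each (hypothetical) purpose genuinely needs; anything else is dropped at intake.
PURPOSE_FIELDS = {
    "programme_delivery": {"name", "village", "phone"},
    "monitoring_evaluation": {"village", "age_band"},
}


def minimise(data: dict[str, str], purpose: str) -> dict[str, str]:
    """Data minimisation: keep only the fields the stated purpose requires."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in data.items() if k in allowed}


def principals_due_for_erasure(consents: list[ConsentRecord], today: date) -> set[str]:
    """Retention limitation: a record is due for erasure once its retention period
    has elapsed or the Data Principal has withdrawn consent."""
    return {c.principal_id for c in consents if c.withdrawn or today >= c.expires_on()}


def erase_expired(store: dict[str, dict[str, str]],
                  consents: list[ConsentRecord],
                  today: date) -> list[str]:
    """Delete records whose retention has lapsed; returns the IDs erased (for the audit log)."""
    due = principals_due_for_erasure(consents, today)
    erased = sorted(pid for pid in store if pid in due)
    for pid in erased:
        del store[pid]
    return erased


# Constructed sample data (not real beneficiaries).
SAMPLE_CONSENTS = [
    ConsentRecord("B001", "programme_delivery", date(2024, 1, 10), 365, shared_with=["partner-ngo"]),
    ConsentRecord("B002", "monitoring_evaluation", date(2024, 6, 1), 730),
    ConsentRecord("B003", "programme_delivery", date(2024, 9, 15), 365, withdrawn=True),
]

SAMPLE_STORE = {
    "B001": {"name": "A", "village": "V1", "phone": "000"},
    "B002": {"village": "V2", "age_band": "18-25"},
    "B003": {"name": "C", "village": "V3", "phone": "111"},
}


def run_retention_job(today: date) -> tuple[dict[str, dict[str, str]], list[str]]:
    """Run the purge against a copy of the sample store so the call is repeatable."""
    store = {k: dict(v) for k, v in SAMPLE_STORE.items()}
    erased = erase_expired(store, SAMPLE_CONSENTS, today)
    return store, erased


if __name__ == "__main__":
    intake = minimise({"name": "A", "village": "V1", "phone": "000", "religion": "x"},
                      "programme_delivery")
    print("minimised intake:", intake)
    remaining, erased = run_retention_job(date(2025, 2, 1))
    print("erased:", erased, "remaining:", sorted(remaining))
```

Two design points worth noting: the retention period is tied to the consent record rather than to the data row, so a change of purpose requires fresh consent rather than a silent extension, and the purge returns the list of erased IDs so that deletion itself leaves an audit trail without retaining the personal data it removed.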
Processing data of Child and Person with Disability
The Draft DPDPR requires the Data Fiduciary to obtain verifiable consent from a parent or lawful guardian before processing the personal data of a minor or a person with a disability. The fiduciary must also ensure due diligence to verify that the individual claiming to be the parent or guardian is an adult and, if necessary, can be identified through reliable age and identity details. For lawful guardians, verification must include confirmation that the guardian was appointed by a court or relevant authority.
Exemptions from obtaining verifiable consent & tracking of children
The Draft DPDPR exempts certain Data Fiduciaries from the requirement of obtaining verifiable consent and from the restrictions on tracking children and monitoring their behaviour in certain cases. The Data Fiduciaries so exempted inter alia include:
- Clinical establishments, mental health establishments or healthcare professionals when providing health services to the extent necessary for protection of health.
- Allied healthcare professionals when processing of data is to support implementation of any healthcare treatment to the extent necessary for protection of health.
- Educational institutions when processing is for behaviour monitoring and tracking for the educational institute’s activities or in the interest of safety of children enrolled with the institution.
Exemptions of applicability for research, archiving or statistical purposes
When processing is carried out for research, archiving or statistical purposes, the provisions of the DPDPA do not apply, provided that such processing is, inter alia, carried out in a lawful manner, limited to the personal data necessary for those uses, done with reasonable efforts to ensure the accuracy of the personal data, and accompanied by reasonable security safeguards to prevent a personal data breach.
NPOs should undertake the following to ensure compliance under the DPDP Rules:
- Conduct a Data Audit: NGOs should map their data collection, storage, and processing practices to identify gaps and ensure alignment with the DPDP Act and Rules.
- Update Policies and Procedures: Privacy policies, consent forms, and internal guidelines should be revised to reflect the transparency and accountability requirements under the DPDP Act and Rules.
- Build capacity of Stakeholders: Educate the staff, volunteers, and other stakeholders on data protection principles in order to foster a culture of compliance.
- Leverage Technology: Invest in technology solutions to simplify and streamline compliance tasks, from maximising the privacy of data to monitoring data access.
- Appoint Data Protection Officer (DPO): To oversee data protection strategies and ensure compliance.
- Establish communication channel: For individuals to exercise their rights under the DPDPA.