The Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data privacy law. While much of the public discourse has focused on its impact on tech companies and e-commerce platforms, the Act applies equally to NGOs and charitable organisations that collect and process personal data — including donor information, beneficiary records, and volunteer details.
This guide explains what the DPDPA means for Indian NGOs and how to prepare for compliance.
Does DPDPA Apply to NGOs?
Yes. The DPDPA applies to every entity that processes "digital personal data" — which means any personal data collected in digital form or digitised from physical form. If your NGO:
- Collects donor names, email addresses, phone numbers, or PAN numbers
- Maintains a donor database in a spreadsheet, CRM, or software system
- Stores beneficiary records (names, addresses, health data, income data)
- Collects volunteer information
- Uses email marketing or WhatsApp communication
Then the DPDPA applies to your organisation.
Key Concepts Under DPDPA
Data Principal
The individual whose data is being processed. In your context, this is your donor, beneficiary, or volunteer.
Data Fiduciary
The entity that determines the purpose and means of processing. Your NGO is the data fiduciary.
Consent
You must obtain free, specific, informed, unconditional, and unambiguous consent, given through a clear affirmative action, before processing personal data. Consent is tied to the purpose stated in the notice: you cannot use the data for any other purpose without obtaining fresh consent, and a donor who gave an email address for a receipt has not thereby consented to a newsletter.
Legitimate Use
Certain processing activities are permitted without consent as "legitimate uses" — for example, processing for the purpose for which an individual voluntarily gave you their data, processing required by law (such as filing Form 10BD with donor PAN details), or processing in response to a medical emergency. Document which legitimate use you are relying on for each such activity; it is your basis for processing when no consent record exists.
What NGOs Need to Do
1. Audit Your Data Collection
Start by mapping all the personal data your NGO collects:
- Donors: Name, email, phone, PAN, address, donation history, payment details
- Beneficiaries: Name, age, gender, address, income, health records, family details
- Volunteers: Name, email, phone, identity proof, emergency contact
- Employees: All HR data
For each data point, document why you collect it, where it is stored, who has access, and how long you retain it.
2. Obtain Proper Consent
Review your donation forms, sign-up pages, and data collection processes. Ensure that:
- You have a clear consent mechanism (checkbox, digital signature, etc.)
- The consent notice explains what data you collect and why
- Consent is not bundled with terms and conditions — it must be separate
- Donors and beneficiaries can withdraw consent as easily as they gave it (an unsubscribe link or a one-click option on the same form, not a letter to head office)
3. Implement a Privacy Policy
Publish a clear privacy policy on your website that explains:
- What personal data you collect and why
- How you use the data
- Who you share it with (payment gateways, government departments, etc.)
- How long you retain the data
- How individuals can exercise their rights (access, correction, erasure, grievance)
4. Enable Data Principal Rights
Under DPDPA, your donors and beneficiaries have the right to:
- Access: Request a summary of their personal data and how it is being processed.
- Correction: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of their data when it is no longer needed for the purpose it was collected. Note that erasure does not override retention required by law: a donor's PAN and donation records must still be kept for as long as income-tax rules require, and your process should say so rather than silently refusing.
- Grievance redressal: File a complaint if they believe their data is being mishandled.
- Nominate: Nominate another individual to exercise their rights in case of death or incapacity.
You must have a process in place to handle these requests within a reasonable timeframe.
5. Appoint a Data Protection Officer or Grievance Officer
The Act makes a Data Protection Officer (DPO) mandatory only for entities the government notifies as Significant Data Fiduciaries, which few NGOs will be. Every data fiduciary, however, must publish the contact details of a person able to answer data principals' questions about their data, and must offer a grievance redressal mechanism. Designate a named staff member for data privacy matters and put their contact point on your website and privacy policy.
6. Implement Data Security Measures
Protect the personal data you hold with reasonable security measures:
- Encrypt the database and its backups at rest, and use TLS for every connection to it (your website, CRM, and any export or reporting tool)
- Limit access to personal data to only those staff who need it for their role; a fundraiser rarely needs to see a PAN number, and a volunteer coordinator does not need donor records at all
- Use strong, unique passwords and two-factor authentication on every account that can reach donor or beneficiary data, including the email and cloud admin accounts that can reset the others
- Back up your data regularly, test that a restore actually works, and protect backups as carefully as the live data, since they hold the same personal data
- Keep a log of who accessed or changed personal data, and have an incident response plan for data breaches before you need it
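As an added illustration (this is example code written for this guide, not code from the original article or from Donateazy), the script below turns three of the controls above, and the erasure caveat from step 4, into a small runnable model: a finance role sees the PAN in clear because it needs it for Form 10BD, a fundraising role sees it masked, a volunteer role is refused, every read and erasure attempt is written to an audit log, and an erasure request is honoured only once the record is past the retention period. The role names, the 8-year retention period, and all donor records are constructed assumptions.

```python
# Added example, not code from the original article or from Donateazy.
# Minimal in-memory donor store showing least-privilege reads, an audit
# trail, and a retention-aware erasure check. Roles, the retention period
# and the sample donors are constructed assumptions for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_DAYS = 8 * 365                          # assumed NGO policy, not a figure from the Act
ROLES_WITH_ACCESS = {"finance", "fundraising"}    # hypothetical roles
ROLES_SEEING_PAN = {"finance"}                    # PAN in clear only here (needed for Form 10BD)
FIELDS = ("name", "email", "phone", "pan", "last_donation")


def mask_pan(pan: str) -> str:
    """Keep only the last four characters of a 10-character PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Donor:
    donor_id: str
    name: str
    email: str
    phone: str
    pan: str
    last_donation: date


@dataclass
class DonorStore:
    donors: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (date, user, role, donor_id, action)

    def add(self, donor: Donor) -> None:
        self.donors[donor.donor_id] = donor

    def get(self, donor_id: str, role: str, user: str, today: date) -> dict:
        """Return the record with PAN masked unless `role` may see it.
        Denied attempts are logged too, so the trail shows probing."""
        if role not in ROLES_WITH_ACCESS:
            self.audit_log.append((today, user, role, donor_id, "DENIED"))
            raise PermissionError(f"role {role!r} may not read donor records")
        d = self.donors[donor_id]
        record = {name: getattr(d, name) for name in FIELDS}
        if role not in ROLES_SEEING_PAN:
            record["pan"] = mask_pan(d.pan)
        self.audit_log.append((today, user, role, donor_id, "READ"))
        return record

    def due_for_erasure(self, today: date) -> list:
        """IDs whose last donation is older than the retention period."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return sorted(d.donor_id for d in self.donors.values() if d.last_donation < cutoff)

    def erase(self, donor_id: str, user: str, today: date) -> None:
        """Honour an erasure request, but refuse (and log the refusal) while
        the record is still inside the retention period needed for tax filings."""
        if donor_id not in self.due_for_erasure(today):
            self.audit_log.append((today, user, "-", donor_id, "ERASE_REFUSED"))
            raise ValueError(f"{donor_id} is still within the retention period")
        del self.donors[donor_id]
        self.audit_log.append((today, user, "-", donor_id, "ERASED"))


def build_sample_store() -> DonorStore:
    """Two constructed donors; names, PANs and contact details are made up."""
    store = DonorStore()
    store.add(Donor("D1", "Asha Rao", "asha@example.org", "9800000001", "ABCDE1234F", date(2023, 6, 15)))
    store.add(Donor("D2", "Ravi Menon", "ravi@example.org", "9800000002", "PQRST5678K", date(2015, 3, 1)))
    return store


def run_demo(today: date = date(2024, 1, 1)) -> dict:
    """Exercise the store and return the observable results."""
    store = build_sample_store()
    finance_view = store.get("D1", "finance", "finance.user", today)
    fundraising_view = store.get("D1", "fundraising", "fr.user", today)
    try:
        store.get("D1", "volunteer", "vol.user", today)
        volunteer_denied = False
    except PermissionError:
        volunteer_denied = True
    due = store.due_for_erasure(today)
    try:
        store.erase("D1", "dpo", today)      # donated in 2023: still within retention
        early_erase_refused = False
    except ValueError:
        early_erase_refused = True
    store.erase("D2", "dpo", today)          # last donation 2015: past retention, allowed
    return {
        "finance_pan": finance_view["pan"],
        "fundraising_pan": fundraising_view["pan"],
        "volunteer_denied": volunteer_denied,
        "due_before_erase": due,
        "early_erase_refused": early_erase_refused,
        "remaining": sorted(store.donors),
        "audit_actions": [entry[-1] for entry in store.audit_log],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same shape maps onto a real CRM or spreadsheet export: the role table decides which columns a user may see, the audit list becomes an append-only log table, and the retention cutoff is whatever period your auditor confirms the tax rules require.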
7. Data Breach Notification
If a personal data breach occurs (unauthorised access, loss, alteration, or disclosure of personal data, or loss of access to it), you must notify the Data Protection Board of India and each affected individual in the form and manner the rules prescribe. Have a breach response plan ready before an incident occurs: who decides it is a breach, who drafts the notification, and where the access logs needed to establish what was exposed are kept.
8. Review Third-Party Sharing
If you share donor or beneficiary data with third parties (payment gateways, email service providers, WhatsApp Business API providers, cloud hosting), remember that your NGO remains the data fiduciary and stays responsible for how those processors handle the data. Ensure:
- You have a valid contract (a data processing agreement) with each third party; the Act permits engaging a data processor only under one
- The third party provides adequate security, and you can get the data back or deleted when the relationship ends
- Data is shared only for the specific purpose consented to by the data principal, and only the fields that purpose needs
Penalties Under DPDPA
The DPDPA provides for significant penalties:
- Failure to take reasonable security measures: up to Rs 250 crore
- Failure to notify the Board of a data breach: up to Rs 200 crore
- Any other breach of the Act or its rules (including obligations towards data principals): up to Rs 50 crore
While these maximum penalties are aimed at large corporations, NGOs are not exempt. The Board sets the actual penalty after weighing the nature, gravity, and duration of the violation, the type of data affected, and whether the organisation took steps to mitigate the harm, so a documented, working compliance programme matters even if it is not perfect.
How Donateazy Helps With DPDPA Compliance
Donateazy is designed with data privacy at its core:
- Consent management: Donation forms include consent checkboxes with clear privacy notices.
- Data subject requests: A built-in data request portal allows donors to submit access, correction, or deletion requests.
- Encryption: All donor data is encrypted at rest and in transit.
- Access controls: Role-based permissions ensure only authorised staff can access sensitive data.
- Data retention policies: Configure automatic data retention periods for different types of data.
- Audit trail: Every data access and modification is logged for accountability.
The DPDPA is a significant shift in India's data protection landscape, and NGOs must take it seriously. Start with a data audit, fix your consent mechanisms, publish a privacy policy, and choose tools that are built with privacy in mind. Get in touch if you need help getting your NGO DPDPA-ready.