DPDP Act 2023 & DPDP Rules 2025 and How to be Ready

DPDP Act 2023 & DPDP Rules 2025 and How to be Ready

You can read the information below in over 15 languages! Simply use the translation tool in the top-left corner of the screen to select your preferred language, including অসমীয়া, বাংলা, ગુજરાતી, हिन्दी, ಕನ್ನಡ, മലയാളം, मराठी, মৈতৈলোন্, नेपाली, ଓଡ଼ିଆ, ਪੰਜਾਬੀ, संस्कृतम्, தமிழ், తెలుగు, and اُردُو.

Table of Contents

Why DPDP Act is relevant for NPOs

Coverage of DPDP Act (DPDPA) & Implementation Schedule

Applicability

  1. when Personal Data is collected online from Data Principals, and
  2. when Personal Data is collected offline (non digital) and subsequently transferred to a digital form.

The Act also covers processing personal data outside of India if that processing is related to profiling people in India or offering goods and services to data principals in India.

Not Applicable

  1. Personal data for personal or domestic purpose
  2. Personal data made public e.g. blogging

Implementation Timelines

Definitions

2 Key Parts of Data Privacy Law i.e. DPDPA

  1. Privacy Notice: by Data Fiduciary to data principal. The notice should provide information about data collection i.e. type of data being collected, for lawful purpose, access to data (user rights), process for withdrawing consent, procedure for grievance redressal, details of DPO/POC and how to file a complaint with the Data Protection Board. Language of notice (English or 22 languages in Eighth Schedule)
  2. Verifiable Consent: by data principal to Data Fiduciary. Consent for collecting and processing data for specific lawful purpose should be free, specific, informed, unconditional and clear affirmative action (demonstrable), revocable.

Content of Notice

The notice should contain:

Obligation of Data Fiduciary

Children's data / data of PWD

Rights & Duties of Data Principal

Rights

Duties

furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB etc. For any breach in such duties, the data principals may be penalized up to INR 10,000.

Legitimate Uses Without Consent

Exemptions/Exceptions

Penalties

Levied for offences under DPDP by DPB considering: nature, gravity and duration of breach, type of personal data affected, repetitive nature of breach, realized gain or avoided loss due to breach etc.

No compensation to Data Principal if personal data gets compromised.

NGO Compliance Checklist