Digital Personal Data Protection Act 2023

The people you serve trust you with their data.
That trust deserves protection.

Your NGO holds health records, income data, survivor disclosures, children's information. The DPDP Act is now law — with penalties up to ₹250 crore. Know where you stand in 15 minutes.

⚡ DPDP Enforcement Timeline
Nov 2025 · Active now
IN FORCE
Rules Notified · Board Constituted
DPDP Rules 2025 gazetted 13 Nov. Data Protection Board of India formally established. Regulatory framework is live.
Nov 2026 · ~7 months
PREPARE NOW
Consent Management Obligations Live
Rule 4 activates. All consent mechanisms must be DPDP-compliant. Privacy notices must be updated across every data collection point.
May 2027 · ~13 months
FULL ENFORCEMENT
All Substantive Obligations Enforced
Security safeguards, 72-hour breach notification, rights of data principals, children's data rules, and penalties up to ₹250 crore — all enforceable.
The compliance case

This is now law — with teeth.

The DPDP Act covers every organisation that processes personal data of Indian citizens, including your NGO, regardless of size or registration type.

It is backed by the Data Protection Board of India — an active regulator with powers to investigate and fine. Every NGO that collects, stores, or shares digital personal data is a Data Fiduciary under the Act.

Consent, security, retention, and rights must all meet defined standards. Full enforcement kicks in May 2027 — the preparation window is open now.

⚠ Financial penalties under the DPDP Act 2023
Up to ₹250 Cr
Failure to implement required data security safeguards (Section 8)
Up to ₹200 Cr
Failure to notify the Board of a personal data breach within required window
Up to ₹200 Cr
Non-compliance with children's data processing obligations (Section 9)
Up to ₹50 Cr
Failure to fulfil data principal rights obligations within 90 days
The community trust case

"Data protection is not a compliance checkbox — it is a commitment to the dignity of every beneficiary who trusts your organisation with their story."

Survivors, children, patients, and informal workers share personal information because they trust your organisation to protect it. A data breach does not just create legal risk — it causes direct harm to the communities you exist to serve.

Children and minors under 18
The highest protection tier under DPDP. Any programme touching under-18s must obtain verifiable parental consent and cannot profile or monitor children's behaviour.
Section 9 · Verifiable parental consent · Up to ₹200 Cr penalty
Vulnerable adults and sensitive disclosures
Health, income, legal, and survival disclosures. A breach here doesn't just create legal risk — it directly harms the communities you exist to serve.
Data minimisation · Purpose limitation · Consent obligations
Field data that outlasts the programme
Records from closed programmes sit in old spreadsheets and servers for years. DPDP requires deletion once purpose is served — and documented proof that it happened.
Retention schedules · Erasure obligations · Rule 8
Why NGOs face particular exposure

The social sector collects the most sensitive data — often with the least protection in place.

NGOs collect data across programmes, M&E systems, and partner databases — without dedicated privacy staff or IT infrastructure. The DPDP Act provides no exemption.

📋
Multi-programme data silos
Multiple programmes, separate systems, no unified data governance. Each programme is its own compliance surface.
Common gap → no unified data register
🤝
Partner and government data flows
Data shared with government systems, hospital partners, or co-implementing NGOs requires Data Processing Agreements — which most NGOs have never put in place.
Common gap → no DPAs with partners or vendors
📱
Field technology without oversight
KoBoToolbox, ODK, Google Forms, WhatsApp, field staff's personal phones — all process personal data and all require contractual agreements under the Act.
Common gap → no systems inventory or access controls
📁
Legacy data without deletion policies
Records from ended programmes sit in servers and filing cabinets for years. DPDP requires active retention limits and documented deletion.
Common gap → no retention schedule or deletion process
📝
Consent forms that miss the mark
Most NGO consent forms were built for IRB or funders — not DPDP. They lack purpose statements, retention periods, and rights language. Every form needs reviewing before Nov 2026.
Common gap → non-compliant consent and notice processes
🔐
No breach response plan
Breach notification to the Board is mandatory — regardless of scale. Most NGOs have no documented response procedure for a lost laptop or compromised database.
Common gap → no incident response procedure
"The communities we serve trusted us with their stories long before any law required it. DPDP compliance is how we formalise that trust — and honour it."
Tech4Dev · DPDP Advisory Practice · 2025
Who can use this tool

Built for the social sector.

Built around how social sector organisations actually collect, process, and share personal data — with guidance calibrated to your sector's specific risks.

🏥
Health & Nutrition
Patient records, treatment data, maternal health, clinical data across field programmes and hospital partnerships.
📚
Education
Schools, EdTech NGOs, learning programmes — all collecting children's data at the highest protection tier under DPDP.
💼
Livelihoods & Skilling
Financial data, bank details, Aadhaar-linked records, and livelihood profiles from vulnerable communities.
⚖️
Gender & SRHR
Survivor disclosures, GBV case records, SRHR data — the most sensitive data in the sector.
Disability Inclusion
Health, functional, and care data — often with legally appointed guardians involved in consent.
🤝
Humanitarian Response
Beneficiary registries, displacement records, vulnerability data — often under emergency conditions with limited governance.
What the assessment covers

In 15 minutes, know exactly where you stand — and what to fix first.

25 questions across 5 DPDP compliance areas. Your score renders instantly. An AI-generated 30/90/365-day action plan follows — downloadable as a PDF for your board and funders.

SECTION 01
Data Collection & Consent
Notice requirements, children's consent, consent records, data minimisation, and withdrawal process.
5 questions · 10 pts
SECTION 02
Data Storage & Security
Data inventory, access controls, role-based permissions, retention schedules, and backup procedures.
5 questions · 10 pts
SECTION 03
Data Usage & Sharing
Purpose limitation, partner agreements, secure transmission, cross-border hosting, and vendor due diligence.
5 questions · 10 pts
SECTION 04
Rights of Individuals
Access requests, correction, erasure, grievance mechanisms, and timely response within DPDP deadlines.
5 questions · 10 pts
SECTION 05
Governance & Processes
Designated responsibility, written privacy policy, staff training, breach response plan, and periodic review.
5 questions · 10 pts
SCORING
Readiness Bands
0–20 · High Risk   21–35 · Basic   36–45 · Moderate   46–50 · Strong
Max score: 50
Sector Insights

How the sector is faring.

Aggregated from submitted assessments. Sectors shown once 3+ organisations have completed.

See where your organisation stands.
Complete the self-assessment to add your data to these sector benchmarks — and get your personalised compliance roadmap.
Advisory Services

Need guidance beyond the assessment?

Three levels of engagement — from a structured light review to a full implementation partnership.

TIER 1 · SELF-DIRECTED
Assessment + AI Roadmap
25-question assessment, instant scoring, question-level breakdown, and an AI-generated 30/90/365-day roadmap. Downloadable PDF report included.
TIER 2 · LIGHT ADVISORY
Facilitated Review + Templates
Half-day facilitated workshop, data flow mapping, DPDP-compliant policy and consent templates, and 30-day async Q&A with a Tech4Dev advisor.
TIER 3 · DEEP ADVISORY
Implementation Partnership
3-month fractional CxO engagement: full readiness assessment, governance design, vendor contract review, policy drafting, and staff training.

Request a DPDP Consult

Tell us about your organisation and we'll be in touch within 2 working days.

Take the free assessment →