A constitutional right, now backed by statute
On November 13, 2025, India’s Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), operationalizing key provisions of the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
For organizations operating in India—companies, nonprofits, social enterprises, impact investors—this is a structural shift. Data protection is no longer a “policy document” issue. It touches program delivery, HR, vendor management, technology systems, governance, and reputation.
The roots go back to 2017, when India’s Supreme Court recognized privacy as a fundamental right. The DPDP framework gives that right operational force through enforceable duties and individual rights.
Key terms: “Data Principal” and “Data Fiduciary”
The DPDP framework centers individuals (“Data Principals”) and assigns accountability to organizations (“Data Fiduciaries”). If you determine the purpose and means of processing personal data, you are likely acting as a Data Fiduciary.
Personal data is defined broadly: any data that can identify an individual. Processing may be permitted for certain “legitimate uses,” but consent remains the primary basis outside limited grounds.
Consent is the cornerstone—and it must be usable
Under the DPDP framework, consent should be clear, informed, affirmative, and purpose-specific. In practice, this raises the bar for “boilerplate” notices and one-time consent that silently expands over time.
This is especially relevant for nonprofits and development organizations working with the same communities across multiple projects. If your purpose changes (for example, from financial inclusion to health services), you may need fresh consent aligned to the new purpose.
Format matters less than comprehension. Digital or paper consent is secondary to whether people actually understand what they are agreeing to—and can withdraw consent or complain through the channels you provide.
Data mapping is now a compliance requirement, not a nice-to-have
If you do one thing first, make it this: map your data. Specifically: what you collect, from whom, for what purpose, where it lives, who has access, who you share it with, and how long you retain it.
The DPDP Rules reinforce that assumptions and inherited practices are not defensible. Your compliance posture needs to be auditable.
Retention and deletion are purpose-led—and operationally demanding
Unlike regimes that prescribe fixed retention periods across the board, the DPDP framework uses a purpose-based principle: keep personal data only as long as necessary for the stated purpose (or to meet legal obligations).
That pushes organizations toward systems that can track:
- purpose-by-dataset,
- retention timelines,
- withdrawal/erasure requests, and
- defensible deletion workflows.
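The data-mapping fields listed above (what, from whom, for what purpose, where, who has access, shared with whom, how long) and the purpose-led retention tracking described in this section can be made concrete in a small inventory model. The following is an added illustration, not code from the article or from GameChanger Law Advisors or ANDE: each data-map row carries its purpose, processors and consent state, and deletion due dates are derived from purpose completion or consent withdrawal rather than a fixed calendar period, with an audit entry for each deletion. Dataset names, purposes, dates, the processor contract references and the 30-day erasure window are constructed assumptions, not statutory figures.

```python
"""Purpose-led data map and retention scheduler (added illustration; not from the
article or from GameChanger Law Advisors / ANDE). All names, dates and the 30-day
grace window are constructed examples, not statutory figures."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DatasetRecord:
    """One row of the data map: what, from whom, why, where, who, shared with, how long."""
    dataset: str
    collected_from: str
    purpose: str
    storage: str
    access: list[str]
    # processor name -> contract reference; None means no written contract on file
    shared_with: dict[str, str | None] = field(default_factory=dict)
    purpose_ended: date | None = None      # stated purpose was fulfilled on this date
    consent_withdrawn: date | None = None  # principal withdrew consent on this date
    legal_hold_until: date | None = None   # a separate legal obligation requires keeping it
    grace_days: int = 30                   # assumed internal window to complete erasure


def inventory_gaps(rec: DatasetRecord) -> list[str]:
    """Flag rows that would not survive an audit: no purpose, no access list, undocumented processor."""
    gaps: list[str] = []
    if not rec.purpose.strip():
        gaps.append("no stated purpose")
    if not rec.access:
        gaps.append("no access list")
    for processor, contract in rec.shared_with.items():
        if contract is None:
            gaps.append(f"processor {processor!r} has no contract reference")
    return gaps


def deletion_trigger(rec: DatasetRecord) -> tuple[date, str] | None:
    """Earliest event that ends the basis for keeping the data, with its reason."""
    events = []
    if rec.purpose_ended:
        events.append((rec.purpose_ended, "purpose fulfilled"))
    if rec.consent_withdrawn:
        events.append((rec.consent_withdrawn, "consent withdrawn"))
    return min(events) if events else None


def deletion_due(rec: DatasetRecord) -> date | None:
    """Due date derived from purpose/consent, never from a fixed period; a legal hold may postpone it."""
    trigger = deletion_trigger(rec)
    if trigger is None:
        return None  # purpose still active and consent intact: retention continues
    due = trigger[0] + timedelta(days=rec.grace_days)
    if rec.legal_hold_until and rec.legal_hold_until > due:
        due = rec.legal_hold_until
    return due


def deletion_queue(inventory: list[DatasetRecord], today: date) -> list[tuple[str, str]]:
    """Datasets whose deletion is due on or before `today`, as (dataset, ISO due date)."""
    due_rows = [(rec.dataset, d) for rec in inventory
                if (d := deletion_due(rec)) is not None and d <= today]
    return [(name, d.isoformat()) for name, d in sorted(due_rows, key=lambda row: row[1])]


def deletion_log_entry(rec: DatasetRecord, today: date, actor: str) -> dict[str, object]:
    """Audit record that makes a deletion defensible: why, when, by whom, and every copy location."""
    trigger_date, reason = deletion_trigger(rec)  # only call for records that are due
    return {
        "dataset": rec.dataset, "purpose": rec.purpose, "reason": reason,
        "trigger_date": trigger_date.isoformat(), "due_date": deletion_due(rec).isoformat(),
        "deleted_on": today.isoformat(), "by": actor,
        # erasure must be confirmed in our own store and at every processor holding a copy
        "locations": [rec.storage, *rec.shared_with],
    }


# Constructed sample inventory for a hypothetical development organisation.
SAMPLE_INVENTORY = [
    DatasetRecord("fi_enrolment_2024", "SHG members, district A", "financial inclusion enrolment",
                  "cloud CRM", ["programme team"], {"crm-vendor": "DPA-2024-07"},
                  purpose_ended=date(2025, 9, 30)),
    DatasetRecord("health_camp_2025", "same community, district A", "health services outreach",
                  "field tablets + shared drive", ["field team", "M&E"], {"analytics-vendor": None}),
    DatasetRecord("testimonials_2023", "beneficiaries who gave video consent", "donor communications",
                  "media library", ["comms"], consent_withdrawn=date(2025, 10, 15)),
    DatasetRecord("payroll_2022", "staff", "payroll", "HR system", ["HR"],
                  purpose_ended=date(2023, 3, 31),
                  legal_hold_until=date(2031, 3, 31)),  # made-up hold date, not a statutory period
]


def run_sample(today_iso: str) -> list[tuple[str, str]]:
    """Evaluate the sample inventory as of an ISO date (strings in, strings out)."""
    return deletion_queue(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(rec.dataset, "gaps:", inventory_gaps(rec) or "none", "due:", deletion_due(rec))
    print(run_sample("2025-11-13"))
```

Two design points matter here. First, `deletion_due` returns `None` while the purpose is still active, so nothing is deleted on a calendar schedule alone; the same community's health-camp data stays live until its own purpose ends, independently of the earlier financial-inclusion dataset. Second, the log entry lists every location holding a copy, including processors, so "deleted" can be verified rather than asserted, and `inventory_gaps` surfaces a processor with no contract on file before that dataset ever reaches the deletion queue.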
Vendor contracts and security safeguards are no longer optional
The Rules also tighten expectations for Data Processors (vendors handling personal data on your behalf). Informal arrangements—especially common with cloud tools, CRMs, WhatsApp-based workflows, and analytics vendors—create risk.
Organizations should review vendor contracts to ensure they reflect statutory duties, including reasonable security safeguards and clear allocation of responsibilities.
AI isn’t “carved out”—so treat it as processing
AI is not addressed as a separate category, but using AI tools to analyze identifiable personal data is still data processing. Review cloud service terms, clarify subprocessors, and consider disclosing AI-related processing in your notices where relevant. Until more regulatory clarity emerges, transparency is the safer default.
Marketing, media, and beneficiary storytelling: get granular
Unsolicited marketing may also intersect with telecom enforcement overseen by the Telecom Regulatory Authority of India (TRAI), but the DPDP framework reinforces a core rule: don’t share data for promotional use without explicit consent.
If you collect photos, videos, testimonials, or quotes—especially in development contexts—build granular consent options (what will be used, where, for how long, and whether consent can be withdrawn).
What remains unclear—and why you should plan anyway
Some elements will continue to evolve through phased implementation and guidance (including how certain enhanced obligations apply in practice for larger entities). MeitY has published an implementation timeline alongside the Rules, and stakeholder debate over timelines has been active.
The practical takeaway: don’t wait for perfect clarity. Build the operational basics now—because once enforcement expectations harden, retrofitting systems is slower and more expensive.
A practical “start now” checklist
- Map your data flows (collection → storage → sharing → deletion)
- Rewrite notices and consent for clarity and purpose specificity
- Create a process for consent withdrawal and complaint routing
- Train frontline staff (field teams are now compliance stakeholders)
- Fix retention logic (purpose-led, documented, and executable)
- Update vendor contracts and security safeguards
- Establish an internal cadence (quarterly reviews, not event-driven panic)
If you have questions or would like to discuss the implications for your organization, please contact Samheeta Rao, Senior Partner at GameChanger Law Advisors at samheeta@gamechangerlaw.com.
Level Up Legally is an initiative by ANDE in partnership with GameChanger Law Advisors, aimed at equipping entrepreneur support organizations and small and growing businesses (SGBs) in India with a stronger understanding of the legal landscape. Through practical guides, legal clinics, and tailored resources, this partnership is designed to help SGBs navigate complex regulatory frameworks, make informed decisions, and build more resilient enterprises.
