Civil society organisations, including NGOs, community groups, and academic institutions, rely heavily on data for research, advocacy, and welfare initiatives, underscoring the need for data protection compliance. However, as these organisations face increasing scrutiny on multiple fronts, the new data protection law presents a potential challenge. The Centre for Social Impact and Philanthropy has categorised these organisations into two broad types: service delivery organisations and rights and advocacy organisations. Given the growing importance of data in their day-to-day operations, a strong grasp of data protection laws can act as a shield for civil organisations, protecting them from potential legal challenges. The release of the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”), which aim to operationalise the Digital Personal Data Protection Act, 2023 (“Data Protection Act”), marks a critical moment. These rules are currently open for public consultation [you can send your comments here till February 18, 2025], presenting an opportunity for organisations to understand and engage with the new regulations.

What Makes You a Data Fiduciary in the Context of Data Protection Compliance?

The Data Protection Act says that a “data fiduciary” is someone who decides, either alone or with others, how and why personal data will be processed [Section 2(i)]. The Data Protection Act will only apply to you if you are processing personal data in India, which is collected digitally or first collected in a non-digital form and later digitised [Section 3]. So, if you are the one deciding how personal data will be handled, and you are processing it within India (either in digital or digitised form), then yes, you would be considered a Data Fiduciary.

1. Who Is a Data Principal?

A Data Principal is a person whose personal data is collected and processed by a Data Fiduciary [Section 2(j)]. In the context of civil society organisations and NGOs, the beneficiaries, donors, and volunteers would be considered as the Data Principals.

2. Does Nationality Matter? Where Should Your Organisation Be Based or Operate for the Law to Apply to It?

The nationality of your organisation does not matter. The Data Protection Act applies to the processing of personal data within India, as well as outside India if the processing is related to offering goods or services in India. This means that foreign organisations must comply with the Data Protection Act when processing personal data connected to activities in India, regardless of their location or the nationality of the organisation.

Read the full article about data protection compliance by Medha Garg at India Development Review.