TL;DR: Under the DPDP Act, the organization that determines why and how beneficiary data gets collected is legally accountable for protecting it. In most CSR and impact sector arrangements, that is the funder, grant-maker, or CSR team, not the implementing NGO. Enforcement begins May 2027. The time to prepare is now.

When it comes to how the CSR and impact sector handles data, the traditional operating model has worked well. Funders supplied funds, implementers carried out the work, and the data was usually kept at the point where it was generated. While the data was in most cases collected by NGOs and grassroots organisations as part of programme implementation, corporate foundations and CSR teams reviewed the summary reports and took a bird’s-eye view.

Impact investors monitored their portfolios through regular progress reports, and grant-makers assessed proposals and made disbursements after receiving milestone documentation. There are exceptions where CSR teams are required by law to hold data on the beneficiaries they are impacting, but that is not a requirement for all CSR work, especially for entities headquartered outside of India.

When implementation is handled by NGOs and grantees, raw data (names, identity documents, financial information, and health records) generally stays with the implementing organisation that collects and stores it, and that organisation is usually considered to be the one responsible for its protection.

However, the Digital Personal Data Protection Act changes that. Under the Act, the person or organisation that determines how and why personal data gets processed is the one that takes on the responsibility of protecting it. Such an entity is known as the Data Fiduciary.

And in the majority of cases in the sector, the Data Fiduciary is not the implementing NGO or the grantee. It is the organisation that commissioned the data collection: the CSR team, the funder, the grant-maker, the investor.

That is a significant shift. Let us illustrate what it looks like in practice.

How Beneficiary Data Actually Moves

As a company that develops software to manage and measure impact, we work day in and day out with NGOs, CSR organisations, corporate foundations, and impact investors. When it comes to managing data, we have noticed that a few patterns emerge.

One such pattern is that data collection is usually conducted under resource scarcity. Data is gathered in the field, sometimes on mobile devices and other times on paper forms that are digitised at a later stage at the district office. The digitised records are then sent to a central M&E team via email, shared drives, and file-sharing platforms, where reports get compiled and dashboards get updated, and the cycle starts all over again.

To accomplish the above, the tools typically used are Google Sheets, Excel, Google Drive, and the like, and in some cases the ever-convenient WhatsApp is pressed into service. We are fans of these tools, and they have their place. They are relatively inexpensive and require little setup, which is essential when operating on tightly stretched budgets. But they were not designed with DPDP Act compliance in mind, and the way they tend to be used creates real exposure:

  • Shared folders can have access permissions that are too broad, because restricting them takes time nobody has.
  • Files don’t get deleted when they should, because there is no retention policy and nobody is responsible for enforcement.
  • Orphaned access permissions accumulate quietly due to staff transitions or consultant contracts ending.
  • There is no audit trail of who accessed what, from where, and when.

By the time beneficiary data reaches a funder’s dashboard, it has typically passed through multiple personal devices, unsecured networks, shared links that nobody revoked, and at least one external consultant’s laptop entirely outside the organisation’s visibility. And if the data is later imported into a CSR compliance portal, the portal does not clean the trail behind it.
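The four exposures listed above are checkable against a folder inventory. As an added illustration that is not part of the original post and not one of Relific’s tools, the Python below runs that check over a constructed inventory of a shared programme folder (the file records, staff roster, cut-off date and 365-day retention period are all assumptions): it flags link sharing open to anyone, access held by people no longer on the staff roster, files past their retention date, and files with no access log.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class SharedFile:
    """One entry of a shared-folder inventory (constructed sample data)."""
    path: str
    shared_with: list    # e-mail addresses granted access
    link_sharing: str    # "restricted" or "anyone_with_link"
    modified: date       # last modification date
    access_logged: bool  # whether an access log exists for this file


# Assumed current staff roster of both partners (hypothetical addresses).
CURRENT_STAFF = {"meena@sahayata.example", "csr@novacorp.example"}
RETENTION_DAYS = 365  # assumed programme retention period


def audit(files, staff=CURRENT_STAFF, today=date(2026, 1, 15),
          retention_days=RETENTION_DAYS):
    """Return (path, finding) pairs for every exposure found in the inventory."""
    findings = []
    for f in files:
        if f.link_sharing == "anyone_with_link":
            findings.append((f.path, "broad_access"))
        # Anyone on the share list who is no longer on staff is an orphaned grant.
        orphans = sorted(set(f.shared_with) - staff)
        if orphans:
            findings.append((f.path, "orphaned_access:" + ",".join(orphans)))
        if (today - f.modified).days > retention_days:
            findings.append((f.path, "past_retention"))
        if not f.access_logged:
            findings.append((f.path, "no_audit_trail"))
    return findings


# Constructed inventory: one well-managed file, one that shows every exposure.
SAMPLE_FILES = [
    SharedFile("district1/screening_q1.xlsx",
               ["meena@sahayata.example", "csr@novacorp.example"],
               "restricted", date(2025, 11, 1), True),
    SharedFile("district2/screening_2024.xlsx",
               ["meena@sahayata.example", "consultant@external.example"],
               "anyone_with_link", date(2024, 9, 30), False),
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_FILES):
        print(f"{path}: {finding}")
```

Run against a real export of folder metadata, the same four checks give a funder a first answer to “who can reach what, and for how long” before a beneficiary ever asks.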

A Scenario You Will Recognise

A large Indian conglomerate, let’s call them NovaCorp, allocates ₹2.5 crore under their CSR mandate for a rural women’s health initiative across three districts in Madhya Pradesh.

NovaCorp’s CSR team partners with Sahayata Foundation, a grassroots NGO, to run the program. The scope: screen 10,000 women for anemia and malnutrition, link them to government health schemes, and report impact quarterly.

Sahayata’s field workers go village to village with paper forms. Every evening, a data entry team at the district office digitises the forms into Excel sheets and uploads them to a shared Google Drive folder that both NovaCorp and Sahayata can access.

NovaCorp’s CSR head has always assumed Sahayata “owns” the data because they collected it. No data processing agreement exists. No consent forms mention NovaCorp. No access controls govern the shared Drive.

Under the DPDP Act, NovaCorp is the Data Fiduciary. They commissioned the project. They defined what data to collect, why, and how. They determined the purpose and means of processing. The Act holds them primarily accountable.

Sahayata Foundation is the Data Processor, executing data collection on NovaCorp’s instructions. They chose the field methodology and managed the volunteers, but the what and why were NovaCorp’s decisions. Sahayata has obligations under the Act, but primary accountability sits with NovaCorp.

NovaCorp is liable not despite being “just the funder,” but precisely because they were the funder who designed the data collection. And this pattern, a funder defining data requirements, an NGO executing them, and nobody documenting who is actually accountable, is the norm across the sector.

The health screening data for 10,000 women, including names, Aadhaar numbers, and haemoglobin levels, has passed through volunteers’ phones, a district office network, a Google Drive with no expiry on its sharing link, and an external consultant’s laptop. NovaCorp’s CSR dashboard shows the summary. But the Act holds NovaCorp accountable for the entire chain.

Three Assumptions Worth Revisiting

With the DPDP Act moving toward enforcement, it is worth revisiting three assumptions that have quietly shaped how the sector operates, assumptions most organisations have never had reason to examine, because until now, nothing forced them to.

Assumption 1: “The NGO holds the data, so they’re responsible.”

The Act introduces the concept of a Data Fiduciary, the entity that determines the purpose and means of data processing. Accountability is tied to decision-making authority, not physical possession of the records.

A funder that specifies what data to collect for a health programme is the Fiduciary. The implementing NGO, executing those instructions, is the Processor. Both have obligations, but primary accountability sits with whoever designed the data collection, and in most funded arrangements that is the CSR team, the foundation, or the grant-maker.

An MOU with a clause about “data ownership” does not change this. If NovaCorp’s shared Drive is breached, NovaCorp carries the exposure, not Sahayata.

Assumption 2: “Our collection is paper-based, so the Act doesn’t apply.”

The Act covers digital personal data. But it does not exempt paper-based collection: the moment paper surveys are entered into a spreadsheet (which they almost always are, at the district office, before being emailed to the M&E team), they are covered.

For organisations with significant paper-based operations, this means the paper-to-digital handoff is not a routine administrative step. It is a compliance event, the point at which the Act’s obligations begin. That needs to be planned for from the start of programme design, not addressed retroactively.

Assumption 3: “We use Google Workspace. We’re covered.”

Cloud services like Google Workspace and Microsoft 365 offer strong infrastructure security. But the security of an individual implementation is entirely on you. Folder permissions, access controls, retention policies: these are organisational responsibilities.

Several of the biggest data exposures in India have been due to configurations left wide open: an API endpoint with no authentication, a database still running default settings, and a shared link that was never restricted. In the impact sector, where beneficiary data routinely moves through Sheets, Drives, and messaging apps, the Act requires a demonstrable audit trail. Enterprise-grade infrastructure only matters if it is configured with the discipline the Act demands.

Cyber Threat Landscape

It is necessary to look at the country’s cyber threat landscape when discussing India’s Digital Personal Data Protection Act (DPDP Act). According to Check Point Research statistics from early 2023, Indian businesses face an average of over 2,000 cyberattacks every week, significantly higher than the global average. Sectors with limited IT funds and outdated infrastructure have been particularly exposed, and the country’s public services, financial, healthcare, transport, and education systems have all been hit by data breaches. The impact on the non-profit sector has not been at the forefront of the news yet, but with sensitive information such as identity documents, financial details, and health data hanging in the balance, the DPDP Act is a call for this sector to clean up its act and strengthen its data protection. Gartner forecasts that by 2027, more than 40% of AI-related data breaches will stem from improper generative AI use.

Penalties

The penalties under the DPDP Act are significant enough to warrant board-level attention:

  • Up to ₹250 crore per incident for failure to implement adequate security safeguards resulting in a breach.
  • Up to ₹200 crore for failure to notify the Data Protection Board of India or affected individuals following a breach.

For most NGOs and even mid-sized foundations, a fraction of either figure would be existential.

Two additional obligations are particularly relevant in this sector. First, collecting data on beneficiaries under 18, routine in education, health, and livelihood programmes, requires verifiable parental consent and explicit safeguards under the Act. This is not a footnote; it affects programme design at the level of beneficiary registration.

Second, beneficiaries now have legal rights under the Act: the right to access data held about them, correct inaccuracies, withdraw consent, and in many circumstances, request erasure. A beneficiary in a rural district asking “what data do you hold about me?” is an obligation the Act creates. For organisations that have never mapped where their beneficiary data sits, being operationally ready to respond is currently not possible.

What We Built at Relific

In building our platform, we ran into these problems firsthand. We saw how much NGOs, foundations, CSR programmes, and investment portfolios wanted to do the right thing by their data and how often the infrastructure simply was not there to support them. Consumer tools had filled the vacuum, but they were built for general use, not for the demands of sensitive beneficiary data or the regulatory environment now taking shape.

ProGran is our grant and programme management platform, covering proposals, approvals, disbursements, and reporting in one system, with a full audit trail of who accessed what and when. Embedded within ProGran is a robust data collection tool (Surve-R) that allows organisations to comply with the regulatory requirements for handling personal data. And our analytics tool within ProGran filters out sensitive and restricted data so that it is not accessible without explicit rights to it.

AI-R enables analysis and reporting in a contained environment, so organisations can use AI without their sensitive data reaching external models.

We include this because we think organisations evaluating their options should know what purpose-built infrastructure looks like. If you would like to see how these tools map to your specific compliance gaps, visit relific.io.

May 2027 Is Closer Than It Looks

Building compliant infrastructure is not about avoiding penalties alone. It is about laying the groundwork for a better operational future. Mapping data flows, reworking partner agreements, designing consent processes, and training teams all take more time than a last-minute scramble allows.

Our Dream: NovaCorp has mapped the data flows across its Madhya Pradesh programme. A tool such as Relific governs the relationship between NovaCorp and Sahayata, specifying Fiduciary and Processor roles, security standards, and breach notification timelines. Consent forms have been redesigned in Hindi and Bundeli. Access to the shared Drive has been replaced with role-based controls and audit logging via Relific. The programme runs the same way it always did. The field workers go from village to village. 10,000 women get screened. But now the infrastructure matches the trust those women placed in the people asking for their names, their Aadhaar numbers, and their health records.

We built Relific not for the DPDP Act, but for what we saw in the field: a programme worker earning a family’s trust to share sensitive details about their income, their health, and their children’s education. That family trusted the information would help them and be handled with care. That trust is what powers this sector. The Act did not invent this duty. It just made ignoring it impossible. If you want to see how others have started down this path, we’re here to walk you through.

Frequently Asked Questions

1. What is India’s DPDP Act?

The Digital Personal Data Protection (DPDP) Act, 2023, is India’s first comprehensive law governing digital personal data. It received Presidential assent in August 2023, with Rules notified in November 2025 and full enforcement expected from May 2027.

2. Who is a Data Fiduciary under the DPDP Act?

Any person or organisation that determines the purpose and means of processing personal data. In the impact sector, this is typically the funder, CSR team, or grant-maker that specifies what beneficiary data to collect, not necessarily the NGO that physically collects it.

3. Are NGOs required to comply?

Yes. NGOs that collect, store, or process digital personal data in India are covered. When executing a funder’s programme, NGOs typically act as Data Processors. When running independently designed programmes, they become Data Fiduciaries with full accountability.

4. Does the Act apply to CSR programmes and corporate foundations?

Yes. CSR teams and corporate foundations that specify what beneficiary data to collect are likely Data Fiduciaries, regardless of whether an NGO physically handles the data. This applies to both India-headquartered and foreign companies.

5. What are the penalties?

Up to ₹250 crore per incident for inadequate security safeguards resulting in a breach. Up to ₹200 crore for failure to notify the Data Protection Board or affected individuals. For most NGOs and mid-sized foundations, either figure would be existential.

6. Does the Act apply to paper-based data collection?

Yes. The Act covers digital personal data, which includes any information collected on paper and subsequently digitised. Since virtually all paper forms eventually enter a spreadsheet or MIS, paper-based collection is not outside the Act’s scope.

7. What does the Act require for children’s data?

Verifiable parental or guardian consent before collecting personal data from anyone under 18. Education, health, and livelihood programmes that register minor beneficiaries must redesign their consent and onboarding workflows before enforcement begins.

8. What rights do beneficiaries have?

Beneficiaries (Data Principals) can access their personal data, request correction of inaccuracies, withdraw consent, and in many circumstances, request erasure. Organisations must be operationally ready to fulfil these requests.

9. Does the Act apply to AI tools?

Yes. AI vendors handling personal data must be contracted as Data Processors. Open-web AI tools receiving beneficiary data without proper controls create significant compliance exposure. Cross-border data flows must be secured or de-identified.

10. How should organisations begin?

Start with a personal data mapping exercise: identify where beneficiary, partner, and staff data exists across all systems, devices, and vendors. Then clarify Fiduciary and Processor roles, design consent journeys, implement access controls and audit trails, and establish retention and deletion policies.

Manjunatha Thyagaraj

Relific Team

Building AI-powered tools that help the social sector move from measuring impact to delivering it.