The enactment of the Digital Personal Data Protection (DPDP) Act in 2023 signifies a substantial transformation in India’s legislative landscape. This act introduces a comprehensive national framework for the processing of personal data, supplanting the previously limited data protection provisions outlined in the Information Technology Act of 2000.
The DPDP Act is applicable to the processing of digital personal data within India, extending its reach to data collected outside the country when offering goods or services to Indian residents. It incorporates key data protection principles such as purpose limitation, data minimization, storage limitation, and accountability. Additionally, the act enshrines various rights for data subjects (individuals whose data is being collected), including access, data correction, deletion, and avenues for grievance redressal.
However, beyond its legal implications, the passage of the DPDP Act prompts the philanthropic community to engage in introspection. The act’s focus on data protection and privacy rights serves as a timely reminder for philanthropic organizations and their beneficiaries, underlining the evolving responsibilities and challenges they face.
While the DPDP Act addresses a wide range of data-related issues, this article specifically examines its impact on impact measurement within the philanthropic sector. It is important to acknowledge that, like any evolving legislation, the act will continue to elicit further interpretations as we delve into this aspect.
The emphasis of CSR (Corporate Social Responsibility) on impact measurement through data analysis has been a consistent feature in India’s regulatory landscape. Companies are urged to adopt a data-driven approach to showcase their social and environmental impact, requiring meticulous tracking of both user data and the measurement of outcomes. This requirement holds true irrespective of the CSR model chosen, whether companies directly implement social and environmental projects or allocate grants to nonprofits for project execution.
For example, if a company directly engages in an education initiative, it may need detailed student profiles to illustrate the concrete outcomes of its interventions. Similarly, nonprofits funded by companies are frequently required to provide comprehensive reports demonstrating impact. This involves gathering data such as medical histories, personal narratives, or academic progress, depending on the nature of the project.
However, the rigorous demand for data and impact evidence in both approaches now conflicts with the stringent provisions of the DPDP Act, particularly concerning the collection, storage, and reporting of user data. This clash holds significant implications for funders and civil society organizations involved in impact measurement and evaluation, prompting crucial considerations regarding user data collection, reporting, and compliance.
What is set to change?
The ethical dilemma of collecting personal details without informed consent existed even before the introduction of the DPDP Act. The act essentially solidifies these ethical concerns into explicit legal requirements. For instance, under Sections 3 and 4 of the new legislation, gathering intimate personal information such as health records or financial data without explicit consent could pose legal risks.
Furthermore, the act’s focus on data security, minimization, and the requirement of explicit consent introduces complexities to the previously uncomplicated reporting procedures that are integral to CSR. Adhering to the data security and minimization stipulations outlined in Sections 8 and 11 might impose significant administrative challenges, particularly for organizations with limited resources.
Moreover, nonprofits aiming to meet these requirements will face heightened legal responsibilities and increased administrative burdens. This cost is not merely financial; it detracts from resources that could otherwise be directed towards impactful initiatives.