Disclaimer: This article is educational and does not constitute legal advice. Consult a qualified legal professional for advice specific to your organisation.
India's Digital Personal Data Protection Act 2023 (DPDP Act) is now in force. For field researchers — NGOs running surveys, universities conducting longitudinal studies, government M&E teams — the Act creates real obligations around how you collect, store, and use personal data about respondents.
Most guidance written about DPDP targets tech companies. This article is written specifically for field research contexts: household surveys, health studies, livelihood assessments, and impact evaluations. It focuses on what actually changes for your data collection workflow.
Non-compliance penalties under DPDP can reach ₹250 crore for significant breaches. Even smaller infractions — like failing to respond to a Data Principal's erasure request — carry penalties up to ₹10 crore per instance. "We didn't know" is not a defence.
What Is the DPDP Act, in Plain Terms?
The Digital Personal Data Protection Act 2023 governs how organisations process "digital personal data" — any information that can identify a living individual, stored or processed in digital form. If your survey collects a respondent's name, phone number, Aadhaar number, health information, income, caste, or location — that is personal data, and the DPDP Act applies to how you handle it.
The Act establishes two key roles:
- Data Fiduciary: The organisation that decides why and how personal data is processed. In field research, this is your NGO, university, or government department.
- Data Principal: The individual whose data is being collected — your survey respondent.
A third role — Data Processor — covers entities that process data on behalf of a Data Fiduciary. Your survey software vendor (including FieldGovern) is a Data Processor.
5 Things That Change Immediately for Field Research Teams
1. Consent Must Be Free, Specific, Informed, and Unconditional
Generic consent — a signature on a paper form that says "I agree to participate" — is no longer sufficient for the purposes of the DPDP Act. Consent must be specific to each purpose for which you are processing data. If you are collecting health data for a livelihood study, consent for "research purposes" is too broad. You need separate consent for each distinct processing purpose.
Critically, consent must be withdrawable. A respondent must be able to withdraw consent at any time, and withdrawal must be as easy as giving consent. This has major implications for longitudinal studies — see below.
2. You Must Tell Respondents Exactly What You Will Do With Their Data
Before collecting data, you must provide a Privacy Notice that clearly states: what personal data is being collected, the specific purposes, who it will be shared with (including your software vendor), how long it will be retained, and how the respondent can exercise their rights. This notice must be in simple language and, where practicable, in the language the respondent understands.
3. Data Minimisation Is Now a Legal Requirement
You may only collect personal data that is necessary for your stated purpose. Collecting respondent phone numbers "just in case we need to follow up" — when you have no concrete follow-up plan — is now a legal risk. Review your form and remove fields you don't actually use in analysis.
4. Data Principals Have the Right to Erase and Correct Their Data
Respondents can request correction of inaccurate data and erasure of their data. You must have a mechanism to receive, process, and respond to such requests — and you must do so within a reasonable time (rules are expected to specify exact timelines). For organisations running multi-wave panel studies, this creates a genuine operational challenge: if a respondent requests erasure mid-study, you must comply, which may create missing-data problems. Build this possibility into your study design from the start.
5. Children's Data Requires Verifiable Parental Consent
If your study includes respondents under 18 — common in education, nutrition, and child development studies — you must obtain verifiable parental or guardian consent before collecting any personal data from or about the child. Simply having a parent present during enumeration is not sufficient; consent must be verifiable and documented.
What a Compliant Survey Form Looks Like
A DPDP-compliant survey form for field research should include, before any data-collection questions:
- Privacy Notice screen — displayed in the respondent's preferred language, covering purpose, data sharing, retention, and rights.
- Explicit consent question — "Do you consent to participate in this study and to your responses being used for [specific purpose]?" with Yes/No options. If No, the form should end immediately without recording any personal data.
- Consent timestamp — automatically recorded by the survey tool, not entered manually by the enumerator.
- Consent ID — a unique identifier linking this consent record to the respondent's data, stored separately and securely.
- Withdrawal information — a plain-language statement of how the respondent can withdraw consent (e.g., SMS/call to a specific number, or contact with the field supervisor).
| Element | Non-Compliant Practice | Compliant Practice |
|---|---|---|
| Consent capture | Paper signature, entered retrospectively | Digital, timestamped at point of collection |
| Language | English-only privacy notice | Local language (Hindi, Tamil, etc.) available |
| Purpose statement | "Research purposes" | "To evaluate the impact of [Programme X] on household income, shared with [Funder Y], retained for 5 years" |
| Withdrawal mechanism | Not mentioned | Clear instructions in the consent screen |
| Children's data | Child present, parent nearby | Verifiable parental consent recorded separately |
| Data sharing | Not disclosed | All third parties (software vendor, funder, partner NGOs) named |
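The form elements above can be enforced in the data layer rather than left to enumerator discipline. The following is an added example, not FieldGovern's code or anything prescribed by the Act: a minimal in-memory consent ledger that issues a consent ID with a system-generated timestamp, stores nothing on refusal, rejects fields not declared for the purpose, and keeps answers in a separate store. The class name, field names, and the choice to erase answers on withdrawal are assumptions made for illustration.

```python
import uuid
from datetime import datetime, timezone


class ConsentLedger:
    """Consent records and answers live in separate stores, linked only by consent ID."""

    def __init__(self, allowed_fields):
        self.allowed_fields = allowed_fields  # purpose -> fields needed for that purpose
        self.consents = {}                    # consent_id -> consent record (no answers)
        self.responses = {}                   # consent_id -> answers (no consent text)

    def record_consent(self, purpose, notice_language, granted):
        if purpose not in self.allowed_fields:
            raise ValueError(f"undeclared purpose: {purpose!r}")
        if not granted:
            return None  # respondent said No: end the form, store nothing
        consent_id = str(uuid.uuid4())
        self.consents[consent_id] = {
            "purpose": purpose,
            "notice_language": notice_language,
            "granted_at": datetime.now(timezone.utc).isoformat(),  # system clock, not enumerator
            "withdrawn_at": None,
        }
        return consent_id

    def store_response(self, consent_id, purpose, answers):
        consent = self.consents.get(consent_id)
        if consent is None or consent["withdrawn_at"] is not None:
            raise PermissionError("no active consent for this respondent")
        if consent["purpose"] != purpose:
            raise PermissionError("consent was given for a different purpose")
        extra = set(answers) - set(self.allowed_fields[purpose])
        if extra:  # data minimisation: only fields declared for the purpose
            raise ValueError(f"fields not needed for {purpose!r}: {sorted(extra)}")
        self.responses[consent_id] = dict(answers)

    def withdraw(self, consent_id):
        # Assumption: withdrawal erases the answers; the consent record keeps
        # only the timestamps showing when consent was given and withdrawn.
        self.consents[consent_id]["withdrawn_at"] = datetime.now(timezone.utc).isoformat()
        return self.responses.pop(consent_id, None) is not None


# Constructed sample data for the demonstration.
ledger = ConsentLedger({"income_impact_evaluation": ["household_size", "monthly_income"]})
cid = ledger.record_consent("income_impact_evaluation", "hi", granted=True)
ledger.store_response(cid, "income_impact_evaluation", {"household_size": 5, "monthly_income": 12000})
```

A production version would persist the two stores in separately access-controlled databases and log each withdrawal for audit.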
Data Principal Rights — Explained Plainly
Under the DPDP Act, every survey respondent has the following rights regarding their personal data:
- Right to information: Know what data you hold about them and how it is being used.
- Right to correction: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of their personal data (with some exceptions for legal or public-interest purposes — your legal counsel should advise whether a research exemption applies to your context).
- Right to grievance redressal: Lodge a complaint with you (the Data Fiduciary) and, if unsatisfied, with the Data Protection Board of India.
- Right to nominate: Nominate another person to exercise these rights in the event of death or incapacity.
The Data Protection Officer (DPO) Requirement
The DPDP Act requires "Significant Data Fiduciaries" to appoint a Data Protection Officer. While the government is yet to publish the final list of Significant Data Fiduciaries (which will likely be defined by sector and data volume), organisations processing health data, children's data, or large volumes of biometric data should expect to be included.
Even if your organisation is not classified as a Significant Data Fiduciary, best practice is to designate someone internally — a DPO equivalent — who is responsible for data protection decisions, handles Data Principal requests, and liaises with your software vendors on data processing agreements.
Penalties — How Serious Is This?
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards (data breach) | ₹250 crore |
| Failure to notify Data Principals and Board of a breach | ₹200 crore |
| Non-compliance with Data Principal rights | ₹10 crore |
| Failure to observe children's data protections | ₹200 crore |
| Failure to comply with Board orders | ₹150 crore |
For most NGOs and academic research units, the most realistic risk is not the maximum penalty — it is reputational damage, funder loss, and the administrative burden of a Board inquiry. Getting compliant now is far cheaper than responding to a complaint later.
Does a Research Exemption Exist?
The DPDP Act does provide that the government may exempt certain processing — including for research, archiving, and statistical purposes — from some provisions. However, as of early 2026, these exemptions are not fully defined in secondary rules. Do not assume an exemption applies to your work without legal advice. The consent and security obligations are unlikely to be exempted even for legitimate academic research.
Getting Compliant in 30 Days: A Practical Checklist
FieldGovern Has DPDP Controls Built In
Timestamped consent capture, audit logs, Data Principal request management, and a signed DPA — everything you need to demonstrate compliance. Start your free trial or contact us for an institutional walkthrough.