What the DPDP Act means for your school's data
Your school holds names, photos, birth dates, fees, marks and health notes for hundreds of children — and a new law now makes you legally responsible for all of it. This guide explains, in plain language, what the DPDP Act asks of an Indian school, what makes children's data special, and the practical steps to get compliant.
A class teacher creates a WhatsApp group for 40 parents. Over the year it fills up: a child's full name and admission number, a photo from Sports Day, a screenshot of the fee-defaulter list, a scan of a birth certificate someone forwarded "for records". Nobody meant any harm. But every one of those messages is a child's personal data, sitting on dozens of phones the school does not control — and as of late 2025, there is a law that treats that exactly as seriously as it sounds. Most principals have heard the name "DPDP Act". Very few have been told what it actually demands of a school.
Here is the short version. The Digital Personal Data Protection (DPDP) Act, 2023 makes your school legally responsible for every student's data you collect, store or share. Because your students are children, the law puts you in its strictest category. The good news: the fixes are not exotic. They are mostly about consent, locking down who can see what, and choosing software that stores data in India and signs a proper agreement. This is an explainer to help you understand the law — not legal advice; for your school's specific compliance, talk to a qualified professional.
What does the DPDP Act actually mean for a school?
The DPDP Act is India's first real data-protection law for personal information. In its language, your school is a Data Fiduciary — the body that decides why and how children's data is processed — and every student and parent is a Data Principal with rights over their own data. The Act was passed in 2023; the rules that operationalise it (the DPDP Rules) were notified on 13 November 2025, and the substantive obligations become enforceable on 13 May 2027, after an 18-month runway for organisations to get ready. A school does not need to wait until 2027 to start; the schools that begin now will not be scrambling later.
What the Act puts on a school's plate
- You must have a lawful basis to hold the data. For most student information, that basis is consent — given freely, for a clear purpose, and as easy to withdraw as it was to give.
- Children's data is a special category. Anyone under 18 is a "child" under Indian law (stricter than the under-13 line many global laws use), and processing their data needs verifiable consent from a parent or lawful guardian.
- You can only collect what you actually need. Asking for a parent's Aadhaar, caste or income when the purpose is just attendance is exactly the kind of over-collection the Act is designed to curb.
- Parents and students get rights: to see what data you hold, to correct it, to ask for erasure when it's no longer needed, and to a grievance channel that answers them.
- You must keep the data reasonably secure — access controls, no shared logins, no birth certificates floating around in WhatsApp groups.
- If there's a breach, you must report it — to the affected families and to the Data Protection Board of India — without undue delay.
- You are responsible even when a vendor holds the data. Your ERP, biometric machine and bus-tracking app are your "data processors"; the law still treats the school as accountable, so the contract with them matters.
- Penalties are real. The ceiling for failing to keep data secure runs up to ₹250 crore, and failing to handle a breach or children's-data rules properly can draw up to ₹200 crore — figures meant for large fiduciaries, but a signal of how seriously the law treats the duty.
Why is children's data treated so strictly?
This is the part that catches schools off guard, because a school is almost entirely a children's-data operation. The DPDP Act singles out children for extra protection in two ways. First, before you process a child's data, you must obtain verifiable parental consent — not a tick-box on an admission form, but consent where you have taken reasonable steps to confirm the person giving it really is the parent or guardian. Second, and this is absolute, the Act bars tracking, behavioural monitoring and targeted advertising directed at children. No parental consent can unlock those — they are simply off-limits. For a school that means no profiling a child's activity to push anything at them, and serious caution about any "free" app that monetises student attention.
There is one nuance worth stating plainly so you don't over- or under-react. The rules carve out narrow situations where parts of the children's-data obligations are relaxed — for example, data processed to keep a child safe, to confirm a real-time location for safety, or to provide a benefit the child is entitled to. These exemptions are specific and limited; they are not a blanket pass for schools to skip consent. The safe reading for a principal is simple: assume verifiable parental consent and strict handling are the default for everything you do with student data, and treat any exemption as something to confirm with an advisor, not assume.
What's your DPDP checklist as a school?
You do not need a compliance department to make real progress. Work through these in order — most are organisational habits, not technology projects.
- Map what data you hold, and where. List every place a child's data lives: the ERP, the attendance register, the biometric device, the transport app, the photo drive, teachers' personal phones, the front-office Excel sheet. You cannot protect what you have not mapped.
- Get verifiable parental consent — and write it down. Add a clear consent step at admission and re-admission that says what data you collect, why, and how a parent can withdraw it. Keep a record of who consented and when, so you can prove it.
- Lock access by role. A class teacher does not need the fee ledger; the accountant does not need medical notes. Give every staff member only the data their job requires, with their own login — proper role-based access is the single highest-impact fix most schools skip.
- Pick a vendor that stores data in India and signs an agreement. Ask where the data physically sits and get a written data-processing agreement that commits the vendor to the same duties. A handshake is not a contract.
- Have a breach plan before you need one. Decide now who gets told, in what order, and how you would notify families and the Data Protection Board without delay. A breach handled fast and honestly is a very different event from one that is hidden.
- Honour deletion and access requests. When a child leaves, or a parent asks what you hold or wants old data removed, have a way to actually do it — not a promise that dies in an inbox.
- Kill the WhatsApp-group habit for sensitive data. Move admission documents, defaulter lists and health information out of open groups and into access-controlled software. This one change closes most of a school's everyday exposure.
What should you ask any ERP or app vendor?
Most schools run on a stack of tools — an ERP, a communication app, a biometric system, a bus tracker — and each one is a place student data can leak. You don't need legal training to vet them; you need a short list of blunt questions. Ask where the data is physically stored, and get "in India" in writing. Ask whether they will sign a data-processing agreement that binds them to the same obligations the law puts on you. Ask how access is controlled — can you give a teacher a login that sees only their class? Ask what happens to your data if you leave: can you export it and have it deleted? Ask how they would tell you about a breach. The names you'll run into — Teachmint, Vidyalaya, Fedena, Entab, MyClassboard, Campus 365, Edunext, and Inkwelly among them — should all be able to answer these without flinching. If a vendor is vague about where data lives or won't sign an agreement, that is your answer.
What does non-compliance actually cost?
The headline numbers are large on purpose. The DPDP Act sets a penalty ceiling of up to ₹250 crore for failing to maintain reasonable security safeguards, and up to ₹200 crore for mishandling a breach or the children's-data rules. Those ceilings are aimed at the biggest data handlers, and a single school is unlikely to face the top of the scale — but the framing matters, because it tells you how the regulator views the duty. The more realistic cost for a school is closer to home: a leaked defaulter list or a circulated child's photo becomes a parent's complaint, a WhatsApp screenshot, and a trust problem that no refund fixes. Set against that, the compliance work is cheap — a consent step, role-based logins, an India-hosted vendor, and a habit change cost far less than one bad incident.
Where does Inkwelly fit?
Inkwelly is built so that the boring-but-important parts of the DPDP Act are handled by the software, not by your front office. Access is governed by role-based permissions — a teacher sees their class, the accountant sees fees, nobody sees everything by default. Consent for student information is captured and recorded at admission rather than assumed, so you can show who agreed to what. And your school's data is stored on infrastructure in India, with a clear processing agreement, so the "where does our data live?" question has a straight answer. School-to-parent updates go through structured communications instead of open WhatsApp groups, which is exactly the habit the law nudges you away from. We won't claim Inkwelly makes you compliant on its own — compliance is people and process too — but it removes the parts schools most often get wrong.
“The DPDP Act doesn't ask a school to become a tech company. It asks you to know what data you hold, get real consent for it, decide who can see it, and choose a vendor you can trust with it.”
You don't have to solve all of this in a week, and you don't have to wait until 2027 either. Pick the two changes with the biggest payoff — a clear, recorded consent at admission and role-based logins instead of shared ones — and do them this term. Then map your data, get your vendor agreement in writing, and write down a one-page breach plan. Schools that start now will treat 2027 as a date on the calendar, not a deadline they're racing. And because this is an explainer rather than legal advice, run your final compliance plan past a qualified professional before you rely on it.
See how role-based access and recorded consent work in practice
Book a free, no-pressure demo and we'll show you exactly how Inkwelly handles access control, consent at admission, and India-hosted student data.
Frequently asked questions
Does the DPDP Act apply to schools?
Yes. A school is a Data Fiduciary under the DPDP Act because it decides why and how it collects and uses students' personal data. Since students are children (under 18), schools fall into the law's strictest category and must obtain verifiable parental consent, keep data secure, and honour parents' rights over that data.
What is verifiable parental consent under the DPDP Act?
It means that before processing a child's data, the school must obtain consent from a parent or lawful guardian and take reasonable steps to confirm that person really is the parent. A silent tick-box on an admission form is not enough — the consent should be clear, recorded, and as easy to withdraw as it was to give.
When does the DPDP Act come into force for schools?
The DPDP Act was passed in 2023. The DPDP Rules that operationalise it were notified on 13 November 2025, and the main obligations become enforceable on 13 May 2027 after an 18-month preparation window. Schools can and should start preparing now rather than waiting for the deadline.
Can schools track or send targeted ads to students under the DPDP Act?
No. The Act places an absolute ban on tracking, behavioural monitoring and targeted advertising directed at children, and parental consent cannot unlock it. Schools should be cautious about any free app that profiles student activity or monetises student attention, since that is exactly what the law prohibits.
What are the penalties under the DPDP Act?
The Act sets a penalty ceiling of up to ₹250 crore for failing to maintain reasonable security safeguards, and up to ₹200 crore for mishandling a data breach or the children's-data rules. These ceilings target the largest data handlers, but they signal how seriously the law treats a fiduciary's duty to protect data.
Does our school's data have to be stored in India?
The DPDP Act does not impose blanket data localisation, but the government can restrict transfers of certain data to certain countries, and storing data in India keeps you on the safest side and answers the "where does our data live?" question cleanly. Ask any ERP vendor where data physically sits and get the answer in writing.
Is using WhatsApp groups to share student data a problem under the DPDP Act?
It can be. Sharing children's photos, admission documents, marks or defaulter lists in open WhatsApp groups puts personal data on many devices the school does not control, with no access limits and no record of consent. The safer practice is to move sensitive sharing into access-controlled school software.
Is this article legal advice?
No. This is a plain-language explainer to help principals and owners understand what the DPDP Act broadly asks of a school. It is not legal advice, and the rules are still being phased in. For your school's specific compliance steps, consult a qualified data-protection professional or lawyer.