DPDP Overview
The Digital Personal Data Protection (DPDP) Act 2023 was passed on 11 August 2023. In simple terms, this data protection law emphasizes the necessity for lawful processing of data while striking a balance to protect personal data. Getting the balance right with respect to reducing friction, collecting the necessary data, and simultaneously ensuring fairness and transparency in the processing of customer data form the crux of this law. This guide is for those who are keen on grasping the DPDP law and initiating the necessary steps to ensure compliance.
Note that while there are nine chapters in the DPDP Act 2023, we will only be covering the key tenets of the law with regards to the personal data collected from prospects, customers, employees, partners, suppliers etc and processed, shared and stored by data fiduciaries and data processors. In other words, this guide will enable data fiduciaries to ensure transparency in data collection and define an affirmative purpose for which the data is collected and processed. In addition, the guide will cover the process related to registering systems, creating policies, designing multilingual consent, registering them and automating customer requests and grievances.
Key DPDP Concepts
Data Principal – This refers to the person who owns and shares personal data with others such as a Bank for opening a Bank Account.
Data Fiduciary – This refers to the organisation such as a Bank that receives personal information from Data Principals to process and provide the required services.
Data Processor – This refers to organisations that are appointed by Data Fiduciaries to help with processing the data. For instance, capturing and verifying customers prior to onboarding them.
Consent – This refers to a transparent notice of the data collected, processed, shared, stored and sold by Data Fiduciaries. Consents are usually taken at the point of onboarding a customer.
Notice – Notices are a way to intimate to a customer of the data that has already been collected, processed and stored and allow the customer to make changes to preferences if any.
Policy – A policy model refers to the data that is collected, processed, shared, stored and sold by the Data Fiduciaries. The policies are applied to systems collecting data to create the right consents to be presented to Data Principals.
Purpose – Purpose refers to the reason for collecting and processing the data, as explained in the consent or notice given by the Data Fiduciary to the Data Principal. A purpose is applied along with a Policy to a System in order to generate the right consent to be presented to the Data Principal.
Request – Refers to the request for changes, corrections, erasure or change of preferences to consents provided by Data Principals.
Grievance – Refers to the complaints raised by Data Principals to Data Fiduciaries to make corrective actions with respect to handling their personal data.
Implementation Steps
The entire DPDP solution implementation can be categorised into three major milestones. Data Discovery, Data Registry and Data Residency. The vast majority of this article covers the central and most important layer – Data Registry or Consent Manager. However, we will cover the data discovery and the data residency concepts as well, which are already well known in the industry.
Data Discovery
This refers to an inventory of systems deployed in an organization that collects, processes, shares, or stores personal data. While identifying the systems and the data they collect is relatively straightforward, pinpointing the various processes that utilize this data can be time-consuming.
For large organizations (with several hundred million customers) and several thousand distributed endpoints, we recommend using data discovery tools that can scan endpoints (laptops, destops, mobiles etc), files, and other local repositories, providing a detailed analysis of the types of data present and their details such as type, policy violation etc. We provide a data discovery scanner that can also double up as a DLP tool or you can use any tool of your choice and we can import the discovery logs into our registry and build the systems map, data map and consent layers. We usually complement the data scanning step with our data survey step to ensure that those tasked with managing systems (both internal and external vendors) complete a DPDP assessment. Once the inventory and the assessment is ready, it can be mapped into the Atlas DPDP registry, either using APIs or file templates.
For medium to smaller-sized organisations (up to a few million customers), we recommend using our semi-automated data discovery process and data discovery tools (for automatically scanning files, databases and images in servers and assessments for endpoints). This involves working with your teams to identify the sources of data, profiling the data sources to classify and categorize personal and non-personal data, adding the data policies that define the collection, processing, sharing, and storing of data, and specifying the purpose for which the data will be used. Data minimisation steps ensures that the systems process data only for the purpose for which it was granted.
Our data discovery process also includes regular audits of the systems to ensure adherence to the consents and purposes shared by customers, as well as ensuring that data processing logs are accurately recorded in the Atlas registry by design.
Atlas Registry templates, assist in defining systems, data, and the classification of data into specific categories. This categorisation can then facilitate the formulation of policies and purposes. Consequently, it enables your front-end data collection and data processing applications to present the appropriate consent pages for obtaining consent.
Data Residency
Data residency refers to securing the data collected, processed, and stored in the best interest of the data principal so as not to allow data to be breached. This can take the form of various security measures, including data encryption, data vaults, access controls, and privileged access for the most sensitive data, among other methods.
While this has already been mandated as part of prevailing regulations such as IT Act 2000 and various rules from regulatory bodies such as UIDAI, RBI, SEBI, TRAI and IRDAI, the DPDP law mandates that there are no lapses in the processes and that data storage, transfer and sharing is as per prevailing laws and in line with the consent received from the customer.
Data Registry
The data registry serves as the central processing unit of the DPDP law. It functions as the central console orchestrating the entire data protection lifecycle among the data principal, data fiduciary, and the data processor.
After completing the data discovery process, it is essential to define the systems, processes, and purpose for which personal data is collected by these systems.
Once the systems are defined, policies will need to be configured so as to ensure that the correct data attributes and their purpose for processing is defined by the data owners.
Central to the DPDP solution is the Consent Manager, which ensures that the correct consent is presented to the user and perpetually stored in the consent registry. The Consent Manager ensures diligent adherence to all data processing procedures, respecting the user given consents, and ensuring thorough logging of consent checks and data processing by fiduciaries and processors. Additionally, the Consent Manager orchestrates customer requests and changes to preferences and purposes previously shared by the user.
Once the policies are defined, consents need to be generated from the policy. Consent must be clear and unambiguous—free, specific, informed, unconditional, clear, and affirmative—and presented in the customer’s language of choice.
Registering all consents given by the data principal is crucial, serving as proof as mandated by the DPDP Act. The Consent Manager forms a crucial component of the overall DPDP solution.
The Registry will ensure that the captured data will only be used and processed in accordance with the law for legitimate purposes and the explicit consent given by the customer.
The registry should then facilitate servicing customer requests and provide a workflow to handle customer grievances.
A summary of the Atlas Data Protection and its functions are specified here:
- Discovery – Use our semi-automated process to identify data sources, classify and categories your data, build the policies and purposes to adhere to the law.
- Policy and Purpose – Following the Discovery phase, register all systems/vendors and the data policy (data collection, processing, sharing etc) and their Purpose in the Atlas registry – essential for consent management compliance.
- Design Consent – Automatically generate the consent pages based on the systems and policies. The consent pages can be customised and generated in 10 Indian languages.
- Consent Manager – Record all of the customer consents in one central place with all of the audit details needed for DPDP compliance. Initiate consents right from your data collection systems with simple APIs or no code links.
- Consent Search – Where consent is recorded. Search for a customer record and view consent provided as Proof of Consent (essential for DPDP compliance).
- Consent Checks – Ensure that every system intending to process personal data is approved in the registry and invokes the APIs for consent checks prior to processing data.
- Processing Logs – Ensure that every system processing data logs the details before processing. The system registry and consent checks will verify compliance or raise a flag for policy violation.
- Customer Requests – Review all changes requested by customers—automate requests using a set of rules or assign them to system owners for completion. Ensure the system sends notifications of progress throughout the process.
- Customer Request Forms – Enable standard customer request forms that can be handled centrally within the Atlas Registry. The forms can be invoked from anywhere such as your website, QR codes and your net and mobile banking applications.
- Customer Grievances – Manage all DPDP complaints in one place with Workflow for assignment/completion and reporting. This will, in future, include APIs that connects to the central data protection board for periodic reporting of grievances received and serviced by the organisation.
- Reports – A 360-degree view of customer data, consent %, compliance %, systems accessing data, complaints, redressals, reports for auditors etc
- Admin – Org management, User management, role management, logs etc
- APIs – APIs for integrating the Atlas Registry with internal and external data processors: register processing requests, check for consent permissions, invoke consent pages to the User, automate customer requests; reminders and alerts. There are over a 100 APIs that helps in orchestrating the DPDP compliance within your organisation.
About
We are your friends at frslabs
FRSLABS is an award-winning research and development company specialising in customer onboarding, identity verification and fraud prevention solutions for businesses. Whether you are a big bank, insurance, telco or a small investment broker, we help you onboard and verify your customers with greater flexibility, compliance and reliability.
Built for you, not for investors
We do what is right for you (and only you) at scale. Nothing is off-limits for us when it comes to innovation, a culture best reflected in the array of patents we have filed. We want to be your trusted partner, to build the solutions you need, and to succeed when you succeed.
Priced for success
We are driven by our mission to touch a billion lives with our tools and not beholden by venture capital or mindless competition. We therefore have the freedom to do the right thing, and price our products sensibly, keeping your success and our staff in mind. We succeed only when you succeed.
Supported by humans
Whatever it takes, we are here to help you succeed with our products and services. For a start, you get to talk to a human for help, not bots, to figure things out one-to-one. Whatever your needs, however trivial or complex it may seem, we have you covered.