DPDP – Get started with data protection compliance


DPDP Overview

The Digital Personal Data Protection (DPDP) Act 2023 was passed on 11 August 2023. In simple terms, this data protection law emphasizes the necessity for lawful processing of data while striking a balance to protect personal data. Getting the balance right with respect to reducing friction, collecting the necessary data, and simultaneously ensuring fairness and transparency in the processing of customer data forms the crux of this law. This guide is for those who are keen on grasping the DPDP law and initiating the necessary steps to ensure compliance.

Note that while there are nine chapters in the DPDP Act 2023, we will only be covering the key tenets of the law with regard to the personal data collected from prospects, customers, employees, partners, suppliers, etc., and processed, shared and stored by data fiduciaries and data processors. In other words, this guide will enable data fiduciaries to ensure transparency in data collection and define an affirmative purpose for which the data is collected and processed. In addition, the guide will cover the process of registering systems, creating policies, designing multilingual consent, registering consents and automating customer requests and grievances.

Implementation Steps

The entire DPDP solution implementation can be categorised into three major milestones: Data Discovery, Data Registry and Data Residency. The vast majority of this article covers the central and most important layer – Data Registry. However, we will cover the data discovery and data residency concepts as well, which are already well known in the industry.

Data Discovery

This refers to an inventory of the systems deployed in an organization that collect, process, share, or store personal data. While identifying the systems and the data they collect is relatively straightforward, pinpointing the various processes that utilize this data can be time-consuming.

For large organizations, we recommend using data discovery tools that can scan databases, files, and other repositories, providing a detailed analysis of the types of data present and their locations. While this, in itself, is not foolproof, it can be a good starting point to create an inventory of the systems and the data captured by these systems. Once the inventory is ready, it can be mapped into the Atlas registry, either using APIs or file templates.

For smaller organizations, we recommend using our Atlas Registry templates, which can assist in defining systems, data, and the classification of data into specific categories. This categorization can then facilitate the formulation of policies and purposes. Consequently, it enables front-end applications to present the appropriate consent pages for obtaining consent.

Data Residency

Data residency refers to securing the data collected, processed, and stored in the best interest of the data principal so as not to allow data to be breached. This can take the form of various security measures, including data encryption, data vaults, access controls, and privileged access for the most sensitive data, among other methods.

While this has already been mandated as part of prevailing regulations such as the IT Act 2000 and various rules from regulatory bodies such as UIDAI, RBI, SEBI, TRAI and IRDAI, the DPDP law mandates that there are no lapses in the processes and that data storage, transfer and sharing are as per prevailing laws and in line with the consent received from the customer.

Data Registry

The data registry serves as the central processing unit of the DPDP law. It functions as the central console orchestrating the entire data protection lifecycle among the data principal, data fiduciary, and the data processor.

After completing the data discovery process, it is essential to define the systems, processes, and purpose for which personal data is collected by these systems.

Once the systems are defined, policies will need to be configured to ensure that the correct data attributes and their purpose for processing are defined by the data owners.

Once the policies are defined, consents need to be generated from the policy. Consent must be clear and unambiguous—free, specific, informed, unconditional, clear, and affirmative—and presented in the customer’s language of choice.

Registering all consents given by the data principal is crucial, serving as proof as mandated by the DPDP Act.

The Registry will ensure that the captured data will only be used and processed in accordance with the law for legitimate purposes and the explicit consent given by the customer.

The registry should then facilitate servicing customer requests and provide a workflow to handle customer grievances.

Atlas DPDP Registry Functions

A summary of Atlas Data Protection and its functions is given here:

  1. Registry – Where consent is recorded. Search for a customer record and view consent provided as Proof of Consent (essential for DPDP compliance)
  2. Policy – Register all systems/vendors and the data policy (data collection, processing, sharing etc) and their Purpose – essential for consent management compliance
  3. Consent – Build new consent layers automatically from policy templates – Consent designer with version control for current and future data capture
  4. Requests – View all of the changes made by customers – Auto Approve, Manual Approve (Ongoing) (essential for DPDP compliance)
  5. Grievances – Manage all DPDP complaints in one place with Workflow for assignment/completion and reporting
  6. Reports – A 360-degree view of customer data, consent %, compliance %, systems accessing data, complaints, redressals, reports for auditors etc
  7. Admin – User management, role management, logs etc
  8. APIs – APIs for integrating the Atlas Registry with internal and external data processors: register processing requests, check for consent permissions, invoke consent pages to the User, automate customer requests; reminders and alerts.


About

We are your friends at frslabs

FRSLABS is an award-winning research and development company specialising in customer onboarding, identity verification and fraud prevention solutions for businesses. Whether you are a big bank, insurance, telco or a small investment broker, we help you onboard and verify your customers with greater flexibility, compliance and reliability.

Built for you, not for investors

We do what is right for you (and only you) at scale. Nothing is off-limits for us when it comes to innovation, a culture best reflected in the array of patents we have filed. We want to be your trusted partner, to build the solutions you need, and to succeed when you succeed.

Priced for success

We are driven by our mission to touch a billion lives with our tools and are not beholden to venture capital or mindless competition. We therefore have the freedom to do the right thing, and price our products sensibly, keeping your success and our staff in mind. We succeed only when you succeed.

Supported by humans

Whatever it takes, we are here to help you succeed with our products and services. For a start, you get to talk to a human for help, not bots, to figure things out one-to-one. Whatever your needs, however trivial or complex they may seem, we have you covered.
