DPDP Consent Management for Indian Fiduciaries

One of the crucial parts of the DPDP Act is the DPDP Consent Management. The law mandates explicit consent to be obtained from the end user before attempting to process their data. Without consent, no data processing is allowed beyond certain legitimate usage, such as enabling the opening of a bank account. It’s as simple as that.

DPDP Consent Management

The law states that every request made to the Data Principal must comprise a DPDP consent with the following details:

1. The personal data being collected and the purpose for which it is collected; this covers data that is collected, processed, shared, stored, and sold to third parties.

2. Users must be informed about how they can exercise their rights under the law to ensure that organizations collecting data do not process it beyond its intended purpose. Users should also have the option to update their previously provided preferences.

3. Additionally, users should be informed about how they may file a complaint if they find that the organization has exceeded the DPDP consent mandate provided to them.

Just as an illustration: X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening a bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with a notice to X, describing the personal data and the purpose of its processing.

If you would like to see how this works in real life, please book a demo so we can show you our all-in-one Video KYC and DPDP Consent Management dashboard. This demo will display a consent notice to the customer before starting the Video KYC process.

There is one other crucial task for organizations regarding DPDP consent management. Notices must be issued to customers who provided their consent before this Act came into force. This means the organization should issue the following notice:

A notice confirming the personal data that has already been collected and the purpose for which the data has been processed. Additionally, the organization (Data Fiduciary) must provide an option to access the contents of the notice—this includes the data collected, processed, shared, stored, and sold—along with the full purpose for which the data is being used. Customers should also be given the option to modify the DPDP consent they provided earlier.

The notice must also describe the manner in which the user can exercise their rights under the law, so that organizations collecting data do not process it beyond its intended purpose. Users should have the option to make changes to their previously provided preferences. Additionally, users must be informed about how they can file a complaint if they find that the organization has exceeded the DPDP consent mandate provided to them.

An important note that often gets overlooked in the Act is that once the notice has been issued, the Data Fiduciary can continue to process the data until the customer withdraws their DPDP consent. This does not mean that the Data Fiduciary can use the data beyond the purpose for which it was collected, but it does provide some leeway to continue processing customer data for lawful purposes.

What should the DPDP consent look like?

As per Section 6(1), the DPDP consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

There are quite a number of terms to unpack from the above statement. One is that the consent can no longer be hidden in a link with an express tick box. Instead, it has to be detailed and should cover the whole gamut of the purpose for which the data is collected in the first place.

The second is that the consent shall signify an agreement. This is subject to debate at the moment, as the law does not clearly state what signifies an agreement. For instance, should there be a signed agreement between the Principal and Fiduciary on presenting the DPDP consent, or is a detailed description of the consent together with an option for the customer to accept it sufficient? Most fiduciaries may take the OTP route, affirming the customer’s acceptance of the DPDP consent with a mobile OTP. But this adds cost and an additional layer of friction.

The third is the purpose for which the data is collected. First, the data collected should be minimal to fulfill the purpose. Anything beyond is essentially considered null and void. For instance, if a customer downloads an app to order groceries and provides their name, phone, and address, that in itself will be sufficient for the organization to accept an order and deliver the goods. If, however, the app takes DPDP consent for reading SMS messages and phone contacts, which are not needed for making the delivery (specified purpose), such DPDP consent obtained will now be limited to just the delivery, and the additional consent taken is considered a violation.

Where the customer has given their consent, they have the right to withdraw that consent at any time. This again forms a crucial part of the law: every system processing customer data must ensure that DPDP consent is available before it processes that data.

As per Section 6(6): If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.

As per Section 6(10): Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.

Therefore, it is incumbent upon the Data Fiduciary to ensure that a notice is served and proof of DPDP consent is obtained before processing the data. At frslabs, we provide a full-featured Atlas DPDP solution that addresses the needs of DPDP Consent Management. Furthermore, the Atlas DPDP solution covers data discovery, system and data mapping, policies and purposes, consent management, requests and grievances. Please book a demo today so we can walk you through the features and how they can complement your Data Protection strategy.

Putting it together

The Data Fiduciary may use a consent artifact for the purpose of giving the notice to seek consent. This would mean that the Data Fiduciary can use a predefined, structured format (the consent artifact) to provide the necessary information to individuals about data processing activities.

This artifact ensures that the notice is clear, consistent, and contains all the required information as per legal requirements.

By using a consent artifact, the Data Fiduciary can effectively demonstrate that they have sought and obtained informed consent from the individual for processing their personal data.

Practical Implementation

Creating a Consent Artifact:

The Data Fiduciary prepares a document or digital record that outlines the details of data processing activities, including purposes, data categories, data sharing practices, and individual rights.

This document is presented to the individual in a clear and understandable manner.

Seeking Consent:

The Data Fiduciary provides the notice (in the form of the consent artifact) to the individual before collecting their data.

The individual reviews the notice and gives their consent, usually by signing the document or clicking an agreement button if it’s digital.

Storing the Consent Artifact:

The consent artifact is stored securely as a record that the individual has been informed and has agreed to the data processing terms.

This artifact can be referenced in the future to prove compliance with data protection regulations.
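As an added illustration of the three steps above and of the consent check each processing system must pass before touching data (with withdrawal under Section 6(6) and proof of notice and consent under Section 6(10)), here is a minimal Python consent ledger. It is not frslabs code and not an Atlas API; the purpose and category labels, the principal ids, the notice fields and the SHA-256 chaining are all assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example: an append-only, SHA-256 chained consent ledger. Each consent
# artifact and each withdrawal is one entry, so the fiduciary can later produce
# the record as proof of what notice was given and what was agreed (Sec. 6(10)).
GENESIS = "0" * 64

def _append(ledger, record):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    record = dict(record, at=datetime.now(timezone.utc).isoformat())
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    ledger.append({"record": record, "prev": prev, "hash": digest})
    return digest

def record_consent(ledger, principal, purpose, categories, notice):
    """Consent artifact: the specified purpose, the data categories it covers,
    and the notice content (rights and grievance route) the principal accepted."""
    return _append(ledger, {"event": "consent", "principal": principal,
                            "purpose": purpose, "categories": sorted(categories),
                            "notice": notice})

def withdraw_consent(ledger, principal, purpose):
    """Section 6(6): once recorded, later checks for this purpose must fail."""
    return _append(ledger, {"event": "withdraw", "principal": principal,
                            "purpose": purpose})

def check_consent(ledger, principal, purpose, category):
    """Gate called before processing one data item: True only for the specified
    purpose, a category named in the artifact, and no later withdrawal."""
    allowed = False
    for entry in ledger:
        rec = entry["record"]
        if rec["principal"] == principal and rec["purpose"] == purpose:
            allowed = rec["event"] == "consent" and category in rec["categories"]
    return allowed

def verify_chain(ledger):
    """Recompute every hash; False means the stored proof was altered."""
    prev = GENESIS
    for entry in ledger:
        body = json.dumps(entry["record"], sort_keys=True)
        if entry["prev"] != prev or entry["hash"] != hashlib.sha256(
                (prev + body).encode()).hexdigest():
            return False
        prev = entry["hash"]
    return True
```

A request for a category the artifact never named (the SMS and contacts case above) or for a purpose other than the one specified is refused, and a withdrawal recorded later flips an earlier grant to refused.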


Here’s a full list of our Atlas DPDP Registry features:

  • Data Discovery – Use our semi-automated process to identify data sources, classify and categorise your data, and build the policies and purposes needed to adhere to the law.
  • Reference Data – Build reference data to categorise and classify personal data. Include reference data for purposes and frequency to apply processing uniformity across all your systems.
  • Systems – Manage systems by registering them in the Atlas registry. Systems are classified as Primary (those that collect personal data) and Secondary (those that process and store personal data).
  • Data Mapping – Data mapping forms the bedrock of compliance. With the data maps, you will have full visibility of your systems collecting, processing and sharing data with other systems and their purpose and frequency.
  • Policies – Policies refer to the reason why the personal data exists in an organisation. A policy defines the data that is collected, processed, shared, stored or sold to third parties.
  • Purposes – Purposes define the reasons for collecting personal data from data principals. The purposes can be categorised into necessary and optional functions. Only with consent can the data fiduciary process data collected from data principals.
  • Consent Design – Automatically generate the consent pages based on the systems and policies. The consent pages can be customised and generated in 10 Indian languages.
  • Consent Management – Record all of the customer consents in one central place with all of the audit details needed for DPDP compliance. Consents can be initiated right at the point of data collection with simple APIs or no-code links.
  • Consent Search – Where consent is recorded, search for a customer record and view consent provided as Proof of Consent (essential for DPDP compliance).
  • Consent Checks – Ensure that every system intending to process personal data is approved in the registry and invokes the APIs for consent checks prior to processing data.
  • Notices Design – Design notices that can be sent out to customers who have previously provided their consents so they can view how their data is processed and provide informed consent to continue to process data.
  • Notices Management – Manage all of the notices issued to customers from the dashboard. The
  • Processing Logs – Ensure that every system processing data logs the details before processing. The system registry and consent checks will verify compliance or raise a flag for policy violation.
  • Customer Requests – Review all changes requested by customers—automate requests using a set of rules or assign them to system owners for completion. Ensure the system sends notifications of progress throughout the process.
  • Design Forms – Enable requests and grievances through a standard form. The forms can be invoked through an API or provided as a link in your website or as QR codes to allow people to complete the form across multiple channels.
  • Customer Grievances – Manage all DPDP complaints in one place with a workflow for assignment/completion and reporting. This will, in future, include APIs that connect to the central data protection board for periodic reporting of grievances received and serviced by the organisation.
  • Reports – A 360-degree view of customer data, consent %, compliance %, systems accessing data, complaints, redressals, reports for auditors, etc.
  • Admin – Org management, user management, role management, logs, etc.
  • APIs – APIs for integrating the Atlas Registry with internal and external data processors: register processing requests, check for consent permissions, invoke consent pages for the user, automate customer requests, reminders and alerts. There are over 100 APIs that help in orchestrating DPDP compliance within your organisation.

Talk to a DPDP Consent Management expert today


About

We are your friends at frslabs

FRSLABS is an award-winning research and development company specialising in customer onboarding, identity verification and fraud prevention solutions for businesses. Whether you are a big bank, insurance, telco or a small investment broker, we help you onboard and verify your customers with greater flexibility, compliance and reliability.

Built for you, not for investors

We do what is right for you (and only you) at scale. Nothing is off-limits for us when it comes to innovation, a culture best reflected in the array of patents we have filed. We want to be your trusted partner, to build the solutions you need, and to succeed when you succeed.

Priced for success

We are driven by our mission to touch a billion lives with our tools and not beholden by venture capital or mindless competition. We therefore have the freedom to do the right thing, and price our products sensibly, keeping your success and our staff in mind. We succeed only when you succeed.

Supported by humans

Whatever it takes, we are here to help you succeed with our products and services. For a start, you get to talk to a human for help, not bots, to figure things out one-to-one. Whatever your needs, however trivial or complex it may seem, we have you covered.
