Understanding Consent Management under the DPDP Act

After several years of debate and consultation, the Personal Data Protection (PDP) Bill in India was finally enacted as the Digital Personal Data Protection Act (DPDP) in August 2023.

The genesis of the DPDP Act can be traced back to the landmark 2017 Supreme Court case of Justice K.S. Puttaswamy v. Union of India, which recognised the “right to privacy” as one of the fundamental rights of Indian citizens guaranteed by the Constitution of India.

Specifically created to safeguard the digital personal data of Indian citizens, the DPDP Act places special emphasis on the role of explicit consumer consent in the processing of their personal data.

The Mandatory Role of Explicit Consumer Consent

Section 6 of the DPDP Act deals exclusively with the process that organisations collecting and processing consumers’ personal data (referred to as ‘Data Fiduciaries’) must follow when capturing and processing the digital personal data of the customer (referred to as the ‘Data Principal’) in accordance with the consent given.

This section asserts that “The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.”

Here are some key points of this section:

1. Consent as the Primary Basis for Processing

The DPDP Act requires Data Fiduciaries to obtain the free, specific, informed, unconditional, and unambiguous consent of the Data Principal before processing their Digital Personal data.

2. Granular and Explicit Consent

Consent must be obtained for each specified purpose of data processing, and the consent should be limited to only the personal data necessary for that specific purpose.

3. Ease of Withdrawal

Data Principals have the right to withdraw (revoke) their consent at any time, with the process for withdrawal being as easy as the process for giving consent.

4. Consent for Minors

For processing the personal data of children under 18 years, the DPDP Act mandates obtaining verifiable consent from the child’s parent or guardian.

5. Prohibition on Certain Processing of Children’s Data

The DPDP Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children, even with parental consent.

6. Consent Manager and Consent Management Platforms

The DPDP Act recognises the role of consent managers and consent management platforms in enabling organisations to obtain and manage consent from Data Principals effectively and permits them to process the underlying data only in accordance with the same.

In a nutshell, the DPDP Act places the Data Principal’s consent at the centre of personal data processing, in line with global data privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and the United States’ California Consumer Protection Act (CCPA).

DPDP Act Compliance With ECS’s Consent and Data Management Solution (CDMS)

ECS’s CDMS is an integrated suite of consent and data management modules that provides a cohesive framework for complying with the DPDP Act’s stringent mandates.

1. Consent Management Module

The ECS Consent Management module captures, stores, and manages the consents of Data Principals (consumers) as mandated by the DPDP Act.

  • Consent Capture & Logging: Supports capturing, logging, and storing the consumer’s consent along with the consent expiry date as chosen by the consumer (Data Principal).
  • Seamless Integration with Frontend Apps: Supports integration with frontend interfaces (e.g., Mobile App, Website) of the Data Fiduciaries and facilitates instant consent capture directly from consumers.
  • Auto-Generated Consent Notice: Automatically generates consumers’ digital consent notices detailing the purpose of data usage and is capable of capturing the customer’s eSignature on the notice before sending it to the customer.
  • Ease of Consent Withdrawal: Enables easy revocation or modification of the consumer’s consent through legitimate and secure mechanisms like OTP or eSign.
  • Unique Consent ID and Data Reference ID: Generates a unique Consent ID and Data Reference ID for each element of the digital personal data.
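The consent rules summarised from Section 6 above (consent as the basis for processing, per-purpose granularity limited to the necessary data elements, expiry chosen by the Data Principal, and withdrawal as easy as grant) can be made concrete as a small consent registry. The following is an added illustration written for this article; it is not ECS CDMS code, and the record layout, the `CNS-`/`DR-` identifier scheme, the reason strings and the audit-log format are assumptions. Every processing attempt is checked against the consent record and logged, so a withdrawn, expired or off-purpose use is denied rather than silently allowed.

```python
"""Added example (not ECS CDMS code): a minimal consent registry that enforces
the Section 6 consent rules before any personal data element is processed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple
from uuid import uuid4


@dataclass
class ConsentRecord:
    consent_id: str                   # assumed scheme: "CNS-<random>"
    principal_id: str                 # the Data Principal this consent belongs to
    purpose: str                      # the single specified purpose consented to
    data_reference_ids: FrozenSet[str]  # only the data elements needed for that purpose
    granted_at: datetime
    expires_at: Optional[datetime]    # expiry chosen by the Data Principal, or None
    withdrawn_at: Optional[datetime] = None


class ConsentRegistry:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self.audit_log: List[Tuple[str, str, str, str]] = []  # (event, consent_id, detail, time)

    def _log(self, event: str, consent_id: str, detail: str, now: datetime) -> None:
        self.audit_log.append((event, consent_id, detail, now.isoformat()))

    def grant(self, principal_id: str, purpose: str, data_reference_ids, expires_at=None,
              now: Optional[datetime] = None) -> str:
        """Record a free, specific consent for one purpose and the data it needs."""
        now = now or datetime.now(timezone.utc)
        rec = ConsentRecord(
            consent_id="CNS-" + uuid4().hex[:12],
            principal_id=principal_id,
            purpose=purpose,
            data_reference_ids=frozenset(data_reference_ids),
            granted_at=now,
            expires_at=expires_at,
        )
        self._records[rec.consent_id] = rec
        self._log("GRANT", rec.consent_id, purpose, now)
        return rec.consent_id

    def withdraw(self, consent_id: str, now: Optional[datetime] = None) -> bool:
        """Withdrawal is a single call with no extra conditions, mirroring
        the 'as easy as giving consent' requirement."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(consent_id)
        if rec is None:
            return False
        if rec.withdrawn_at is None:
            rec.withdrawn_at = now
            self._log("WITHDRAW", consent_id, rec.purpose, now)
        return True

    def is_valid(self, consent_id: str, purpose: str, data_reference_id: str,
                 now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Return (allowed, reason) for using one data element for one purpose."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(consent_id)
        if rec is None:
            return False, "unknown consent id"
        if rec.withdrawn_at is not None and now >= rec.withdrawn_at:
            return False, "withdrawn"
        if rec.expires_at is not None and now >= rec.expires_at:
            return False, "expired"
        if rec.purpose != purpose:
            return False, "purpose mismatch"
        if data_reference_id not in rec.data_reference_ids:
            return False, "data element not covered"
        return True, "ok"

    def process(self, consent_id: str, purpose: str, data_reference_id: str,
                action: Callable[[str], object], now: Optional[datetime] = None):
        """Gate a processing action on a valid consent and log the decision either way."""
        now = now or datetime.now(timezone.utc)
        ok, reason = self.is_valid(consent_id, purpose, data_reference_id, now)
        self._log("ALLOW" if ok else "DENY", consent_id, f"{purpose}/{data_reference_id}:{reason}", now)
        if not ok:
            raise PermissionError(f"processing refused: {reason}")
        return action(data_reference_id)


def demo() -> List[Tuple[str, str, str, str]]:
    """Constructed walk-through: grant, use, off-purpose attempt, withdraw, retry."""
    reg = ConsentRegistry()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cid = reg.grant("DP-0001", "loan-kyc", {"DR-pan", "DR-address"},
                    expires_at=t0 + timedelta(days=30), now=t0)
    reg.process(cid, "loan-kyc", "DR-pan", lambda ref: f"read {ref}", now=t0)
    try:
        reg.process(cid, "marketing", "DR-pan", lambda ref: f"read {ref}", now=t0)
    except PermissionError:
        pass
    reg.withdraw(cid, now=t0 + timedelta(days=1))
    try:
        reg.process(cid, "loan-kyc", "DR-pan", lambda ref: f"read {ref}", now=t0 + timedelta(days=2))
    except PermissionError:
        pass
    return reg.audit_log
```

The `audit_log` is what a Data Protection Officer would review: every decision carries the consent ID, the purpose and data element requested, and the reason for denial, so off-purpose use and post-withdrawal access attempts are visible rather than hidden. Timestamps are passed explicitly to keep the checks deterministic; a deployment would use the current time.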

2. Data Encryption Module

This optional module secures consumers’ digital personal data through:

  • Real-Time Encryption: Leverages industry-leading Hardware Security Modules (HSMs) to encrypt consumers’ digital personal data through HSM keys or public-private key pairs.
  • Restricted Access: Ensures that the consumers’ encrypted personal data is accessible only to authorised applications for cohesive data confidentiality and integrity.

3. Data Storage Module

Data Fiduciaries can opt to use the Data Storage module which is designed to securely store consumers’ encrypted digital personal data.

  • Mapped Storage: Stores the combination of Data Reference IDs, consent IDs and encrypted data in secure databases.
  • Adherence to Storage Best Practices: Ensures that data storage practices adhere to DPDP Act requirements, maintaining data security throughout its end-to-end lifecycle.

4. Data/Info Sharing Module

Enables the sharing of personal data with external entities as allowed under the DPDP Act’s guidelines.

  • Integrated Data Sharing: Facilitates real-time exchange of consumers’ digital personal data with external Data Fiduciaries and processors based on the consumer’s explicit consent.
  • Transaction Logging: Ensures end-to-end traceability and accountability by storing access logs for all data-sharing transactions.

5. Grievance Module

Provides an interface to efficiently handle consumer complaints and all issues related to the processing of their personal data.

  • Capture Grievances: Captures grievances raised by the consumer and presents them to the Data Fiduciary’s internal team (Consent Manager / Data Protection Officer) for fast redressal.
  • Integration with Front-End Apps: Allows consumers to raise grievances through multiple channels, facilitating easy accessibility.
  • Redressal Tracking: Provides a single-window interface for displaying the status of all grievances, ensuring transparency in the redressal process.

6. Module for Data Protection Officer

Specifically designed to meet the complex operational needs of Data Protection Officers (DPOs).

  • Unified Dashboard: Displays details of all grievances, consent logs, and data-sharing activities.
  • Integrated with E-Office of DPDP Board: The DPDP Board (reporting to the Ministry of Electronics and Information Technology – MeitY) shall function as the regulator for the data protection ecosystem. The DPDP Board is in the process of setting up an e-Office for managing customer grievances. The ECS CDMS platform shall be integrated with this e-Office to facilitate the exchange of information on a real-time basis.
  • Integrated with Internal Systems: Seamless integration with internal platform modules and APIs of external services to share required information with consumers.

7. Management Information System (MIS) Module

The MIS Module serves as an intuitive dashboard for the internal and external stakeholders of Data Fiduciaries and Processors.

  • Instant Information Retrieval: Displays details of data capture, sharing transactions, consent logs, and more.
  • Real-time Status Updates: Provides real-time updates on the status of data processing activities and grievances.

Summing Up

The DPDP Act places significant emphasis on consumer consent and data security, aligning with global data privacy standards.

ECS’s Consent and Data Management Solution (CDMS) offers a comprehensive, integrated platform to help organisations meet these stringent requirements by streamlining consent management, data protection, and timely grievance redressal.

To learn more, please feel free to reach our colleague Amit Joshi on 9820875525 / 7208155528 or email him at amit@eastcs.com.
