Grounded in consent, the new digital data privacy regime in India is epoch-making in several ways, the foremost of which is the consent mechanism. Situating the agency of the data principal as the key factor, all data processing can take place only with the specific consent of the data principal. Section 6 of the DPDP Act addresses Affirmative Consent, clearly indicating that consent must be precise, freely provided, informed, unconditional and unambiguous. This underpins all endeavours to collect and process data in line with the DPDP Act. This blog post explains the duties of a consent manager in India, as established under and governed by the Digital Personal Data Protection Act, 2023.
A new consent-based regime for a consent manager
Consent is fundamental to data processing. The law specifies that no data can be processed without the express and specific consent of the data principal. This means that consent once given for data processing for a specific purpose can be revoked at any point in time and cannot be extended to cover data processing for any other purpose. Data fiduciaries collect consent through a consent notice that is shown within forms, compliant consent banners and other media. These notices inform the user about all the purposes for which data processing shall be conducted.
Who is a consent manager in the DPDP Act?
To ensure compliance with these requirements, the DPDP Act establishes a mechanism in the form of a consent manager. According to the Act, a consent manager is…
“A person registered with the Data Protection Board of India who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.”
They are:
- Required to obtain registration from the Data Protection Board,
- Subject to technical, operational, financial, and other conditions as may be prescribed by law, and
- Accountable to data principals.
Their obligations are to be specified under the rules to be issued under the DPDP Act. The office of the consent manager is intended to create a fast and efficient means of ensuring that consent is specific, informed, unconditional, unambiguous, and inclusive of a clear affirmative action. This authority bridges a gap between the data fiduciary and the principal.
Consent managers support data fiduciaries by enabling easier compliance with statutory requirements, and data principals by offering them an efficient means to grant and manage their consent. Consent managers also support data principals with grievance redressal. In sum, they serve as single points of contact to enable a data principal to give, manage, review, and withdraw their consent with the support of an accessible, transparent, and usable platform. This makes the consent manager a facilitator and custodian of the data principal’s consent.
Effectively doing for data what a banker does for a customer’s money, consent managers hold a data principal’s consent in trust. They typically work through a consent manager software or technology interface. Should a data principal desire to withdraw, modify, or issue consent, they would typically route the action through a consent manager.
What does a consent manager do?
The DPDP Act requires consent managers to function as independent third parties. They are not involved in the actual processing of data but handle the consent for such data processing. This is intended to ensure that they invest in an unbiased approach to consent management and commit to maintaining trust and integrity in the process from start to finish.
The role and responsibilities of a consent manager begin with the securing of free, specific, informed, unconditional, and unambiguous consent from a data principal – which calls for clear and cogent communication on part of the consent manager, who must disclose the precise purpose for which data will be processed. Along with this, the consent manager must also ensure that the consent itself is obtained in line with the DPDP Act. The consent obtained will be evaluated for validity, obligations, and permissions, and this will decide how the data shall be processed in line with the law. Consent managers should also ensure that data fiduciaries are able to access the attributes of consent so provided, and are fully aware of the scope of consent – specifically, the purpose for which data processing may be performed.
Consent managers are also expected to record and manage all consents received – including the timing of securing consent, the method used to do so, and the period and purpose for which consent is provided. This also implies having a finger on the pulse for current and relevant permissions from a data principal in order for their data to be processed. They may also have to facilitate essential data rights and enable data principals to access, rectify, or delete their personal data, which will ensure that there is a modicum of control and transparency over personal data.
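As an added example (not code from the original post or from any consent-manager product), the minimal consent ledger below shows in Python what the recording duties above imply: every consent is bound to one specific purpose, stores when and how it was captured and for what period, can be withdrawn at any time, and is never deleted, so the history stays auditable. The class and function names and the sample principal and fiduciary ids are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ConsentRecord:
    principal_id: str
    fiduciary_id: str
    purpose: str           # the one specific purpose this consent covers
    method: str            # how it was captured, e.g. "consent_banner", "web_form"
    granted_at: datetime
    valid_until: datetime  # end of the period the principal agreed to
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Hypothetical consent-manager store, keyed by (principal, fiduciary, purpose).
    Records are never deleted, only marked withdrawn, so the history stays auditable."""
    def __init__(self) -> None:
        self.records = {}  # (principal_id, fiduciary_id, purpose) -> [ConsentRecord]
    def grant(self, principal_id, fiduciary_id, purpose, method, at, period) -> ConsentRecord:
        rec = ConsentRecord(principal_id, fiduciary_id, purpose, method, at, at + period)
        self.records.setdefault((principal_id, fiduciary_id, purpose), []).append(rec)
        return rec
    def withdraw(self, principal_id, fiduciary_id, purpose, at) -> int:
        """Revoke every live consent for this key; returns how many were revoked."""
        live = [r for r in self.records.get((principal_id, fiduciary_id, purpose), [])
                if r.withdrawn_at is None]
        for r in live:
            r.withdrawn_at = at
        return len(live)
    def may_process(self, principal_id, fiduciary_id, purpose, at) -> bool:
        """True only if consent for exactly this purpose was live at `at`: consent never
        extends to another purpose, and expiry or withdrawal ends it only from that moment."""
        return any(r.granted_at <= at < r.valid_until
                   and (r.withdrawn_at is None or at < r.withdrawn_at)
                   for r in self.records.get((principal_id, fiduciary_id, purpose), []))

def sample_scenario() -> dict:
    """Constructed walk-through: two purposes, one withdrawn early, one left to expire."""
    led, t0, d = ConsentLedger(), datetime(2025, 1, 1), timedelta
    led.grant("dp-1", "shop", "order_fulfilment", "consent_banner", t0, d(days=365))
    led.grant("dp-1", "shop", "marketing", "web_form", t0, d(days=30))
    withdrawn = led.withdraw("dp-1", "shop", "order_fulfilment", t0 + d(days=10))
    return {"withdrawn": withdrawn,
            "order_day1": led.may_process("dp-1", "shop", "order_fulfilment", t0 + d(days=1)),
            "order_day11": led.may_process("dp-1", "shop", "order_fulfilment", t0 + d(days=11)),
            "order_day5_retro": led.may_process("dp-1", "shop", "order_fulfilment", t0 + d(days=5)),
            "marketing_day20": led.may_process("dp-1", "shop", "marketing", t0 + d(days=20)),
            "marketing_day40": led.may_process("dp-1", "shop", "marketing", t0 + d(days=40)),
            "unconsented_purpose": led.may_process("dp-1", "shop", "profiling", t0 + d(days=1))}
```

The `order_day5_retro` check shows that withdrawal ends consent going forward without making processing done while it was live unlawful, and `unconsented_purpose` shows that consent for one purpose never authorises another.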
How can a consent manager conduct a gap analysis?
To effectively align your organization with the Digital Personal Data Protection (DPDP) Act, it’s essential to conduct a detailed gap analysis. This entails evaluating your current data practices against the prescribed standards and identifying areas for enhancement. Here’s a more in-depth approach to addressing these gaps:
1. Map Your Personal Data Journey
Begin by thoroughly mapping all the touch points where personal data is collected, processed, stored, or shared. This involves documenting each step of the data journey to gain a clear understanding of how information flows through your organization. Identifying these processes helps highlight potential vulnerabilities and ensures compliance at every stage of the data lifecycle.
2. Review and Update Privacy Policies
Reassess your organization’s privacy policies and user agreements to ensure they meet DPDP standards. These documents should not only be comprehensive but also written in clear, accessible language. They need to specify the nature of data collected, the purpose behind it, and how it is processed, stored, and shared. Policies should be regularly reviewed to reflect changes in data processing activities or legal updates.
3. Enhance Your Data Minimization Framework
Data minimization is a key principle under the DPDP Act, requiring businesses to limit the amount of data they collect to what is strictly necessary for the intended purpose. Reevaluate your data collection practices to ensure you’re only capturing what’s essential, thus reducing the risk of over-collection. Streamlining customer data inputs helps improve efficiency while ensuring compliance.
4. Develop a Robust Incident Response Strategy
Prepare for potential data breaches by crafting a strong incident response plan. This should include clear procedures for identifying, reporting, and managing data breaches swiftly and effectively. Regularly test your security systems and gateways to ensure they are resilient against unauthorized access or cyberattacks. This proactive approach helps mitigate damage in the event of a security lapse.
5. Train Employees on DPDP Compliance
Foster a culture of compliance by implementing regular and comprehensive training programs for employees at all levels. These sessions should cover the core tenets of the DPDP Act, ensuring that employees understand their responsibilities when handling personal data. Training should be ongoing to keep staff updated on new regulations or organizational policies.
6. Document and Review Data Processing Activities
Maintain detailed documentation of all data processing activities within your organization. This includes not only recording how and why data is processed but also reviewing this information regularly to ensure it aligns with the stated purposes. Regular evaluations can help pinpoint inefficiencies or unnecessary data handling, allowing you to streamline operations while remaining compliant with the DPDP Act.
DPDP-compliant notices consent managers should know about
A. Notice to Seek Consent
Under the DPDP Act 2023, the “Notice to Seek Consent” is a key part of the consent management framework. It is designed to ensure that individuals (data principals) are fully informed before their personal data is collected or processed. This notice must be provided in an electronic format that is independent, easy to understand, and can be saved by the data principal for future reference.
The notice must clearly outline the personal data being collected, specify the reasons for processing the data, and confirm that only the necessary data will be used for these stated purposes. It should also mention how long the data will be retained and processed. Furthermore, the data principal must be informed of their rights, including the right to withdraw consent at any point. The notice should include straightforward instructions on how to exercise these rights or file a grievance. This ensures transparency, allowing data principals to make well-informed choices about their personal data, thus building trust between the individual and the organization (data fiduciary).
B. Notice of Processing Done
The “Notice of Processing Done” is another requirement under the DPDP Act 2023, applicable when a data principal has already given consent for data processing before the Act came into effect.
This notice, which must be issued by the data fiduciary as soon as possible, should follow the same format as the “Notice to Seek Consent.” It must be clear, independent, and easy to comprehend. The notice should provide important details that help the data principal understand their rights under the new law. Additionally, it should explain how the prior processing of their data has contributed to the provision of goods or services. This type of notice is essential for keeping individuals informed about how their data has been used in the past, even before the Act was enacted, and ensures they can still exercise their rights regarding this prior data processing.
What is a consent banner?
A consent banner or a cookie consent banner is a notification that asks a user’s permission for collecting and storing cookies on their device. These banners appear when a website is loading and give the user an option to either ‘accept’ or ‘reject’ or select certain preferences that are mentioned within the banner. This helps a consent manager and Data Protection Officers (DPOs) keep the entire consent collection process under control and stay DPDPA-compliant.
How to set up a compliant consent banner?
Companies can create compliant consent banners by using a Consent Management Platform (CMP). This platform will help with collecting, managing and storing user consent and defining cookie categories (e.g., necessary, analytics, marketing). You can then install the CMP’s code snippet on your website, and customize the banner’s text, design, and consent options.
FAQs
1. Who is a consent manager?
A consent manager is a person registered with the Board who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.
2. Why is a consent manager important?
The office of the consent manager is intended to create a fast and efficient means of ensuring that consent is specific, informed, unconditional, unambiguous, and inclusive of clear affirmative action. This authority bridges a gap between the data fiduciary and the principal.
3. What roles does a consent manager play?
Under the DPDP Act, a consent manager handles (a) registration of consents and compliance with the DPDP Act in relation to obtaining and recording consent, (b) collecting and managing consents provided through granular details, (c) ensuring transparency and accountability in relation to data processing practices, and offering data principals access to their consent as well as the freedom to edit, update, or withdraw their consent at any point in time, and (d) implementing grievance redressal mechanisms to ensure that all concerns raised by data principals are appropriately addressed in line with the law.
4. How does a consent manager support a data principal?
Consent managers support data principals by offering them an efficient means to grant and manage their consent, and by assisting with grievance redressal. In sum, they serve as single points of contact to enable a data principal to give, manage, review, and withdraw their consent with the support of an accessible, transparent, and usable platform. This makes the consent manager a facilitator and custodian of the data principal’s consent.
Effectively doing for data what a banker does for a customer’s money, consent managers hold a data principal’s consent in trust. They typically work through a technology interface. Should a data principal desire to withdraw, modify, or issue consent, they would typically route the action through a consent manager.
5. How does a consent manager support a data fiduciary?
Consent managers support data fiduciaries by enabling easier compliance with statutory requirements, since the data fiduciary can access the attributes and scope of each consent so provided and process data strictly within that scope.