Turn data protection compliance
into competitive advantage.

The Digital Personal Data Protection (DPDP) Act states the need for lawful processing versus the right to protect personal data. Personal data of prospects, customers, employees, partners and suppliers will need to be collected with clear and plain consent and processed only for the purpose stated.

Indian Data Protection

Complying with DPDP Act 2023 is now a breeze. We have done the heavy lifting, so you can remain compliant. You can log in to our dashboard and get started with your data protection compliance in minutes. You can complete discovery surveys; create consent pages; register systems collecting personal data; and enable data registry through simple APIs across all your touchpoints collecting personal data.

Steps to comply with Indian DPDP law?

You can start your data protection compliance with simple steps. The Atlas DPDP solution will guide you through discovery, consent management, handling processing activities, requests, and grievances, all in a single unified dashboard.

1. Discovery ‐ Use our semi-automated process to identify data sources, classify and categorise your data, and build the policies and purposes to adhere to the law.
2. Policy and Purpose ‐ Following the Discovery phase, register all systems/vendors and the data policy (data collection, processing, sharing etc) and their Purpose in the Atlas registry.
3. Design Consent ‐ Automatically generate the consent pages based on the systems and policies. The consent pages can be customised and generated in 10 Indian languages.
4. Consent Manager ‐ Record all of the customer consents in one central place with all of the audit details needed for DPDP compliance.
5. Consent Initiation ‐ Initiate consents for any system and any version right from your data collection systems with simple APIs or no-code links.
6. Consent Search ‐ Search for a customer record and view consent provided as Proof of Consent ‐ an essential compliance requirement.
7. Consent Checks ‐ Ensure that every system intending to process personal data is approved in the registry and invokes the APIs for consent checks prior to processing data.
8. Processing Activities ‐ Ensure that every system processing data logs the details before processing, or raise red flags for non-compliance.
9. Customer Requests ‐ Review all changes requested by customers; automate requests using a set of rules or assign them to system owners for completion.
10. Customer Request Forms ‐ Enable standard customer request forms that can be handled centrally within the Atlas Registry.
11. Customer Grievances ‐ Manage all DPDP grievances in one place with workflow for assignment/completion and reporting.
12. Reports ‐ A 360-degree view of customer data, consent %, compliance %, systems accessing data, complaints, redressals, reports for auditors etc.
13. Admin ‐ Org management, user management, role management, logs, general settings and more to have more control over your data.
14. APIs ‐ APIs for integrating the Atlas Registry with internal and external data processors: register processing requests, check for consent permissions, invoke consent pages to the User, automate customer requests, reminders and alerts.

Key Concepts of Indian DPDP Act

Some core concepts and their descriptions are provided for greater understanding of the DPDP law.

  • Data Principal ‐ This refers to the person who owns and shares personal data with others such as a Bank for opening a Bank Account.
  • Data Fiduciary ‐ This refers to the organisation (any organisation of any size) that receives personal information from Data Principals digitally to process and provide the required products or services.
  • Data Processor ‐ This refers to organisations that are appointed by Data Fiduciaries to help with processing the data. For instance, capturing and verifying customers prior to onboarding them.
  • Consent ‐ This refers to a transparent notice of the data collected, processed, shared, stored and sold by Data Fiduciaries. Consents are usually taken at the point of onboarding a customer or immediately thereafter in cases where physical forms are digitised later.
  • Consent Manager ‐ Record all of the customer consents in one central place with all of the audit details needed for DPDP compliance. Note that this can also be served through registered Consent Managers who act on behalf of the Data Principals.
  • Notice ‐ Notices are a way to inform a customer of the data that has already been collected, processed and stored and allow the customer to make changes to preferences if any. Note that consent and notices can be used interchangeably depending on the point at which consents are presented to the Data Principal.
  • Purpose ‐ Purpose refers to the reason for collecting and processing the data, as explained in the consent or notice given by the Data Fiduciary to the Data Principal. A purpose should be clear and specific so the Data Principal can view and consent to processing unambiguously.
  • Request ‐ Refers to the request for changes, corrections, erasure or change of preferences to consents provided by Data Principals.
  • Grievance ‐ Refers to the complaints raised by Data Principals to Data Fiduciaries to make corrective actions with respect to handling their personal data.
  • Processing Logs ‐ These are logs of systems processing data for the said purpose. Data principals have the right to request processing logs at any time to understand how their data is processed by fiduciaries.

Key Features of Atlas DPDP Solution

  • Data Discovery ‐ Discover your system inventory, scan and classify data, report and remediate for DPDP compliance.
  • System Maps ‐ Visualise how data flows within your systems and how data is shared between systems.
  • Policy Manager ‐ Apply policies to ensure that the data collected, processed and shared is in accordance with DPDP law.
  • Purpose Manager ‐ Ensure data collected is adequate, relevant and usage is not excessive for those purposes.
  • Consent Manager ‐ Design and build multilingual consent that is clear and affirmative, stating its purpose and its use.
  • Custom Design ‐ Design your consents, notices, forms, requests and surveys using our no-code dashboard.
  • Requests and Grievances ‐ Automate customer requests and grievances through a simple workflow and notification engine.
  • Processing Activities ‐ Automated requests for processing activities that are aligned with the rights of data principals.
  • DPDP Console ‐ A central registry to manage all of your DPDP compliance activities in a single unified console.

Discover Data

Discovery of what you have is the first step towards your DPDP compliance. We help you with a semi-automated process to identify core systems, profile and classify personal data, apply policy models and define the purpose for which the data is collected.

Register Systems

Register your systems and data protection policy, encompassing data collection, processing, purpose, transfer, and storage across internal and external systems. Ensure that every system requiring access has sufficient privileges and processes data in accordance with customer consent.

Multilingual Consent

Enable transparent and clear customer consent for data processing as per DPDP law. Ensure users understand and agree to how their data will be collected, processed, shared and stored across your systems. Configure multilingual consent pages automatically (to be available in 9 Indian languages) to build trust with your customers.

Consent Management

Provide consent notices to your customers across all touchpoints using our no-code dashboard. Allow customers to view and provide their consent in the language of their choice. Once the consent is submitted, it is stored within the central consent management dashboard.

Custom Design

Design and customise your consents, notices, request forms, and survey assessments using our easy-to-use no-code dashboard. Use a template and customize the details to meet your exact DPDP needs. It's that simple.

Processing Activities

Log every processing activity undertaken on a customer record. This will ensure that your organization complies with data processing limits and that data is processed only for the purposes for which consent was granted.

Requests Workflow

Empower customers to modify their data processing preferences across all your channels (Web, Mobile, Branch) through simple APIs or no-code Dashboard. Seamlessly process change requests ensuring swift updates to how customer data is handled.

Address Grievances

Allow customers to submit and track their grievances. Use our standard pre-built forms for collecting grievances and sending notifications. You can assign system owners to address and resolve grievances on time to remain fully compliant with DPDP law.

The Seven Principles of Indian DPDP Act 2023

Personal Data must be

1. Processed fairly, lawfully and in accordance with the DPDP Act.
2. Obtained with clear and plain consent stating its purpose and its use.
3. Adequate, relevant and not excessive in usage for those purposes.
4. Complete, accurate, consistent and, where relevant, kept up-to-date.
5. Kept for no longer than is necessary for the purposes it is being processed.
6. Processed in line with the rights of individuals and periodically audited to ensure compliance.
7. Secured against accidental disclosure, loss, destruction, unauthorised or unlawful processing.

The five forces of DPDP Solution

  • Data Principal ‐ The data principal reviews and provides informed consent for sharing and processing data. The data principal can also request changes to their personal data and raise complaints about violations in the processing of their personal data by data fiduciaries.
  • Data Fiduciary ‐ The fiduciary is ultimately responsible for protecting the personal data and processing them strictly in accordance with the law and the consent received from the data principal. Fiduciaries will also need to have processing agreements if data is shared with third parties for processing data.
  • Data Processor ‐ The processor works on behalf of the data fiduciary to process data as per the consent provided by the data principals. The processors should also ensure that all of the processing activities are logged in the Atlas registry.
  • Data Protection Board ‐ The regulatory and supervisory board is responsible for laying down the rules and ensuring that the fiduciaries and data processors are processing data in accordance with the consent received from the Data Principal.
  • Atlas DPDP Registry ‐ The DPDP registry orchestrates and manages the entire lifecycle of data, systems, policies, purposes, consents, processing activities, requests, grievances and reports.

Data Protection law of India
Frequently Asked Questions

What is Digital Personal Data Protection Act of India?

The new data protection law of India (DPDP Act) that was passed in August 2023 will affect every business entity in India, and affect every aspect of a business in India. At its core, it states the need for lawful processing and the right to protect personal data. Therefore, all of the data collected ‐ of prospects, customers, employees, partners, suppliers etc ‐ will need to be collected with explicit and clear consent and provide full rights to the data owners to update or revoke processing of data beyond the most essential within the ambit of the data protection laws of India.

What is personally identifiable information (PII) or personal data?

Any data about an individual that, when used alone or in conjunction with other relevant information, can identify that individual.

Is the DPDP act similar to the GDPR act in Europe?

Much like the GDPR there are four key pillars to the data protection law:

Data Principal ‐ The data owner (or data subject as in GDPR) who has ultimate control over their personal data and how it's processed.

Data Fiduciary ‐ The data controller takes ultimate responsibility for usage and processing of personal data strictly in accordance with the consent received from the data principal.

Data Processor ‐ The data processor helps with the processing and storage of personal data. In most cases the data processor will be the data fiduciary themselves, but they can appoint a third-party organisation to process data on their behalf.

Informed Consent ‐ A clear, unambiguous consent presented to customers before collecting and processing data. Note that the consent can be corrected or revoked at any time by the data principal.

What does the law mean by Data Processing?

Data processing refers to all things that can be done with data such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. In short it refers to anything you do with personal data in your hands.

How do organisations go about protecting personal data as per the Indian Data Protection law?

While this will take an organisation-wide change, at the most fundamental level, the key questions that every business needs to ask when collecting personal data are:

  • What data are we capturing?
  • How do we use and process data?
  • Where is data getting stored?
  • Who has access to data?
  • Is the consent plain and clear?
  • Do we provide a way to address grievances?

A clear set of answers to the above will keep the organisations compliant with the digital personal data protection law. And the Atlas Dashboard Data Registry helps with the process to get started immediately.

What is Atlas Data Registry and how can it help?

Atlas Data Registry is a set of APIs, SDKs and no code GUI to help you get started on your data protection journey without any delays. You can add your systems and the data they collect and data they share into the data registry. You can create consent pages and enable them during onboarding of your customers across all your channel touch points. Every system capturing personal data will make a registry entry of the consent and the system capturing personal data. Note that no personal PII data is ever stored in the Data Registry. Your systems can query the Data Registry for the consent provided prior to processing data legally. All the requests raised by Data Principals can also be viewed and approved in a single place. In addition, you will have comprehensive reports to ensure you are fully compliant with the data protection law.

Does Atlas Data Registry store any of the personal data?

NO. The Data Registry simply registers the metadata (data about data) when capturing personal data. Your data will reside where they normally reside. The Data Registry will ensure that all of the data processing is done as per the consent given by the customer. So systems registered in the Registry can request for permission to enrol and query the registry to obtain the permission granted prior to processing data. For instance, if a System wants to send you personalised advertisement to your mobile, the system can first query the Registry for the permission granted by you. If you have denied permission for advertisement, the system cannot use your data for the same. Simple as that.

How do I get consent from my existing customers to process data?

This is poised to be the most challenging task for businesses in India. Nonetheless, we have significantly simplified the process. Utilize our consent designer in the Atlas Dashboard to easily create consent pages for various stakeholders—customers, employees, vendors, etc. Simply share the link via email or registered mobile to obtain their informed consent. The consent page allows users to review the collected and processed data shared with third parties. Users can provide informed consent, and this information will be securely stored in the data registry. It's essential to note that this is a one-time exercise to ensure ongoing compliance. And then you use our APIs for real time consent capture.

Will I as a small business have to comply with the Indian Data Protection Law?

Absolutely. The law to protect personal data is not only meant for large organisations such as Banks, Insurance and Telecoms. It applies to every company, big or small, that collects personal data from anyone such as customers, employees, suppliers and so on. If the data is held digitally, then it is incumbent on you to comply with the law. The good news is, it is not scary to get started. With some simple steps, you can get started for free using our Atlas Dashboard. Book a demo to see how you can be on your way to turn compliance into competitive advantage.

If you are a very small entity with few customers and few employees then you can manage with simple email-based consent letters. However, if you are a growing company with many new customers, then it's best to use a technology solution such as ours right from the start.

How will organisations be judged by customers for protecting their personal data?

Organisations will be judged not just for their brand value but by how they safeguard customer privacy, without the ad bombs, SMS hindrances and, more recently, intrusions into our private WhatsApp communications that disrupt every aspect of our lives and keep us from getting life done.

  • What data does the organisation collect?
  • Is the consent provided to me clear?
  • Is the data collected only for the purposes informed in the consent?
  • Is the data adequate (not more) for the product/service I am choosing?
  • How does the organisation secure my data?
  • What data does the organisation share with others for legitimate processing?
  • Is my data sold to third parties (other than the purpose for which it was obtained)?
  • What rights do I have to my data?
  • Can I control the use of my data? ‐ e.g. restrict access to third parties, erase etc
  • Can I download use of my data?
  • How easy is it for me to control my data?
  • Is there a grievance officer that I can complain to if my queries are not heard?

How do I start the DPDP process?

Migrating to the new DPDP regime is not easy. While a reasonable amount of effort was added to protect data, the DPDP law mandates user consent at the centre of data processing which is a step change in how data was handled thus far. Migrating to DPDP regime requires a concerted effort to identify all of the source systems collecting PII data, storage systems, data processors handling PII data, purpose for which PII data is handled and fresh data consent from data owners. A massive effort is needed to get the required consent before going ahead with processing of data from here on which will impact every system handling PII data at the moment. We have largely simplified the process with the system enrolment, consent designer and simple plug and play APIs. Please book a demo so you can see for yourself how you can begin the journey towards lifelong data protection compliance.

What control do data principals have over their data?

Citizens (data principals) have the ultimate right to view how their data is being processed and to change or revoke their preferences at any time. In particular, data principals have the following rights under the current data protection law.

  • Right of access
  • Right to correction
  • Right to erasure
  • Right to withdraw consent
  • Right to grievance redressal
  • Right to nominate any other individual who, in the event of death or incapacity of the data principal, can exercise their rights under the Act.
Battle tested technology.
Use it just the way you want it.

Whether you are just starting out or you are miles ahead and want to optimise your customer experience, you can use our technology just the way you imagine it. In multiple ways for multiple use cases.

Native Mobile SDKs

Offline Android and iOS components for identity capture. Works without an internet connection. Quick integration into your native apps. Tested on 1000+ mobile devices.

Cloud APIs

RESTful APIs that can be integrated instantly without worrying about infrastructure or auto scaling. Our battle-tested AWS environment is ISO 27001:2013 certified and monitored 24x7.

On-Premise

Use our technology deployed as Docker containers on your own servers. In this setup there are no external calls outside your servers, giving you total control over your data.

Cloud Dashboard (no-code)

Get started instantly and begin your identity verification projects. The dashboard provides you with everything you need to onboard your customers as per prevailing regulations.

Trusted technology platform.

Trust is hard to earn. We certainly do not earn it through paid advertising. Instead, we earn your trust by providing a high-quality product and reliable service that you can count on. Every single day.

Patented technology
Patented technologies matured over 14 years with proven accuracy, quality and scale.
Support that truly supports
Whatever it takes, we are here to help you succeed with our tools and services.
Secure enterprise platform
Use our cloud platform to get started now. Or deploy this within your own premises.
Pricing that makes sense
Pay per transaction with discounts as you scale. Or annual subscription with unlimited usage.

Trusted by 200+ customers worldwide

Built for flexibility, compliance and reliability to serve multiple industry segments.

  • Banks
  • Insurance
  • Telco
  • Ecommerce
  • Fintech
  • Healthcare
  • Delivery
  • Gig Economy
  • Governments