{"id":1732,"date":"2024-07-10T07:55:02","date_gmt":"2024-07-10T07:55:02","guid":{"rendered":"https:\/\/frslabs.com\/frsblog\/?p=1732"},"modified":"2026-01-25T07:12:21","modified_gmt":"2026-01-25T07:12:21","slug":"dpdp-consent","status":"publish","type":"post","link":"https:\/\/www.frslabs.com\/frsblog\/2024\/07\/10\/dpdp-consent\/","title":{"rendered":"DPDP Consent Management for Indian Fiduciaries"},"content":{"rendered":"\n

One of the crucial parts of the DPDP Act is the DPDP Consent Management<\/strong>. The law mandates explicit consent to be obtained from the end user before attempting to process their data. Without consent, no data processing is allowed beyond certain legitimate usage, such as enabling the opening of a bank account. It’s as simple as that.<\/p>\n\n\n\n

Read the main DPDPA Article here<\/a><\/span><\/strong> <\/p>\n\n\n\n

\"DPDP<\/a><\/figure><\/div>\n\n\n\n

The law states that every request made to the Data Principal must comprise a DPDP consent with the following details:<\/strong><\/p>\n\n\n\n

1. The personal data collected and the purpose for which the data is collected can include data that is collected, processed, shared, stored, and sold to third parties.<\/p>\n\n\n\n

2. Users must be informed about how they can exercise their rights under the law to ensure that organizations collecting data do not process it beyond its intended purpose. Users should also have the option to update their previously provided preferences.<\/p>\n\n\n\n

3. Additionally, users should be informed about how they may file a complaint if they find that the organization has exceeded the DPDP consent mandate provided to them.<\/p>\n\n\n\n

Just as an illustration: X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.<\/p><\/blockquote>\n\n\n\n

If you would like to see how this works in real life, please book a demo<\/a> so we can show you our all-in-one Video KYC<\/a> and DPDP Consent Management dashboard. This demo will display a consent notice to the customer before starting the Video KYC process.<\/span><\/p><\/blockquote>\n\n\n\n

There is one other crucial task for organizations regarding DPDP consent management. Notices must be issued to customers who provided their consent before this Act came into force. This means the organization should issue the following notice:<\/p>\n\n\n\n

A notice confirming the personal data that has already been collected and the purpose for which the data has been processed. Additionally, the organization (Data Fiduciary) must provide an option to access the contents of the notice\u2014this includes the data collected, processed, shared, stored, and sold\u2014along with the full purpose for which the data is being used. Customers should also be given the option to modify the DPDP consent they provided earlier.<\/span><\/p><\/blockquote>\n\n\n\n

The manner in which the user can exercise their rights under the law ensures that organizations collecting data do not process it beyond its intended purpose. Users should have the option to make changes to their previously provided preferences. Additionally, users must be informed about how they can file a complaint if they find that the organization has exceeded the DPDP consent mandate provided to them.<\/p>\n\n\n\n

An important note that often gets overlooked in the Act is that once the notice has been issued, the Data Fiduciary can continue to process the data until the customer withdraws their DPDP consent. This does not mean that the Data Fiduciary can use the data beyond the purpose for which it was collected, but it does provide some leeway to continue processing customer data for lawful purposes.<\/span><\/p><\/blockquote>\n\n\n\n

How should the DPDP consent look like?<\/strong><\/p>\n\n\n\n

As per Section 6(1), The law states that the DPDP consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous<\/strong> with a clear affirmative action, and shall signify an agreement<\/strong> to the processing of her personal data for the specified purpose<\/strong> and be limited to such personal data as is necessary for such specified purpose<\/strong>.<\/span><\/p><\/blockquote>\n\n\n\n

There are quite a number of terms to unpack from the above statement. One is that the consent can no longer be hidden in a link with an express tick box. Instead, it has to be detailed and should cover the whole gamut of the purpose for which the data is collected in the first place.<\/p>\n\n\n\n

The second is that the consent shall signify an agreement. This is subject to debate at the moment as there is no clear way the law states what signifies an agreement. For instance, should there be a signed agreement between the Principal and Fiduciary on presenting the DPDP consent, or can a detailed description of the consent and an option for the customer to accept it be sufficient? Most fiduciaries may take the OTP route to ensure that the customer\u2019s consent is affirmed with a mobile OTP as acceptance of DPDP consent. But this can add additional cost and additional layer of friction.<\/p>\n\n\n\n

The third is the purpose for which the data is collected. First, the data collected should be minimal to fulfill the purpose. Anything beyond is essentially considered null and void. For instance, if a customer downloads an app to order groceries and provides their name, phone, and address, that in itself will be sufficient for the organization to accept an order and deliver the goods. If, however, the app takes DPDP consent for reading SMS messages and phone contacts, which are not needed for making the delivery (specified purpose), such DPDP consent obtained will now be limited to just the delivery, and the additional consent taken is considered a violation.<\/p>\n\n\n\n

Where the customer has given their consent, they have the right to withdraw their consent anytime. This again forms a crucial part of the law that all systems processing customer data to ensure that DPDP consent is available prior to processing their data.<\/p>\n\n\n\n

As per Section 6(6): If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.<\/span><\/p><\/blockquote>\n\n\n\n

As per Section 6(10): Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.<\/span><\/p><\/blockquote>\n\n\n\n

Therefore, it is incumbent upon the Data Fiduciary to ensure that a notice is served and proof of DPDP consent is obtained for processing the data. At frslabs, we provide a full feature Atlas DPDP solution<\/a> that addresses the needs of DPDP Consent Management. Furthermore, the Atlas Privacy Manager<\/a> covers data discovery, system and data mapping, policies and purposes, consent management, requests and grievances. Please book a demo<\/a> today so we can walk you through the features and how it can complement your Data Protection strategy.

Putting it together<\/strong><\/p>\n\n\n\n

The Data Fiduciary may use a consent artifact for the purpose of giving the notice to seek consent. This would mean that the Data Fiduciary can use a predefined, structured format (the consent artifact) to provide the necessary information to individuals about data processing activities. The data fiduciary can also use the services of Consent Manager under DPDPA<\/a> for the management of consents. <\/p>\n\n\n\n

This artifact ensures that the notice is clear, consistent, and contains all the required information as per legal requirements.<\/p>\n\n\n\n

By using a consent artifact, the Data Fiduciary can effectively demonstrate that they have sought and obtained informed consent from the individual for processing their personal data.<\/p>\n\n\n\n

Practical Implementation<\/strong> <\/p>\n\n\n\n

Creating a Consent Artifact:<\/span><\/p>\n\n\n\n

The Data Fiduciary prepares a document or digital record that outlines the details of data processing activities, including purposes, data categories, data sharing practices, and individual rights.<\/p>\n\n\n\n

This document is presented to the individual in a clear and understandable manner.<\/p>\n\n\n\n

Seeking Consent:<\/span><\/p>\n\n\n\n

The Data Fiduciary provides the notice (in the form of the consent artifact) to the individual before collecting their data.<\/p>\n\n\n\n

The individual reviews the notice and gives their consent, usually by signing the document or clicking an agreement button if it’s digital.<\/p>\n\n\n\n

Storing the Consent Artifact:<\/span><\/p>\n\n\n\n

The consent artifact is stored securely as a record that the individual has been informed and has agreed to the data processing terms.<\/p>\n\n\n\n

This artifact can be referenced in the future to prove compliance with data protection regulations.<\/p>\n\n\n\n

<\/p>\n\n\n\n

\n\n\n\n

Here’s a full list of our Atlas Privacy Manager<\/a> features:<\/strong><\/p>\n\n\n\n