Your DPO’s Guide to Consent Governance - Navigating DPDP Act 2023

Consent Governance
By
adarsh
March 26, 2024
Embark on a journey through Consent Governance under the DPDP Act: a transformative approach ensuring compliance, fostering trust, and redefining customer engagement.

Consent Governance: What does this mean for the organisation?

The Digital Personal Data Protection Bill, 2023 (which evolved from the 2022 draft put out for consultation) became the Digital Personal Data Protection Act, 2023 after receiving the President's assent on August 11, 2023. This marked a watershed moment in India's privacy and consumer protection landscape.

As data fiduciaries grapple with their obligations under the Act and take both quick fixes and long-term measures to avoid penalties, the need for an enterprise-wide digital transformation emerges.

The pathway to DPDP Act compliance, although complex, provides organizations the opportunity to re-imagine their customer touch points and assess their personal data collection and processing methods. This serves as a means not only to become compliant but also to build user trust and confidence in the brand.

Navigating the Complexity: The Plumbing Problem

The scope of compliance with the Act is generally underestimated.

Organizations may feel that minor tweaks to their UI screens will suffice, but the UI is only the surface. Digging a little deeper reveals a complex web of M:N relationships between data fiduciaries and data processors sitting behind even the simplest customer interaction: one fiduciary may rely on many processors, and one processor may serve many fiduciaries.

The diagram below illustrates this complexity for a popular product offering: a co-branded credit card onboarding experience.

[Diagram: co-branded credit card onboarding flow, showing personal data moving between the partner fiduciaries and their data processors]

As we track the personal data being collected and processed across this value chain of fiduciaries and processors, the problem of managing a user's consent becomes concrete: every hop is a place where a purpose, a consent, or a withdrawal must be carried along with the data.

Rethinking Compliance: Beyond the Checkbox

It is critical for enterprises to think beyond minor UI tweaks and explore how the concept of "Consent Governance" can support compliance with the Act.

In simple words, Consent Governance is the management of user consent across the entire consent lifecycle, which can be broken down into four key themes:

Key Components of Consent Governance:

  1. Clear and Transparent Notice Orchestration:
     We foresee the infamous "privacy policy" links that house vague and very broad purposes evolving into compliant "notices" presented to data principals as they interact with any product offering, in both physical and digital contexts.
     Orchestrating the appropriate notice for each customer interaction will be critical both for compliance with the Act and for the user trust described above.
  2. Granular Consent Collection:
     India's population has varied levels of digital literacy. It will be important for fiduciaries to present the notice in a manner where consent is collected for "specific purposes" while keeping the cognitive load on the user minimal.
     For example, collecting a user's phone number to send a transactional OTP and using it to send marketing material are two clearly distinct purposes, and consent to the first does not imply consent to the second.
  3. Update and Withdrawal of Consent:
     The data principal has the right to review, update and withdraw consent under the Act, and these rights must be protected. Accounting for consent updates over the customer lifecycle is a new challenge for enterprises; an update could be as simple as a refreshed proof of address (POA) document replacing the one provided earlier.
     Honoring withdrawal requests poses an even bigger challenge: the fiduciary must ensure that not just itself but every data processor downstream has taken the necessary steps to honour the withdrawal. Setting up the technology and processes to receive, propagate and evidence these requests will be critical for compliance.
  4. Documentation and Records:
     As consents are managed throughout their lifecycle, it will be the DPO's responsibility to ensure the transparency and auditability of the process. Maintaining the right records at the appropriate granularity (which principal, which purpose, which processors, when) and producing that evidence during Data Protection Impact Assessments and data privacy audits will become the norm.
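The four themes above describe a lifecycle, and the hard part in practice is the third and fourth: a withdrawal has to fan out to every processor behind a purpose and leave an auditable trail. The following toy consent ledger, added here as an illustration and not taken from the DPDP Act, from any consent management product or from the original article, shows one way to model that: consent is recorded per purpose (so an OTP consent says nothing about marketing), a withdrawal returns the set of processors that must be notified and tracks their acknowledgements, and every action lands in an append-only event list that an auditor can replay. The purpose identifiers, processor names and method names are all assumed for the example.

```python
"""Toy consent ledger: purpose-specific consent, withdrawal fan-out to
processors, and an append-only audit trail. Added illustration only; the
purpose identifiers, processor names and API are assumed, not taken from
the DPDP Act or from any real consent management platform."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    ts: datetime
    principal: str
    purpose: str
    action: str  # "granted", "withdrawn" or "processor_ack"
    actor: str   # who recorded it: the data principal or a processor


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentLedger:
    # purpose -> processors that receive personal data for that purpose
    # (the M:N fiduciary/processor relationship described above)
    processors: dict[str, set[str]] = field(default_factory=dict)
    # Append-only: events are never edited or deleted, so the history
    # can be replayed during an audit or impact assessment.
    events: list[ConsentEvent] = field(default_factory=list)
    # (principal, purpose) -> processors that have not yet confirmed
    # they honoured a withdrawal
    pending: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def register_processor(self, purpose: str, processor: str) -> None:
        self.processors.setdefault(purpose, set()).add(processor)

    def _record(self, principal: str, purpose: str, action: str,
                actor: str, ts: Optional[datetime]) -> None:
        self.events.append(ConsentEvent(ts or _now(), principal, purpose, action, actor))

    def grant(self, principal: str, purpose: str, ts: Optional[datetime] = None) -> None:
        # Consent is keyed by purpose: granting "txn_otp" never implies "marketing".
        self._record(principal, purpose, "granted", principal, ts)

    def withdraw(self, principal: str, purpose: str,
                 ts: Optional[datetime] = None) -> set[str]:
        """Record the withdrawal and return every processor that must be told."""
        self._record(principal, purpose, "withdrawn", principal, ts)
        to_notify = set(self.processors.get(purpose, set()))
        self.pending[(principal, purpose)] = set(to_notify)
        return to_notify

    def acknowledge(self, principal: str, purpose: str, processor: str,
                    ts: Optional[datetime] = None) -> None:
        """A processor confirms it has stopped processing for this purpose."""
        self._record(principal, purpose, "processor_ack", processor, ts)
        self.pending.get((principal, purpose), set()).discard(processor)

    def outstanding(self, principal: str, purpose: str) -> set[str]:
        """Processors that still owe an acknowledgement for a withdrawal."""
        return set(self.pending.get((principal, purpose), set()))

    def is_permitted(self, principal: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """True if the most recent grant/withdraw event (at or before `at`) is a grant."""
        permitted = False
        for e in self.events:
            if e.principal != principal or e.purpose != purpose:
                continue
            if at is not None and e.ts > at:
                continue
            if e.action == "granted":
                permitted = True
            elif e.action == "withdrawn":
                permitted = False
        return permitted

    def audit(self, principal: str) -> list[ConsentEvent]:
        """Full, ordered history for one data principal."""
        return [e for e in self.events if e.principal == principal]


if __name__ == "__main__":
    # Constructed sample data, not from any real deployment.
    ledger = ConsentLedger()
    ledger.register_processor("marketing", "email-vendor")
    ledger.register_processor("marketing", "analytics-vendor")
    ledger.register_processor("txn_otp", "sms-gateway")
    ledger.grant("principal-1", "txn_otp")
    ledger.grant("principal-1", "marketing")
    print("must notify:", ledger.withdraw("principal-1", "marketing"))
    ledger.acknowledge("principal-1", "marketing", "email-vendor")
    print("still outstanding:", ledger.outstanding("principal-1", "marketing"))
    for ev in ledger.audit("principal-1"):
        print(ev.ts.isoformat(), ev.purpose, ev.action, ev.actor)
```

Two design choices matter for the "Documentation and Records" theme: the ledger is append-only, so a withdrawal is a new event rather than an overwrite, and the `pending` set makes the gap between "principal withdrew" and "every processor stopped" visible, which is exactly the evidence a DPO will be asked for in an audit.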

Challenges Foreseen:

The path to compliance will require alignment between multiple stakeholders, including Legal and Compliance, Enterprise Risk, Business, Product and Technology. It will involve orchestrating change management and re-imagining not just customer interactions but also the current ways of treating and managing personal data.

Role of Leadership

For DPOs of enterprises that may also qualify as "significant data fiduciaries", it would be prudent to:

  1. Promote a privacy-centric culture: This entails treating privacy as a key organizational tenet and "data minimization" as a theme that shapes people, process and technology. Approval of a relevant budget for these activities is a precursor to embarking on this transformation exercise.
  2. Harness the capabilities of a Consent Management Platform: Challenges such as presenting the notice in multiple languages and enforcing techno-legal measures with data processors are key here.
  3. Prioritize the problem: Addressing consent for new data collection first, and dealing with older consents later, could be a way to gain traction and trust with both internal and external stakeholders.

Consent Governance serves as a guiding light for enterprises navigating the compliance landscape. DPOs play a crucial role in ensuring the correct and rigorous illumination of this pathway.
