Welcome to the future (of data)

Hey there,

The talk of the town today is data protection, the DPDP Act, and the need for enterprise-wide digital transformation as entities grapple with the new norms.

Every organization today is talking about staying compliant with DPDP to ensure that their users’ data is managed correctly.

And while navigating the DPDP Act may be complex, it provides organizations with an opportunity to not just be compliant, but also redesign journeys to provide a better, seamless user experience.

In this newsletter, we talk about what the future looks like when it comes to data privacy and the DPDP Act.

First, let’s understand the problem

While organizations may feel that a few tweaks to their journeys will make them compliant with the DPDP Act, that couldn’t be farther from the truth.

Here's why.

At IDfy, we’re building a full-stack consent management platform called Privy, and the first thing we did when we started was break down user journeys to see the relationships between data fiduciaries and data processors.

That’s when we realized that the consent journey is more complex than it seems.

Take a simple onboarding journey for a co-branded credit card, for example. Here’s how it looks:

While there are just 1 or 2 customer-facing entities while issuing a credit card, the data is actually shared with 8 different entities!

And it’s not just credit card issuance. The more journeys we saw, the more insights emerged. The problem of managing a user’s consent was now real.

Now that we knew the problems, we started thinking about how to solve them. After weeks of research, and numerous meetings with consultants and government officials, we observed that essentially 4 key themes will prevail when it comes to consent management.

Let’s look at them one by one.

Key components of consent governance

Theme 1: Clear & transparent notice orchestration

The first theme we foresee is a clear consent notice provided to users. The infamous “Privacy policy” and “I accept terms & conditions” links will no longer be prevalent.

They’ll evolve into clear, unambiguous and easy to understand consent notices that will be presented to data principals. This process of orchestrating the appropriate notice based on customer interaction will be critical for enterprises to comply with the Act.

Theme 2: Granular consent collection

India’s population has varied levels of digital literacy. Going forward, it will be important for fiduciaries to present the notice in a manner where consent is collected for “specific purposes” while ensuring minimal cognitive load on the user.

For example, collecting a user’s phone number to send a transactional OTP and using that same number to send promotional messages are two distinct purposes, and will therefore require the user to provide consent for each.

Theme 3: Updation and withdrawal of consent

According to the Act, the data principal has the right to update, review, and withdraw their consent. Honoring these requests is a big challenge, because fiduciaries need to ensure that not just they, but all the data processors, have taken the necessary steps to update, review, or withdraw the principal’s consent.

We’ll see fiduciaries setting up separate processes and software for these data access requests, since these are crucial to comply with the Act.

Theme 4: Documentation & records

Maintaining detailed records of consents taken, and providing evidence during audits/Impact Assessments will soon become the norm, as the DPO will be responsible for ensuring transparency and auditability of the process.
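Themes 2 to 4 together describe a small data model: consent is recorded against a specific purpose, every grant or withdrawal has to reach all processors for that purpose, and the whole history must be available as evidence. The following Python ledger is an added illustration of that model; it is not IDfy’s Privy code and does not come from this newsletter. The purpose names, processor names and principal ids are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the append-only consent record (Theme 4)."""
    ts: str                     # UTC timestamp of the event
    principal_id: str           # the data principal (constructed sample ids below)
    purpose: str                # the specific purpose the consent applies to (Theme 2)
    action: str                 # "grant" or "withdraw"
    notice_version: str         # which notice text the principal was shown (Theme 1)
    notified: Tuple[str, ...]   # processors informed of this event (Theme 3)


class ConsentLedger:
    """Purpose-specific consent with fan-out to processors and an audit trail."""

    def __init__(self, processors_by_purpose: Dict[str, List[str]]):
        # Registry of permitted purposes and the processors that receive data for each.
        self._processors = processors_by_purpose
        self._events: List[ConsentEvent] = []  # only ever appended to, never edited

    def _record(self, principal_id: str, purpose: str, action: str,
                notice_version: str) -> ConsentEvent:
        # A purpose that was never registered cannot be consented to or withdrawn.
        if purpose not in self._processors:
            raise ValueError(f"unknown purpose {purpose!r}: consent must name a registered purpose")
        # The fiduciary is not the only party that must act: every processor for
        # this purpose is told about the change.
        notified = tuple(self._processors[purpose])
        event = ConsentEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            principal_id=principal_id,
            purpose=purpose,
            action=action,
            notice_version=notice_version,
            notified=notified,
        )
        self._events.append(event)
        return event

    def grant(self, principal_id: str, purpose: str, notice_version: str) -> ConsentEvent:
        return self._record(principal_id, purpose, "grant", notice_version)

    def withdraw(self, principal_id: str, purpose: str) -> ConsentEvent:
        # A withdrawal is not tied to a notice, so the version field is left empty.
        return self._record(principal_id, purpose, "withdraw", "")

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """Replay the trail: the most recent event for this (principal, purpose) decides."""
        state = False  # no recorded consent means no permission
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose:
                state = e.action == "grant"
        return state

    def audit_trail(self, principal_id: str) -> List[ConsentEvent]:
        """Everything recorded for one principal, in order, for audits and assessments."""
        return [e for e in self._events if e.principal_id == principal_id]


def demo() -> dict:
    """Walk through the OTP-versus-promotions case from the text with constructed values."""
    ledger = ConsentLedger({
        "transactional_otp": ["sms-gateway"],
        "promotional_messages": ["sms-gateway", "marketing-crm"],
    })
    ledger.grant("principal-001", "transactional_otp", "notice-v1")
    ledger.grant("principal-001", "promotional_messages", "notice-v1")
    withdrawal = ledger.withdraw("principal-001", "promotional_messages")
    return {
        "otp_allowed": ledger.is_permitted("principal-001", "transactional_otp"),
        "promo_allowed": ledger.is_permitted("principal-001", "promotional_messages"),
        "withdrawal_reached": sorted(withdrawal.notified),
        "trail_length": len(ledger.audit_trail("principal-001")),
    }


if __name__ == "__main__":
    print(demo())
```

Consent for the OTP purpose survives the withdrawal of the promotional purpose because the two are tracked separately, and the withdrawal event itself records which processors were told, which is the evidence a DPO would need to produce later.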

The path to compliance though, will not be without challenges. It will involve alignment between multiple stakeholders - Legal/Compliance, Enterprise Risk, Business, Product, and Technology, just to name a few.

It will also involve orchestrating change management and re-imagining not just customer interactions, but also current ways of treating and managing personal data.

So how should the DPO ensure compliance with the DPDP Act?

As DPOs for enterprises who may also qualify as “significant data fiduciaries”, it would be prudent to:

  1. Prioritize problems: Since we’re at a nascent stage of data compliance, focusing on newer data collection problems is a better way to gain traction and trust with both internal and external stakeholders. Older consents can be reworked once processes are in place.
  2. Harness the capabilities of a Consent Management Platform: By now, we all know that consent management is not a piece of cake - managing multiple consents, updation, review and withdrawal of consent, and presenting the notice in multiple languages are some key challenges. It is therefore advisable to evaluate consent management platforms that can handle the tech piece of consent management, while you focus on the processes.
  3. Promote a privacy-centric culture: Lastly, being compliant is not just about tech and processes, but also about people. DPOs should think of privacy as a key value of the organization, ensuring “data minimization” as a company-wide key theme.

All of this would require budgets, and it’s time to have these discussions with the management if you’re not already doing so.

While the rules are expected to come soon, the DPDP Act has clear actionables that need to be followed by all entities within the ecosystem. Given the government’s priority at the moment, it’s about time the industry starts implementing the Act without further delay.

And during your journey, we’re here to keep you updated.

We’ve started a monthly newsletter exclusively for consent management, data privacy, and all things DPDP, where we’ll talk about what the industry is doing to manage data compliance. If you’d like to stay updated, subscribe to it here.

Well, that’s it for today. Do let us know in the comments or write to us at [email protected] if you have any questions or would like to discuss anything on DPDP, privacy, or consent management. Our team is always excited to talk compliance!
