DPDP rules implementation | Current Affairs | Vision IAS

    DPDP rules implementation

    Digital Personal Data Protection (DPDP) Act: New Rules and Implications

    The newly notified administrative rules under the Digital Personal Data Protection (DPDP) Act are set to significantly impact the demand and functionality of consent managers, who act on behalf of users.

    Consent Managers and Compliance

    • India-incorporated companies with a minimum net worth of ₹20 million must apply to be consent managers within 12 months.
    • Such companies need to register with the Data Protection Board (DPB) and adhere to its obligations.
    • Consent managers must maintain a log of consents given, denied, or withdrawn and track notices related to data processing.
    • User data records should be kept for at least seven years, or longer if required.

    Business Operations and Technological Overhaul

    • Businesses will require dedicated consent management platforms to handle consents across all user interactions.
    • Platforms must support one-click consent withdrawal, periodic audits, and re-consent mechanisms.
    • Firms face a choice: pursue transformative business redesign for compliance, or risk penalties by making only incremental adjustments.

    Role of Consent Managers and Data Protection Officers

    • Consent managers must not subcontract or assign any obligations under the DPDP Act.
    • The role of the Chief Information Security Officer (CISO) now integrates with consent and governance, not just security.
    • Training staff and redesigning processes for compliance will be crucial.
    • Each company entity requires a Data Protection Officer (DPO) for consent and data governance.

    Data Governance and Management

    • Entities collecting personally identifiable information (PII) must specify retention duration explicitly.

    Verifiable Parental Consent for Children's Data

    • Users below 18 are considered children, requiring parental consent for data processing.
    • Identity of the parent must be verified through a voluntarily provided ID or via Digital Locker.