Data protection misconception 3: it's all about consent.

Written by Ben Rapp | Feb 19, 2026 9:03:54 AM

As indicated in previous blogs, we are covering commonly held misconceptions to provide clarity over what's important to those embarking upon their DPDPA compliance journey. Our particular focus here is on compliance with India’s new Digital Personal Data Protection Act, but it is worth reiterating that the lessons are globally applicable.

Misconception 3: it's all about consent

The DPDPA is very much a consent-first law, but this comes with several challenges. First of all, there are other reasons for collecting, processing, storing and – crucially – sharing personal data, including for the purposes of employment; meeting legal requirements imposed by the state; and complying with legal judgements. There are provisions for public health and the saving of life, and processing by the State and its instrumentalities is legitimised without the need for consent but within a strict framework.

More importantly, consent is not as simple as you might think. Consent under DPDPA is granular – that is to say, specific to each individual act of collection and processing – and must be fully informed, freely given, separated from any contract and as easy to withdraw as it is to provide. “By ticking this box you consent to our processing of your personal data” is not good enough.

The crucial question, though, is what you do when consent is withdrawn. Consider a simple example: a customer opens a bank account. In doing so, they provide consent for a number of different purposes of processing, from initial due diligence and anti-money-laundering, to day-to-day transactional banking, through to use of their data for internal process improvement and, finally, consent to receive marketing materials. Each of those consents can separately be withdrawn, and each will have different consequences for which your systems and processes must provide. You will need to think about how you deal with each possible combination of valid and withdrawn consents, and how you inform the data principal of the consequences of any withdrawal.

The law provides some examples of how you may continue service of a contract after consent has been withdrawn, but this is open to challenge and will be interpreted strictly. In the context of this bank account example, ask yourself: “If the customer withdraws consent for day-to-day processing, on what basis am I allowed even to look up their balance so I can return their money? And do I want to allow them to close their account just by withdrawing consent?” Ask yourself: “If they withdraw consent for the use of their data for process improvement, how do I ensure that their data is not included in our analytics when we look at account usage patterns?”

There are answers to these questions; the point we are making here is that you need to consider them, and that therefore consent is by no means as simple as one tick box and you’re done.

