At the heart of the DPDP Act 2023 lies its most intriguing and distinctive facet — the concept of Consent Managers. It may be a little early to say, but this aspect could be THE innovation in the data paradigm that makes data management real! It stands alone, without parallel in any other country.
This article sets out to unravel the Consent Manager concept.
This article is part of a four-part blog series:
- Part 1: DPDP Act, Key Terms, Consent & Some examples
- Part 2: Introduction to Consent Manager, Challenges with using Forms & Survey Tools
- Part 3: Complying to DPDP Act as a Nonprofit
- Part 4: Concerns and Red Flags by Data Activists, Nonprofits
Here is a good video to set context for the argument that follows.
Understanding the Consent Manager
A Consent Manager, as defined by the DPDP Act 2023, is a person or an entity registered with the Data Protection Board of India that serves as a single point of contact for Data Principals. Its primary role is to help Data Principals give, manage, review, and withdraw their consent through a platform that is accessible, transparent, and interoperable. In essence, it acts as a guardian of user consent, ensuring that individuals have control over how their personal data is used.
Trust Deficit Between Data Principal, Data Fiduciary
Within the intricate framework of the DPDP Act, the astuteness of MeitY becomes apparent: it foresaw the inevitable trust deficit between Data Principals and Data Fiduciaries. In response, the Data Protection Board of India (DPBI) mirrors the ethos of other regulatory boards such as RERA or the Ombudsman, championing the interests of Digital Citizens. The Consent Manager is a crucial tool for the DPBI to operate efficiently.
In essence, the Consent Manager acts as an intermediary that facilitates a seamless connection between the Data Principal and the Data Fiduciary, ensuring that the principles of consent are not only upheld but also easily navigable, seemingly through an app, an API, or a support contact number.
The Act lays out key responsibilities of Consent Managers:
- Empowerment of Data Principals: As opposed to managing consents with hundreds of service providers, there will be one (or a few) agencies that help give, manage, review, or withdraw consent.
- Accountability and Registration: Consent Managers are not mere intermediaries; they are accountable entities responsible for acting on behalf of the Data Principal.
- Grievance Redressal Mechanism: The DPDP Act mandates that Consent Managers provide the first point of grievance redressal.
What it means for your users and your app
From the user's perspective, consider that you are signing up with a new climate awareness app and you are prompted with the infamous "I agree to platform terms …" statement, except that your consent is now managed by a DPBI-appointed Consent company that keeps a record of your consent, the purpose and duration for which it is taken, and other important aspects.
From the app developer's perspective, consider this as an API you'll call to pass the relevant consent information on to the Consent agency. The agency dictates the terms of consent on behalf of the Data Principal, such as what to store, until when, and when to stop processing one's data.
Takeaways for Nonprofit Leaders
A stark contrast exists between nonprofits that leverage technology for streamlined operations and those that rely on on-the-ground services and capture data using forms such as Google Forms, AppSheets, Survey CTO, Survey Monkey, etc. to assess their impact. We all know that data collected through surveys and forms is not foolproof. There is always a chance of unauthorized access or data breaches. Access controls within and outside your organization are limited, and employees download Excel sheets at the drop of a hat!
For nonprofits with a tech-savvy approach, where beneficiaries are configured as entities (Data Principals) in the database, integrating a Consent Service becomes a viable option. Configuring beneficiaries as Data Principals allows for the creation and integration of consent services, ultimately exposing these consents to the Consent Manager appointed by the Board. This way, beneficiaries also get the option to see everywhere they have offered their data and to manage their consent.
On the flip side, smaller and younger nonprofits often engage in data capture through field staff, a favored method to showcase to donors the impact made. However, when Data Principals exist only as records in spreadsheets on employees' laptops and in Google Sheets, without links to consent services, challenges arise! There are three big challenges:
- The initial hurdle is capturing data with verifiable consent.
- Next come the complexities of exposing stored consents to external Consent Manager agencies.
- Lastly, there is letting beneficiaries manage their consent through the Consent Managers and reflecting their choices back in your spreadsheets.
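The sketch below is an added example, not code from the Act, the Board, or any Consent Manager: it shows one way a spreadsheet-based nonprofit could keep a tamper-evident consent record (purpose, duration, withdrawal) and filter rows before processing. The HMAC key, the `BEN-00x` IDs, the `impact-report` purpose and all function names are hypothetical, and the HMAC signature is only an integrity check chosen for illustration, not a mechanism the Act prescribes.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Assumption: a signing key kept outside the spreadsheet (constructed demo value).
KEY = b"constructed-demo-key"

def _sign(event):
    payload = json.dumps(event, sort_keys=True).encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def add_event(ledger, principal, purpose, action, at, valid_days=0):
    """Append a signed 'give' or 'withdraw' event; earlier entries are never edited."""
    event = {"principal": principal, "purpose": purpose, "action": action,
             "at": at.isoformat(),
             "expires_at": (at + timedelta(days=valid_days)).isoformat()}
    ledger.append({"event": event, "sig": _sign(event)})

def has_consent(ledger, principal, purpose, now):
    """True only if the latest matching event is an unexpired 'give'."""
    active = False
    for entry in ledger:
        event = entry["event"]
        # Fail closed: one altered entry makes the whole ledger untrustworthy.
        if not hmac.compare_digest(entry["sig"], _sign(event)):
            raise ValueError("consent ledger entry failed verification")
        if (event["principal"], event["purpose"]) != (principal, purpose):
            continue
        active = (event["action"] == "give"
                  and datetime.fromisoformat(event["expires_at"]) > now)
    return active

def processable_rows(rows, ledger, purpose, now):
    """Filter spreadsheet rows down to beneficiaries with live consent."""
    return [r for r in rows if has_consent(ledger, r["principal"], purpose, now)]

def demo():
    """Constructed sample data: four beneficiaries, one with live consent."""
    day = lambda d: datetime(2024, 1, d, tzinfo=timezone.utc)
    ledger = []
    add_event(ledger, "BEN-001", "impact-report", "give", day(1), 365)
    add_event(ledger, "BEN-002", "impact-report", "give", day(1), 365)
    add_event(ledger, "BEN-002", "impact-report", "withdraw", day(5))
    add_event(ledger, "BEN-003", "impact-report", "give", day(1), 3)  # expired by day 10
    rows = [{"principal": f"BEN-00{i}", "village": "constructed"} for i in range(1, 5)]
    return ledger, rows, day(10)

if __name__ == "__main__":
    ledger, rows, now = demo()
    print([r["principal"] for r in processable_rows(rows, ledger, "impact-report", now)])
```

Consent is checked per purpose, so a "give" for one purpose never authorizes processing for another, and a beneficiary with no ledger entry is excluded by default.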
Are you infringing upon your beneficiary’s fundamental rights?
Irrespective of the DPDP Act, nonprofits are inadvertently putting the personal data of their beneficiaries at risk by capturing personal data in Google Forms. This jeopardizes their fundamental right to privacy, a concern that is further heightened with the enactment of the DPDP Act 2023. Capturing personal data in forms, surveys, or spreadsheets without a robust consent framework is a definite recipe for disaster.
In an era where data breaches and privacy infringements are rampant, one must recognize the gravity of mishandling personal information, especially that of the underprivileged, who are more at risk when it comes to data fraud and phishing. Beyond compliance, ethical data management practices not only protect beneficiaries but also fortify their trust in your nonprofit.