Any person may process the personal data of a Data Principal only in accordance with the provisions of The Digital Personal Data Protection Act, 2023. This is an Act to provide for the processing of digital personal data in a manner that recognises both the right of the individuals to protect their personal data and the need to process such personal data for lawful purposes.
It introduces six key entities into the digital ecosystem:
1. Data Principal – you and me as the common consumer
2. Data Fiduciary – an entity to which the Data Principal gives his/her personal data
3. Data Processor – an entity appointed by the Data Fiduciary for processing personal data
4. Consent Manager – an entity that secures consent from the Data Principal on behalf of the Data Fiduciary
5. Data Protection Officer – an individual appointed by the Data Fiduciary
6. Data Protection Board – a cabinet-level Search-cum-Selection Committee
1. The Data Principal now has the right to obtain, upon request and in such manner as may be prescribed, from the entity to which she has given consent for processing of personal data, both a summary of the personal data being processed and a record of the processing activities undertaken, from all the entities. The Data Principal also has the right to correct, complete, update and erase her personal data, for the processing to which she has previously consented, from a central point. The Data Principal will also have readily available means of grievance redressal.
2. The Data Fiduciary is now obliged to clearly spell out the consent with an itemized description of personal data (read attributes), purpose (read personalization) and security, and must make revoking the consent as easy as it was to give. The updated rules have clearly spelt out the purpose to include offering subsidies, benefits, services, certificates, licenses and permits, and the time period. They have also specified certain additional obligations by type of fiduciary, across e-commerce companies, gaming intermediaries, social media intermediaries, clinical establishments, healthcare professionals, educational institutions and so on.
3. A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf, or for any activity related to offering goods or services to the Data Principal, only under a valid contract. The Data Fiduciary must provide sufficient safeguards for this data through encryption, obfuscation, tokenization, control of access to the computer/server, visibility into logs of access to the data, detection of unauthorized access and intimation.
4. A new entity called the Consent Manager is now being introduced into the ecosystem. A company with a net worth of less than 2 crores is qualified to apply for this. The main role of a Consent Manager is to offer an interoperable platform for Data Principals to give, manage, review and withdraw consent, to maintain a record of consent processing for at least seven years, and to act in a fiduciary capacity towards the Data Principal. The Consent Manager must have a website with a proper grievance redressal system and keep it updated.
5. Data Protection Officer. It is now mandatory for a Data Fiduciary to appoint a Data Protection Officer if it is identified as a Significant Fiduciary. A Data Fiduciary is deemed significant on the basis of the volume and sensitivity of personal data processed, risks to the rights of the Data Principal, and potential impact on the security of the State and public order. The Data Protection Officer will represent the Data Fiduciary before the Data Protection Board.
6. A Data Protection Board will be formed through a Search-cum-Selection Committee with the Secretary to the Government of India in the Ministry of Electronics and Information as a Digital Office. The Board shall exercise, perform and direct any urgent or remedial measures in the event of a personal data breach in observance of a Data Fiduciary or Consent Manager and impose penalties as provided by the Act.
The DPDP Act 2023 is not new for most of us. The industry has been analyzing it and preparing for its implementation for more than a year. The rules that were released early this week just clarify and make some execution points very clear. Now there is abundant clarity on the need and relevance for a new entity in the digital advertising ecosystem: a Consent Manager.
Ever since the first announcement on the deprecation of cookies way back in 2019, the AdTech ecosystem has been trialing and piloting many different solutions and approaches, without any success. Across the digital advertising supply chain, from the advertiser on the demand side to the publisher on the supply side, we have at least three to four entities in between, such as Demand Side Platforms, Ad Exchanges, Supply Side Platforms, Verification Partners and Attribution Research entities.
When personal data is used for the purpose of discovery, engagement, activation or recommendation across these entities in the supply chain, each of them needs to capture and carry consent with it, which they could not do compliantly. Privacy regulations forced these entities to collaborate with or acquire each other. DSPs and SSPs tried to disintermediate each other.
In my view, the Indian DPDP is the first such privacy regulation which has clearly articulated the need and a role for a Consent Manager. This solves very many problems that are plaguing the current ad tech ecosystem. Introducing the Consent Manager as a new entity solves this problem and opens new opportunities for the AdTech ecosystem. It is important to note that a Consent Manager might or might not be sector agnostic. One should wait and see how this unfolds.
There are two possibilities. When a Consent Manager is sector agnostic, it will collapse AdTech with MarTech with FinTech with HealthTech and ConsumerTech, paving the way for a truly integrated digital ecosystem, where advertising or marketing joins the stream. A Consent Manager can also be sector specific: for example, a new breed of companies that offer customized consent management solutions built for advertising and marketing across loyalty management, rewards, influencer marketing, advertising and measurement. The jury is still out on this.
As an advertising, marketing and media professional who has been in the industry for 30 years and has now pioneered and launched a unique modern audience platform that is privacy compliant, I couldn’t have asked for a better time to be in media. It is an altogether different matter that I keep saying this every five years or so; those of you who know me know what I mean!
Gowthaman Ragothaman is a 30-year media, advertising and marketing professional and CEO of Aqilliz, a blockchain solutions company for the marketing industry.