Duration: 4-6 weeks

Phase 2: Consent Management & Legal Framework

Redesign consent mechanisms, draft compliant privacy notices, update contracts with data processors, and establish the legal framework that underpins all data processing. This is where you fix the gaps identified in Phase 1.

🎯 Objectives

  • Implement DPDP-compliant consent collection across all channels
  • Draft and publish privacy notices in English and scheduled languages
  • Update all data processor agreements to include DPDP obligations
  • Establish lawful basis documentation for all processing activities
  • Set up consent records management

Consent Mechanism Redesign

Redesign all consent collection points to meet DPDP requirements. Implement granular, purpose-specific consent with clear opt-in mechanisms. Ensure withdrawal is as easy as giving consent. For each processing purpose, create a separate consent toggle or checkbox. Build a consent preference centre where Data Principals can manage their consents.

🎓 Beginner's Note

Imagine a settings page where users see all the things the company uses their data for, each with an on/off switch. That is what a consent preference centre looks like. It must be easy to find and easy to use.

💡 Consultant Tips

  • Use layered notices: brief summary first, detailed information one click away
  • Each consent must map to exactly one purpose — no bundled consents
  • Make the 'Withdraw Consent' button as prominent as the 'Give Consent' button
  • Test the UX with real users — if it confuses them, it is not 'informed' consent

Privacy Notice Drafting

Draft DPDP-compliant privacy notices that include: identity and contact details of the Data Fiduciary, what personal data is collected, the purpose of each processing activity, rights of Data Principals (access, correction, erasure, grievance, nomination), details of the grievance officer, and the right to complain to the DPBI. Notices must be available in English and all 22 languages listed in the Eighth Schedule of the Constitution.

🎓 Beginner's Note

A privacy notice (sometimes called a privacy policy) is the document that tells people what you do with their data. Under DPDP, it is not optional — it is a legal requirement that must precede consent collection.

💡 Consultant Tips

  • Write at an 8th-grade reading level — avoid legal jargon completely
  • Use tables and bullet points rather than dense paragraphs
  • For multi-language support, engage professional translators — do not rely on machine translation for legal documents
  • Include a version number and date so you can track when notices were updated

Data Processor Agreement Updates

Review and update all contracts with Data Processors (vendors, cloud providers, outsourced service providers) to include DPDP obligations. Key clauses: processing only on instructions of the Fiduciary, security obligations, breach notification requirements, sub-processor restrictions, audit rights, and data return/deletion on contract termination.

🎓 Beginner's Note

When your client sends personal data to a vendor (like a cloud hosting provider or a payroll company), the contract must say the vendor will protect that data and follow your client's instructions. Without this, your client is liable for anything the vendor does wrong.

💡 Consultant Tips

  • Create a standard Data Processing Agreement (DPA) template and adapt for each vendor
  • Prioritise high-risk vendors: cloud providers, payment processors, marketing platforms
  • Include penalty pass-through clauses — if a vendor's negligence causes a penalty, they share liability
  • Set breach notification timelines: vendors should notify you within 24-48 hours of discovery

Lawful Basis Documentation

For every processing activity in the ROPA, document the lawful basis: either consent (with evidence of valid consent collection) or a specific legitimate use under Section 7. Ensure that no processing activity lacks a documented legal basis. This documentation is your defence in case of a complaint or investigation.

🎓 Beginner's Note

For every piece of personal data you process, you need to answer: 'Why are we legally allowed to process this?' The answer is either 'The person consented' (with proof) or 'It falls under Section 7 because...' (with documentation). No other answers are acceptable.

💡 Consultant Tips

  • Create a 'Lawful Basis Register' linked to the ROPA
  • For consent-based processing, maintain evidence: timestamp, consent text shown, IP address, user action taken
  • For Section 7 legitimate uses, document which specific sub-section applies and why
  • Review quarterly — new processing activities must have a lawful basis before they begin

Consent Records Management System

Implement a technical system to record, store, and manage consent transactions. Every consent given, modified, or withdrawn must be logged with a timestamp, the Data Principal's identity, the specific purpose, the notice shown, and the action taken. This consent log is your audit trail.

🎓 Beginner's Note

Think of this as a ledger that records every time someone says 'yes' or 'no' to their data being used. If the regulator asks 'Prove this person consented,' you pull up the record showing exactly when, how, and to what they consented.

💡 Consultant Tips

  • Consider commercial Consent Management Platforms (CMPs) or build an in-house solution
  • Store consent records separately from personal data — they should survive data deletion
  • Implement APIs for consent status checks so processing systems can verify consent in real time
  • Plan for integration with Consent Managers when they become operational
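The consent log described above, together with the one-purpose-per-consent rule from the Consent Mechanism Redesign tips and the evidence fields from the Lawful Basis tips, as an added example that is not part of this guide or of any CMP product: a minimal Python consent ledger with per-purpose status checks and a hash chain so that an edited or deleted entry is detectable. The field names, the action values `given`/`withdrawn`, and the identifiers are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value for the first entry in the chain


def _digest(body):
    # Canonical JSON so the same event always hashes to the same value
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained consent log; stores identifiers and metadata, never the personal data."""

    def __init__(self):
        self.events = []  # never edited in place; a withdrawal is a new event

    def record(self, ts, principal_id, purpose, action, notice_version, evidence):
        """Append one event. Exactly one purpose per event: no bundled consents."""
        if action not in ("given", "withdrawn"):
            raise ValueError(f"unknown action {action!r}")
        if not purpose or "," in purpose:
            raise ValueError("one purpose per consent event")
        body = {
            "ts": ts,  # ISO-8601 UTC timestamp of the Data Principal's action
            "principal_id": principal_id,  # identifier only, not the personal data
            "purpose": purpose,
            "action": action,
            "notice_version": notice_version,  # which notice text was shown
            "evidence": evidence,  # e.g. IP address and the UI element used (assumed shape)
            "prev": self.events[-1]["hash"] if self.events else GENESIS,
        }
        body["hash"] = _digest(body)
        self.events.append(body)
        return body["hash"]

    def has_consent(self, principal_id, purpose):
        """Real-time status check for processing systems: the latest event for this pair decides."""
        for ev in reversed(self.events):
            if ev["principal_id"] == principal_id and ev["purpose"] == purpose:
                return ev["action"] == "given"
        return False  # no record at all means no consent

    def verify_chain(self):
        """Recompute every hash; an edited or deleted entry breaks the chain."""
        prev = GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True
```

Processing systems call `has_consent()` before using data for a given purpose; `verify_chain()` is the check to run before handing the log to an auditor or the regulator.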

📦 Phase Deliverables

  • Redesigned consent collection UIs and preference centre
  • DPDP-compliant Privacy Notice in English and scheduled languages
  • Standard Data Processing Agreement (DPA) template
  • Updated vendor contracts with DPDP clauses
  • Lawful Basis Register for all processing activities
  • Consent Records Management System (operational)