Skip to main content

FAQ

This FAQ answers common questions about the Digital Personal Data Protection Act (DPDPA), 2023 and the Business Requirement Document for Consent Management System (BRD-CMS).

1. About DPDPA

Q1: What is the Digital Personal Data Protection Act (DPDPA), 2023?

Answer:
DPDPA is India’s primary data protection law that governs how organizations collect, process, store, and manage personal data of individuals (Data Principals). It emphasizes purpose limitation, lawful processing, individual rights, consent-based data usage, and grievance redressal mechanisms.

Q2: Who are the key entities under DPDPA?

Answer:

  • Data Principal: The individual whose personal data is processed.
  • Data Fiduciary: Entity determining the purposes and means of processing personal data.
  • Data Processor: Entity processing personal data on behalf of a Data Fiduciary.
  • Data Protection Officer (DPO): Individual overseeing compliance with DPDPA and grievance handling.

Answer:
Consent is the cornerstone of lawful processing under DPDPA. It must be free, informed, specific, unambiguous, affirmative, and revocable. Organizations must provide a simple mechanism for Data Principals to grant, withdraw, and manage consent.

Q4: What rights do Data Principals have under DPDPA?

Answer:

  • Access, correction, and erasure of personal data.
  • Portability of data.
  • Right to withdraw consent at any time.
  • Right to grievance redressal.
  • Right to be informed of data processing activities.

2. About BRD-CMS

Answer:
It is a Business Requirements Document defining how a Consent Management System should be designed to comply with DPDPA. It outlines objectives, modules, functional requirements, and operational workflows.

Answer:
A CMS ensures:

  • Transparent and efficient consent lifecycle management.
  • Compliance with legal requirements under DPDPA.
  • Real-time updates and notifications to all stakeholders.
  • Immutable logging for audits and dispute resolution.

Q7: What are the core modules of the BRD-CMS?

Answer:

  • Consent Lifecycle Management (Collection, Validation, Update, Renewal, Withdrawal).
  • Cookie Consent Management.
  • User Dashboard (view history, modify/revoke consent, raise grievances).
  • Notifications (User alerts and Fiduciary/Processor alerts).
  • Grievance Redressal Mechanism.
  • System Administration (User role management, data retention configuration).
  • Logging and Audit Trails.

Answer:
CMS provides:

  • Clear cookie banners on first visit.
  • Granular preferences (essential, analytics, marketing, etc.).
  • Auto-expiry and logging of cookie preferences.
  • Multi-language support for inclusivity.

3. Consent Lifecycle & User Control

Answer:

  • Displays purpose-specific consent notices.
  • Requires explicit, affirmative action (no pre-checked boxes).
  • Logs consent metadata (user ID, timestamp, purpose ID, language).
  • Supports multi-language interfaces and accessibility standards.

Answer:

  • Real-time API checks before data processing.
  • Confirms consent status (active, expired, withdrawn).
  • Ensures processing does not exceed the originally agreed purpose.
  • Logs validation events for compliance.

Answer:
Yes.

  • Update: Modify existing consents when purposes change or new ones are added.
  • Renew: Reaffirm time-limited consents before expiry.
    Both actions generate updated consent artifacts and notify stakeholders.

Answer:

  • Users can withdraw consent via dashboard or app.
  • CMS stops all related data processing immediately.
  • Notifies all Fiduciaries and Processors.
  • Logs withdrawal events immutably for audit.

4. User Dashboard, Notifications & Grievances

Q13: What features does the User Dashboard provide?

Answer:

  • View complete consent history.
  • Modify or revoke consent instantly.
  • Raise grievances or data requests.
  • Track status of complaints or requests in real time.
  • Export consent history securely.

Q14: How are notifications managed?

Answer:

  • User Notifications: Renewal reminders, withdrawal confirmations, and data request updates.
  • Fiduciary/Processor Alerts: Secure API-based alerts for consent changes and compliance actions.
  • Multi-Channel Support: Email, SMS, in-app notifications.
  • Acknowledgment Tracking: Logs user and stakeholder acknowledgment of notifications.

Q15: How does CMS handle grievances and data requests?

Answer:

  • Simplified complaint forms with predefined categories.
  • Unique reference number for each grievance.
  • Real-time status updates and escalation workflows.
  • Integration with consent records for contextual handling.
  • Feedback collection on resolution quality.

5. Administration & Compliance

Q16: How does CMS manage user roles and permissions?

Answer:

  • Role-Based Access Control (RBAC) for admins, auditors, DPOs.
  • Multi-factor authentication and Single Sign-On (SSO) for admin accounts.
  • Logs all role assignments and modifications.
  • Supports real-time access revocation.

Q17: What about data retention and deletion?

Answer:

  • Configurable retention schedules for personal data and consent artifacts.
  • Automated secure deletion of expired data using cryptographic erasure.
  • Exception handling for data retained under legal mandates.
  • Full audit trail of retention and deletion activities.

Q18: How does CMS ensure auditability?

Answer:

  • Immutable audit logs capturing every action (grant, withdraw, update, validate).
  • Metadata includes user ID, purpose ID, timestamp, source IP, and cryptographic hash.
  • Role-based access to logs.
  • Audit-ready reports for regulators.

Q19: How secure is the CMS?

Answer:

  • TLS 1.3 encryption for all data transfers.
  • Cryptographically hashed audit logs to detect tampering.
  • MFA for administrative accounts.
  • Secure APIs and authentication for third-party integrations.

6. Business & Compliance Benefits

Q20: What benefits does CMS bring to organizations?

Answer:

  • Demonstrates regulatory compliance with DPDPA.
  • Builds trust with users by empowering them to manage their data.
  • Reduces risk of fines and penalties for unlawful processing.
  • Creates a single source of truth for all consent-related activities.

Q21: How does CMS help with regulatory audits?

Answer:

  • Provides structured, immutable audit logs.
  • Exports consent history and grievance records easily.
  • Enables quick response to regulatory requests.

Q22: Can CMS scale with growing user bases?

Answer:
Yes. The BRD specifies performance and scalability requirements:

  • Real-time APIs for millions of consent checks.
  • Efficient database and retention mechanisms.
  • Modular architecture to integrate with multiple services.

7. Key Takeaways

Q23: How does BRD-CMS align with DPDPA principles?

Answer:
It operationalizes the DPDPA’s requirements by:

  • Providing lawful, transparent, and revocable consent mechanisms.
  • Supporting data minimization and purpose limitation.
  • Enabling user rights and grievance mechanisms.
  • Ensuring audit readiness and secure data handling.

Q24: Where can I learn more about DPDPA compliance?

Answer:

  • Review the full text of the Digita