Glossary

This glossary defines important terms used across SAHAJ and the DPDPA (Digital Personal Data Protection Act, 2023) compliance ecosystem.
The terms are organized alphabetically.


🅱️

Breach Management

Processes and procedures for detecting, reporting, investigating, and mitigating personal data breaches. Under DPDPA, data fiduciaries must notify the Data Protection Board of India and affected data principals promptly.


🅲

Collection Point

The specific interface or touchpoint (web form, mobile app, call center, IoT device, etc.) where personal data is first collected from the data principal.

A freely given, specific, informed, and unambiguous indication of a data principal’s agreement to the processing of their personal data for a stated purpose.

A digital or physical record that evidences consent given by a data principal. Includes timestamp, purpose, scope, and revocation details.

A commercial or open-source platform providing tools for obtaining, storing, and managing consent across different systems and jurisdictions.

The technical and organizational infrastructure enabling organizations to collect, store, and process consent in compliance with privacy regulations.
(SAHAJ is an open-source CMS built for DPDPA compliance.)

The clearly defined objective for which a data fiduciary collects and processes personal data (e.g., billing, marketing, fraud detection). Consent must be purpose-specific.

A mechanism to inform users and obtain consent for cookies or similar tracking technologies on websites or apps.


🅳

Data Elements

Individual units of personal information collected or processed (e.g., name, email address, Aadhaar number). Each element may have its own sensitivity and legal implications.

Data Fiduciary

The entity (person, company, state body, or organization) that determines the purpose and means of processing personal data. Similar to “data controller” under GDPR.

Data Processor

Any person or entity that processes personal data on behalf of a data fiduciary. They cannot process data beyond the fiduciary’s instructions.

DPAR (Data Principal Access Request)

A request made by the data principal to access, correct, delete, or port their personal data held by a data fiduciary.


🅶

Grievance

Any complaint or issue raised by a data principal regarding the processing of their personal data, including misuse, unauthorized access, or lack of response to DPARs.


🅽

Notice

The disclosure provided by a data fiduciary to a data principal before or at the time of data collection, explaining the purposes of processing, retention period, and rights available.

Notice Orchestration

Coordinating, standardizing, and delivering notices across multiple channels (SMS, email, app notification, web UI) to ensure data principals are informed consistently.


🅿️

Personal Data Breach Artefact

A digital record detailing the nature, scope, and impact of a personal data breach. Includes when and how the breach was discovered, affected data subjects, and remediation measures.