The concept of “Consent Manager” in DPDPA 2023 is not understood by many. It is obviously a registered Data Fiduciary with necessary infrastructure to get themselves appointed by data principals. The registration will require some conditions that Meity may prescribe.
Such conditions may include the Capital and Networth consideration, expertise, information security etc. The ownership of the consent manager as a company, whether it can be owned by foreign interests, will there be a “Fit and Proper Criteria” will there be a minimum period for withdrawal from business, the distance to be kept with Data Fiduciaries etc need to be specified or factored.
One of the recommendations we have is to encourage Consent Managers as sector specific experts so that they will be able to provide better assurance to the data principals.
DGPSI will be working on such sector specific compliance guidelines as part of its development of detailed guidelines.
In the process FDPPI may also develop Consent Manager-DTS or CM-DTS as an indicator of the maturity of compliance as a Data Fiduciary engaged in the service of a C0nsent Manager.
It is possible that the Meity may come up with its own version of rules without taking into account all the requirements that we may suggest. But we hope that the guidance developed by the DGPSI team being the experts in Data Protection will eventually be a “Best Practice”.
To enable this it is better if MeitY does not come up with rigid rules and leave flexibility for compliance.
Naavi