Currently, data processing activity done by data processors are subject to things defined in Data Sharing Agreement and data fiduciary has lot of checklists.
Post DPDPA, data processors are also mandated to process data when consent is collected and here trouble starts. When my data fiduciary passess me data then do I blindly trust them and assume that consent is there with them or should I verify the consents prior to processing of data? What do you recommend and why?
The world we live in today is a result of misplaced trust in data fiduciaries—organizations that collect and manage our personal data. Think about how often you receive unwanted calls about loans, credit cards, or other services. Ever wondered how they got your number?
Here’s how it works:
Data Brokers Sell Your Information - Companies or marketing agencies obtain personal data from brokers. Most of the time, this data is either illegally sourced or leaked.
No Consent Verification - These agencies then use this data to send marketing messages through WhatsApp, SMS, IVR calls, emails, and other platforms. The problem is that none of these service providers check whether the person actually gave consent for their data to be used.
Legal or Illegal? No One Cares - The companies processing this data don’t verify whether it was collected legally or illegally. They simply act on it, leading to a cycle of spam, privacy violations, and data misuse.
How DPDPA Fixes This Problem
The Digital Personal Data Protection Act (DPDPA), 2023 introduces a major change: machine-readable consents. That means:
Instead of blindly trusting the data fiduciary (the company collecting your data), data processors must now verify consent in real-time before using any personal data.
Companies cannot just rely on the data they receive; they must ensure that explicit consent has been given for its use.
The Bottom Line: Do Not Trust Data Fiduciaries
Given the current state of data misuse, my answer to whether you should trust data fiduciaries is a big NO. Moving forward, data processors must take responsibility for verifying consent instead of assuming that the data fiduciary has done the right thing. This is the direction we are heading with DPDPA, and it is a necessary step toward true data privacy and accountability.
