Redacto designs to protect your privacy
DT Next speaks to Amit Kumar, Vaibhav Sharma and Shashank Karincheti of Redacto, one of 6 firms selected by the IT Ministry to pilot the blueprint for a system based on the Digital Personal Data Protection Act.
Vaibhav Sharma, Amit Kumar and Shashank Karincheti of Redacto
CHENNAI: With only an 18-month compliance window in place for India’s Digital Personal Data Protection Act (DPDP), the tech-privacy ecosystem is preparing for significant changes. From fintechs and lenders to hospitals and delivery apps – every business that handles personal information must be able to show why it collects that data, how long it retains it, and whether the user clearly agreed to it. Redacto is a one-year-old company selected by the Ministry of Electronics and IT (MeitY) as one of six firms to pilot a blueprint for a privacy architecture that could be adopted nationwide. Excerpts follow...
What parts of DPDP compliance does Redacto actually automate?
Every enterprise takes personal information, stores it and eventually has to remove it when the purpose ends. We automate that entire journey. If either a regulator or a user asks where a particular name or phone number came from, why it was taken and where it is stored now, our system can show it. We record consent at the point of entry, track how data spreads across an organisation and help purge it when it is no longer needed. Our products cover consent management, data governance and third-party oversight. They ensure that data coming in, moving inside and going out is all accounted for.
How does this work inside a company’s system?
When someone signs up through a website or an app, Redacto becomes part of that flow and captures consent. Once that data moves into the company’s cloud or internal systems, our data governance tool identifies what information has come in and where it sits. If the data flows to an external vendor, our third-party risk tool tracks it. So the entire life cycle is visible.
How did you get shortlisted under the Code for Consent challenge?
MeitY asked companies to bring a blueprint for a privacy architecture that could be adopted across the country. They wanted working designs and code. From 50 applicants, 6 were shortlisted. Our design was scalable and secure enough to work at a national level. We’re not a government intermediary. It only means our approach met their criteria for the pilot.
How does the relationship between companies and the government change after DPDP?
Over the last decade, digitisation has expanded across payments, insurance, health records and almost every sector. But privacy was not given enough attention and that’s why data leaked frequently. Under the DPDP, citizens now have rights over their own data. They can ask why it’s being collected, they can choose to give or refuse consent and they can ask for deletion. That did not exist earlier in any meaningful way. Even basic things like giving your mobile number at a shop or restaurant had no transparency. You had no control over where it went. Now the business is responsible for stating clearly why they need it and cannot force you to agree unless it’s essential for the service.
Who is a third party under DPDP? How are they monitored?
A third party is anyone the company uses to process data. For example, when you open a savings account, your information goes to a video-KYC provider. That provider is a third-party processor. Earlier, if a vendor leaked data, nobody took responsibility. Under DPDP, if a breach happens at the vendor, the penalty still comes to the main company. That forces businesses to monitor their vendors more closely. Redacto detects which vendors receive what data and can send deletion requests to them when a user invokes the right to be forgotten.
Will this make data-sharing journeys more complicated for end users?
It actually makes them simpler. Instead of a long terms-and-conditions link that nobody reads, businesses now have to clearly spell out how they plan to use your phone number or email. If you do not want that, they cannot force you. For users, the change will show up in clearer checkboxes and the ability to revoke permissions.
What are the top DPDP requirements that startups are unprepared for?
Consent management, data audits and the right to be forgotten. These are the biggest gaps. Companies now have to understand not just future data but everything they collected in the past and why they still have it.
What misunderstandings do you see among founders about DPDP?
Many think the law is just control or just compliance but the goal is to give citizens more protection. Businesses now have a duty to honour that. There will also be a learning curve for consumers who will now see consent options that never existed before.
What happens next as companies begin implementing DPDP?
Once businesses adopt the technology, there will be a period where consumers also have to learn what consent means and what choices they have. That awareness will grow over time. The last decade was about digitising everything. The next one will be about doing it in a way that keeps the citizen in control of their information.