Every organisation in India holds two types of capital it does not measure. The first is trust capital — the accumulated goodwill from how it handles personal data. The second is Consent Capital.
Consent Capital is the documented, verifiable, legally defensible record of every consent collected from every data principal. It includes the timestamp, the specific purpose, the mechanism used, the language presented, and the withdrawal pathway provided.
Most organisations treat consent as a compliance checkbox. It is not. It is a financial instrument.
Why consent is capital
Consent enables processing. Processing enables revenue. Without valid consent, the processing is unlawful. Without lawful processing, the revenue is built on a liability.
A SaaS company with 500,000 users and no documented consent register does not have 500,000 customers. It has 500,000 potential complainants to the Data Protection Board.
The same company with a documented, Rule 3 compliant consent register has something its competitors do not: legal certainty that every processing activity is authorised. That certainty is an asset. It survives M&A due diligence. It passes enterprise procurement. It defends against Board proceedings.
How to measure Consent Capital
Consent Capital has three dimensions:
- Completeness: what percentage of your data processing activities have valid, documented consent? If the answer is less than 100%, the remainder is unconsented processing — a DPDPA violation.
- Currency: when was each consent last reviewed against current processing activities? Consent obtained 18 months ago for "service improvement" does not cover the AI model training your data science team started six months ago.
- Defensibility: if the Board examined your consent register tomorrow, would every entry satisfy Rule 3? Specific purpose? Clear language? Withdrawal mechanism? Timestamp?
Consent Capital = Completeness × Currency × Defensibility. If any dimension is zero, the product is zero. Zero Consent Capital means zero legal defence.
"Your data map is your defence map. If you do not have one, you do not have a defence."
— Anandaday Misshra
Do this now
Pull your consent register. If you do not have one, that is the answer. If you do, check three things: does it cover every processing purpose? When was it last updated? Does the format satisfy Rule 3? Score yourself on each dimension from 0 to 10. Multiply. That is your Consent Capital score.