FDPPI Eco-system of Data Protection Professionals

To all those who are associated with FDPPI as Members, Registrants for any paid services

Dear Friends

It is the desire of FDPPI/Naavi that all those who have been associated with FDPPI during the last 7 years of its existence should consider themselves to be forming an eco-system to drive a DPDPA compliance culture in the country.

We have all entered a new era of DPDPA implementation, and hence all those who are now preparing themselves to be DPOs and Data Auditors are considered the “NextGen DPOs” and “NextGen Data Auditors”, for whom DPDPA implementation is a certainty from 13th May 2027.

We ideally want all our members and associates to be actually “Certified” for C.DPO.DA. But we are aware that this may not be practical. Hence we want them to at least carry a participation certificate for our latest training program, even if they want to avoid the challenge of passing the examination. We are therefore trying to provide a free upgrade of knowledge to all our previously certified professionals, or those who have paid and registered in the National Register of Data Protection Professionals, by giving them an opportunity to attend our next Virtual program on request. Every such complimentary pass is worth Rs 25000/-, which we are donating to the creation of these NextGen data protection professionals.

I hope some will make use of this opportunity.

I wish all these persons will represent the future of DPDPA compliance in India. Some of them may look at generating revenue and building their career and some may continue their pro-bono work as “Privacy Mitras”.

Naavi/FDPPI, however, want the country to be full of empowered and knowledgeable Data Protection Professionals so that we stand out as one country which transforms itself into a DPDPA compliant society in the next decade.

Let us therefore look forward to the emergence of this new eco-system.

Reference: Also see here 

Naavi

 

Posted in Privacy | Leave a comment

DGPSI: Made in India Framework now for GDPR Compliance also

An Indian DPO often works in an environment where the organization encounters personal data coming under the jurisdiction of DPDPA as well as personal data coming under GDPR.

DGPSI recommends that data is classified with a “Jurisdiction Tag” so that data to which DPDPA is applicable is separated from data to which GDPR (or any other country’s law) is applicable.

Once this segregation is done, we will have different data buckets, one for each jurisdiction, making the application of controls easy.

While compliance for DPDPA is recommended to be built under the DGPSI-Full (with DGPSI-AI) or DGPSI-Lite frameworks, the bucket of GDPR data needs to be covered only under GDPR. Currently one framework option for this purpose is ISO 27701:2025.

However, DGPSI, which is basically a principle-based framework, is itself capable of being extended to meet the compliance requirements under GDPR.

To help professionals in being GDPR compliant along with DPDPA compliance, DGPSI has now been expanded to DGPSI-GDPR. It is still a 50 specification framework and includes some AI aspects also. Some of the specifications in the current version have been combined to keep the specification number count to 50.

This DGPSI-GDPR therefore becomes a “Made in India for the EU” framework, under which we recommend that Indian companies get certified by DGPSI auditors along with DTS maturity assessments.

The framework is being refined and will soon become a DPDPA-GDPR combo offer for implementation for companies who are Data Fiduciaries under DPDPA and Data Controller/Data Processor under GDPR. The first version of this framework will be discussed in the forthcoming C.DPO.DA. Certification program (Virtual) on December 20/21.

(P.S: The program will also discuss the Digital Omnibus Proposal of November 19 and the proposed GDPR Amendments.)

Interested persons may rush to register themselves asap. (The Early bird discount expires today.)

Check here for Registration


Change is continuous.. Be an Enriched and Elite Certified DPO…

When we last conducted a C.DPO.DA. program on November 1 and 2 at Mumbai, we called it an “Elite DPO” program because we had added DGPSI-AI into the curriculum which otherwise included the basic DPDPA law and Implementation challenges along with the implementation framework of DGPSI Full and DGPSI-Lite. We also briefly added the ISO 27701:2025 version to update the “Elite” Curriculum.

Before the examination for the candidates was due, the DPDPA Rules came into place on November 13. We conducted a supplementary session and included it in the examination that followed.

Now on November 19, GDPR has brought in several changes through the Digital Omnibus Rule which becomes relevant to DPOs who are also handling GDPR data in their organizations in India.

We have therefore decided that in the December 20-21 program, we shall “Enrich” the “Elite” curriculum with

a) DIGITAL Omnibus GDPR modifications
b) A brief coverage of DGPSI-GDPR as a framework

This will be in addition to the

1. Legal Nuances of DPDPA 2023 and DPDPA Rules

2. Implementation Challenges for DPDPA including Classification, ROPA, Governance Structure, DPIA etc

3. Role of DPO and Data Auditor

4. DGPSI as a tool for compliance implementation and audit

We do anticipate a shortage of time within the 12 hours allocated. We may therefore need to supplement the 12 hours of interaction with additional material for study in the form of Videos.

Hope participants would see the value of this enrichment, which only FDPPI can give.

The “Enriched, Elite C.DPO.DA program” comes with a price of Rs 25000/- till tomorrow EOD. Thereafter the price would be Rs 29500/- including the GST.

It is your right of choice to miss out on this special program…

Register today here 

Naavi


Amendments to GDPR

On 19th November 2025, the EU has proposed some amendments to GDPR through the “Digital omnibus Regulation” package which could be effective later in the year after necessary approval formalities.

The Digital omnibus package includes the Data Act which introduces a unified framework for data regulations. It merges and streamlines certain rules for enabling free flow of non-personal data regulation.

The following proposals are meant to amend GDPR; they address simplification of compliance for smaller businesses and clarify AI development.

1. Redefining “Personal Data”

The Package proposes two amendments to clarify the concept of “personal data” under the GDPR (references to the “Amended GDPR” relate to the GDPR as it would be amended under the proposals set out in the Package).

  • Definition of “personal data” (Art.4(1) Amended GDPR) – The definition of “personal data” under the Amended GDPR would be amended, effectively codifying the recent decision of the CJEU (Court of Justice of the EU).
    • The revised definition would clarify that information is not personal data for a given entity if that entity cannot identify the natural person to whom the information relates, taking into account “the means reasonably likely to be used” to achieve identification.
  • Pseudonymisation (new Art.41a Amended GDPR) – The Package also introduces the possibility that pseudonymised data may, in certain circumstances, no longer be considered personal data for certain entities.
    • The details of such circumstances would be specified through implementing acts adopted by the Commission.

2. Artificial Intelligence

Two additional proposals in the Amended GDPR address the processing of personal data when developing and deploying AI systems and models.

  • Processing for AI development (new Art.88c Amended GDPR) –
    • The Package includes a new provision to clarify that controllers can rely on legitimate interests under Art. 6(1)(f) Amended GDPR to process personal data for the development and operation of an AI system.
      • Such reliance would remain subject to the usual balancing test for legitimate interests, appropriate safeguards, and any EU or Member State laws that expressly require consent for the relevant processing.
  • Special category personal data (“SCD”) and AI systems (Art.9(2) & new Art.9(5) Amended GDPR)
    • The proposed amendments would allow residual processing of SCD in the context of developing and deploying AI systems and models, provided that the controller “effectively protect[s] without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties”.
      • The proposed addition of Art.9(5) in the Amended GDPR also makes clear that, as a general rule, SCD should not be used for the development or operation of AI systems.

3. Key Operational Amendments

The Package also proposes to revise several practical data protection obligations, including data subject access requests (“DSARs”), personal data breach notifications, and data protection impact assessments (“DPIAs”).

  • (a) DSARs (Art.12(5) Amended GDPR) –
    • The proposed amendment introduces a new ground for refusing (or charging a reasonable fee for responding to) a DSAR where “the data subject abuses the rights conferred by [the Amended GDPR] for purposes other than the protection of their data” (emphasis added).
      • The scope of this exemption remains uncertain, including whether it could assist organisations in responding to a DSAR submitted in litigation, where the purpose of the DSAR appears to be to obtain information for use in that litigation.
  • (b) Personal data breach notifications (Art.33 Amended GDPR) –
    • The proposed amendment would:
      • (i) raise the threshold for notifying data protection supervisory authorities (“SAs”) regarding personal data breaches, aligning the threshold in the Amended GDPR with the threshold for notifying data subjects (i.e., only where a breach “is likely to result in a high risk to the rights and freedoms of natural persons”);
      • (ii) extend the deadline for notifying SAs from 72 to 96 hours; and
      • (iii) introduce a single-entry point for incident reporting (once established), which would also act as the single-entry point for various other related notifications (e.g., under NIS2 / DORA).
      • In addition, the European Data Protection Board (“EDPB”) would be mandated to prepare a common notification template and a list of circumstances in which a breach is likely to result in a high risk to an individual’s rights and freedoms, with both instruments subject to review at least every three years and updates where necessary.
  • (c) DPIAs (Art.35 Amended GDPR) –
    • The proposed amendment would harmonise DPIA requirements across the EU through EU-wide guidance.
      • Under this approach, the EDPB would compile unified lists of processing activities that do or do not require a DPIA, and create a standard DPIA template and methodology.
      • Once approved by the Commission, these EU-wide lists would supersede national lists, ensuring that organisations face the same DPIA triggers across all Member States. Any national lists already published by SAs would continue to apply until the Commission adopts the relevant implementing act.
  • (d) ROPA exemption to SMCs (Small midcap companies*) and SMEs
    • The omnibus package extends the exemption to SMCs and SMEs (less than 250 employees) under Article 30(5) to apply only to “high risk” processing such as AI profiling or biometrics, and removes disqualifiers like occasional processing or special category data (except employment-related under Article 9(2)(b)).

(* SMCs are defined as .. fewer than 750 employees, total balance sheet not exceeding EUR 129 million, an annual net turnover not exceeding EUR 150 million. SMEs are currently defined as enterprises with under 250 employees, combined with an annual turnover up to 50 million euro or a balance sheet total up to 43 million.)

  • (e) Cookie Banners and ePrivacy:
    • The package integrates ePrivacy rules into GDPR, enabling one-click accept/refuse for cookies, with choices respected for 6 months.

It is observed from the suggested changes that EU authorities are correcting some of the stringent provisions in the earlier version.

In the DGPSI-GDPR version of the framework being developed by FDPPI, these changes will be used, though they become legally effective subsequent to necessary clearances.

The change to the definition of Personal Data to exclude data which cannot be reliably identified with a natural person is the principle already adopted under DGPSI, where only a “Set of data elements” which together identify an individual is considered as “Personal Data” and not otherwise. Exclusion of “Pseudonymised Data” from the definition aligns with the definition of “Anonymisation” where the user of the data cannot identify the individual.

The changes in the DSAR are similar to the RTI regulation in India, where the Right to information is denied when it is requested in support of an intended litigation.

Naavi

Reference:

Proposed Amendments to GDPR

All amendments:

Digital Omnibus Proposal

Annexes


An Expert DPO is not created in a day…FDPPI understands this and incorporates it in its C.DPO.DA. program

The C.DPO.DA. program conducted by Naavi/FDPPI is unique since those who attend the program and get certified by passing the examination will get a free membership of FDPPI for one year along with an opportunity for receiving ongoing mentoring to make their life as a DPO more productive. During this period, short of consultancy, you can get personal advice on issues that you may encounter during your DPO role.

We believe that an Expert DPO cannot be created in a day, however good the training is. It requires the professionals to digest the concepts, apply them in practice and refine their understanding.

Is there any organization that provides a similar handholding…?

Naavi

 


Your CDPO certificate should be “Earned”. It is not just a feather to be bought in the market.

This is in continuation of my response to the question raised by a professional on why anybody should choose FDPPI Certification instead of other certifications available at a lesser cost.

Naavi’s views on the commoditization of “CDPO” as a tag that can be acquired just by registering for an online webinar.

Being a “CDPO” does not end with only knowing DPDPA 2023. It should try to equip the professional with the ability to take the responsibility of being a DPO.

We observe that there is a proliferation of “CDPO” courses to take advantage of the rush in demand for professionals to be “Certified as CDPO”.

While it is good that there are many organizations who are into providing education related to Data Protection, just as it has happened in the ISO certification game, “CDPO” certificates have become a commodity on sale or close to being so.

This should stop.

If anybody can register themselves for a webinar and be called “Certified” DPO, it would dilute the quality of other DPOs who with years of experience and hours of effort try to understand the application of the law into the technical environment in a systematic manner.

There are three elements of being a good DPO. First they should understand the law. Second they should understand how technical architecture has to be re-built to meet the legal requirements. Third, there should be a handbook for guidance of how to meet the requirements.

Lastly, “Participation” in a program is necessary but not sufficient to consider a person “Certified”.

FDPPI therefore provides “participation Certificates” different from the final “Certificate” which is issued only after a successful completion of an examination. “Evaluation based certificates” are different from “Participation Certificates”, both of which have their values but Evaluation based certificates are distinctly superior to Participation certificates.

FDPPI does not end its Certification training with classes on DPDPA 2023 only but discusses the technical challenges and extends it with a “Framework” as a guideline. The “Framework of FDPPI” for DPDPA Compliance is DGPSI which is available as an open source framework both in “Lite” version as well as “Full Version” with an extension for AI Deployment.

At present there is no other training program that discusses a DPDPA Compliance framework along with the DPDPA law and Implementation challenges.

We want professionals who are aiming to acquire “Knowledge and Skills” not to fall into the trap of picking up “Webinar Participation Certificates” and calling themselves “Certified”.

I hope organizations who recruit DPDPA Trained professionals distinguish the two kinds of certificates and ask “Where were you Certified and How?” before accepting anybody as a “Certified DPO”.

FDPPI’s C.DPO.DA. program is conducted in offline and online modes from time to time. The next program is being conducted online on December 20 and 21, for which registrations are now open.

Fees for early birds up to the 12th is Rs 25000/-. Subsequently it will be Rs 29500/- with GST.

It is a comprehensive program which covers the law, the technology challenges as well as the implementation framework. The 12 hour online session is supplemented with another 12 hours and 43 minutes of recorded videos which include GDPR coverage in detail. Reading material and recommended books make the kit of the “Certified” professional complete.

The C.DPO.DA. participants get 12 hours of CPE credit and a participation certificate which is different from the final certificate which is issued to those who pass a three hour online examination.

Yes..it is tough to be a C.DPO.DA. from FDPPI but we want “Certificates” to be earned.

All participants of the FDPPI course also get one year complimentary membership of FDPPI for continued interaction with like-minded professionals. This will enable the participants to continue to be under mentorship of FDPPI/Naavi when they have to implement their acquired knowledge in practice.

So, think before you choose how you are to be “Certified” as DPO.

I hope my friend who asked the question “Why FDPPI” is satisfied.

Any other comment is welcome.

Naavi
