The Evolving Landscape of Data Valuation

For years, the phrase “Data is the new oil” was thrown around as a vague corporate cliché. Today, that narrative has  shifted from an abstract marketing pitch into a measurable, techno-legal reality. Driven by incoming international accounting frameworks, local regulatory mandates, and indigenous governance models, India is establishing a structured environment where data is recognized not just as an operational by product, but as a quantifiable financial asset.

Evaluating the multi-layered initiatives across India reveals how different agencies are approaching data valuation, along with their current operational status.

1. Macro-Government & Policy Initiatives: The Public Sector Shift

The government has recognized that to build a true digital economy, the state must find a uniform way to measure digital assets.

  • MoSPI and SNA 2025 Adoption: The Ministry of Statistics and Programme Implementation (MoSPI) has actively engaged with the United Nations System of National Accounts (SNA 2025) guidelines. These standards formally recognize data as an economic factor of production. Government committees are currently outlining how public sector undertakings (PSUs) should officially categorize and track data assets.

  • The CAG Mandate: The Comptroller and Auditor General (CAG) of India has signalled a clear need to capture the intrinsic value of data repositories within public asset reporting.

  • Current Status: In Development/Policy Phase. Draft frameworks are under review to determine how state-owned data exchanges and infrastructure datasets can be accounted for without compromising national security or individual privacy.

2. Regulatory Compliance Drivers: The DPDP Act & Toxic Data

The rollout of the Digital Personal Data Protection Act (DPDPA) has upended traditional data accumulation strategies. Data valuation in India can no longer be evaluated through the lens of potential monetization alone; it must be balanced against statutory liability.

  • Asset vs. Liability Dynamics: With penalties reaching up to ₹250 crore per non-compliance instance, unconsented, poorly structured, or “zombie” data is no longer an asset—it is an active balance sheet liability.

  • Current Status: Active Enforcement Preparation. Organizations are actively filtering their datasets to compute their “clean data” volume. Under this model, data value dynamically depreciates the moment a Data Principal withdraws consent or the processing purpose expires.

3. Indigenous Institutional Frameworks: DGPSI and DVSI

While traditional accounting standards (like Ind AS 38) remain highly conservative about capitalizing internally generated data, pioneering frameworks within India have stepped forward to fill the gap.

  • Data Governance and Protection Standard of India (DGPSI): Developed by FDPPI, DGPSI has embedded financial data valuation directly into its governance specifications. Specifically, Model Implementation Specification 9 (MIS-9) explicitly requires organizations to establish a policy assigning a notional financial value to distinct datasets. This ensures the board has visibility into the economic worth of the data assets they oversee. DGPSI’s metric—the Data Trust Score (DTS)—serves as a core indicator of how compliance directly protects and enhances an asset’s baseline value.

  • Data Valuation Standard of India (DVSI): Operating alongside DGPSI, the DVSI model introduces a specialized two-stage valuation methodology. It calculates the intrinsic cost of data (using classic cost of acquisition or market parameters) and applies a dynamic multiplier index based on legal compliance, data accuracy, and cryptographic protection.

  • Current Status: Operational/Implementation Phase. The newly launched Association of Independent Data Auditors (AIDAI) is actively training and empanelling Certified Independent Data Auditors (CIDAs) to handle data audits that combine compliance testing with these advanced data valuation techniques.

4. Valuation in Insolvency and Distress: The IBC Track

The most concrete financial realizations of data value are currently occurring under distressed corporate conditions.

  • Insolvency and Bankruptcy Code (IBC), 2016: Resolution Professionals (RPs) and Registered Valuers regularly encounter scenarios where a failed startup, fintech platform, or e-commerce provider holds minimal physical assets, but possesses massive, highly structured user databases and proprietary transaction algorithms.

  • Current Status: Fully Functional Legal Practice. Courts and liquidators treat these data stacks as intangible corporate property under Section 36 of the IBC, utilizing Income or Market-driven slump sales to maximize recovery returns for creditors.

Reconciling Value and Responsibility: The “Data Balance Sheet”

The convergence of these initiatives points toward a inevitable destination: the Data Balance Sheet. Under a double-entry governance framework, personal data under management must be accounted for simultaneously as an economic asset and a corresponding contingent liability (accounting for potential data breaches, regulatory fines, and remediation costs).

Organizations that wait for standard accounting boards to hand down a rigid template will find themselves exposed to severe regulatory and financial risks. Relying on frameworks like DGPSI to understand exactly what data you possess, what value it generates, and what risks it carries is no longer just a compliance choice—it is a baseline requirement for modern corporate sustainability.

(To Be continued)

Naavi

Posted in Privacy | Leave a comment

Let us not be blind to the value of Data

We often discuss the concept of Data Processing under “Data Blind” conditions.  It essentially means that the processor does not have access to identifiable personal data which he is processing. The system is suggested for “Consent Managers”.

We are however discussing another aspect of “Being Blind to the Value of Data”.  There are two examples in India where an organization being “Data Value Blind” suffered adverse consequences. One was Net4India which was liquidated probably because NCLT was blind to the value of data in the organization. Second was the case of CIBIL which quietly transferred data worth around Rs 700000 crores to a foreign organization for a mere Rs 3800 crores.

On the other hand there are multiple examples in US where data valuation has been used to ward off bankruptcy proceedings.

If you are interested in this topic of “Data Valuation”, Please be present on July 17 at Palmgrove, Chennai where FDPPI/AIDAI will be discussing the issues on Data Valuation. (Check for details at www.aidai.org.in)

Naavi

Posted in Privacy | Leave a comment

What you will miss if you don’t attend this seminar in Chennai

FDPPI and AIDAI (Association of Independent Data Auditors” in association with the Society of Auditors, Chennai.

There are three important educative sessions planned for the seminar.

  1. The role of Independent Auditors as “Guardians of Accountability”
  2. Data Valuation
  3. Need for Chartered Accountants and Advocates to look at Data Audit as a professional add on service. (Panel Discussion involving industry veterans)

Interested persons may register immediately.

REGISTER HERE: 

(Registration fee: Rs 500/-: May be paid here: )

Naavi

 

Posted in Privacy | Leave a comment

Listen to this Explanation of the Karnataka High Court judgement..

 

A More detailed audio podcast is also available here:

Kannada Discussion:

The above podcasts are explainers of the blog post but would be useful for a deep dive. Kindly go through and let me know your comments.

These are produced using AI . However base content is from me and the audios/videos have been reviewed manually. Hence use of AI is only to assist me.  AI is only a software tool in this context.

Naavi

Posted in Privacy | Leave a comment

The Manipal Hospital Judgment: Every HR Document is an Electronic Record with Legal Consequences

The Karnataka High Court, in an important judgment delivered on July 2, 2026, has reminded organizations that employment disputes should not be converted into criminal prosecutions without adequate legal foundation.

(See: Indian Express : Medicaldiologues :  Court Proceedings in YouTube)

In a judgment delivered by Honourable Justice M. Nagaprasanna, the Court strongly criticized the decision of Manipal Hospital to pursue criminal proceedings against a distinguished oncologist who had served the institution for nearly nineteen years before moving to Aster Hospital in a higher position.

While the judgment provides relief to an individual doctor, its significance extends much beyond the parties to the dispute. It highlights an often-overlooked reality of the digital era—that employment records are no longer mere HR documents. They are electronic records capable of becoming crucial legal evidence.

The Background

According to the complaint filed by Manipal Hospital, the doctor resigned from service in 2022 after nearly two decades of association and was formally relieved with appreciation.

About three months later, Manipal Hospital reportedly received, through e-mail from the background verification agency DataFlow, a copy of an experience certificate purporting to have been issued by the Hospital and bearing what was alleged to be the signature of one of its officials.

The Hospital considered the signature to be forged and initiated criminal proceedings by filing a private complaint.

The Police investigated the complaint and submitted a B-Report, indicating that no criminal offence appeared to have been made out. Dissatisfied with this conclusion, the complainant filed a protest petition, following which the Magistrate took cognizance and issued summons to the doctor.

The doctor challenged these proceedings before the Karnataka High Court.

The High Court Restores Judicial Balance

Quashing the proceedings, the High Court observed:

“Such cases should not be even permitted to be tried; the concerned court has erred in taking cognizance of the offence against a doctor and issuing summons without even looking at the documents which were produced at the time when the B report was filed. Therefore, the further proceedings, if permitted to continue, would on the face of it be an abuse of process of law and result in miscarriage of justice.”

During the hearing, the Court also orally advised the Hospital:

“Allow doctors to treat patients. Do not drag them into your inter-hospital disputes.”

Equally noteworthy was the Court’s refusal to permit retaliatory proceedings for malicious prosecution. Thus, while protecting the doctor from an unwarranted criminal trial, the Court also discouraged unnecessary escalation of litigation.

This balanced approach deserves appreciation.

A Forgotten Lesson from the Satyam-UPaid Litigation

The facts of this case immediately reminded me of the well-known UPaid-Satyam controversy that surfaced nearly two decades ago.

UPaid had engaged Satyam Computer Services for software development that later became the subject matter of patent litigation involving Qualcomm and Verizon. During the proceedings, intellectual property assignment documents allegedly signed by software developers assumed great significance.

Two former Satyam employees, who had by then joined Qualcomm and Verizon respectively, denied that the signatures appearing on the assignment documents were theirs.

At that time, Business Standard reported:

“UPaid had filed this case against Satyam in 2007. Satyam had done a project between 1997 and 2002 for which it got $10 million, partly in shares due to UPaid’s inability to pay cash. When UPaid wished to patent the technology, Satyam needed to provide signatures of the people who worked on the technology. Though the company gave UPaid the signatures, some of these employees had moved out.

When UPaid received the patent, it filed a suit against Verizon Wireless and Qualcomm in 2005, as they were using the company’s patented technology. However, one of the former Satyam employees had moved out of the company and joined Verizon. He said the signature was not his.”

The litigation ultimately culminated in a settlement reportedly involving nearly USD 70 million.

Whether or not the disputed signatures were actually forged was less important than the governance lesson that emerged. Employment-related documentation, once produced before a Court, assumes enormous evidentiary significance. A document casually prepared today may become the deciding factor in litigation years later.

The Missing Governance Perspective

The High Court was rightly concerned with the sustainability of the criminal proceedings against the doctor. However, from a governance perspective, another question deserves academic consideration.

How did the disputed experience certificate originate?

If the investigation had proceeded from the standpoint of document governance, several questions might naturally have arisen:

    • Did an original signed experience certificate actually exist?
    • Was the document generated electronically for verification purposes?
    • How did the background verification agency obtain the document?
    • Was the signature reproduced from another legitimate record?
    • Was the document created by someone attempting to facilitate verification without appreciating its legal consequences?
    • Did the prospective employer specifically require such a certificate?

These questions are raised purely for academic discussion. There is no material presently available in the public domain to suggest wrongdoing by the background verification agency or any other participant.

The purpose of raising these questions is only to demonstrate how forensic examination of electronic records would ordinarily proceed.

Every HR Document Is an Electronic Record

More than twenty-five years ago, the Information Technology Act, 2000 recognized the legal validity of electronic records. Today, the Digital Personal Data Protection Act, 2023 reminds organizations that employee records are also personal data requiring appropriate governance.

Yet many organizations continue to treat HR documentation as routine administrative paperwork. That approach is no longer adequate.

Experience certificates…

Relieving letters…

Employment verification responses…

Background verification reports…

Promotion letters…

Digitally signed approvals…

Every one of these documents is an electronic record capable of becoming evidence before a Court. Every one of them carries legal consequences.

The DGPSI Perspective

From the standpoint of the Data Governance and Protection Standard of India (DGPSI), this case demonstrates why HR documentation deserves the same governance standards applied to financial records.

Organizations should implement documented controls covering:

    • Creation and authorization of employment records.
    • Digital authentication and approval mechanisms.
    • Version control and document integrity.
    • Audit trails for every modification.
    • Secure storage and transmission.
    • Formal procedures for responding to background verification requests.
    • Record retention and secure destruction.
    • Periodic Cyber Law awareness training for HR personnel.

Many cyber incidents are not failures of technology. They are failures of governance.Technology merely exposes them.

Hospitals Carry a Higher Fiduciary Responsibility

Hospitals are unlike ordinary commercial enterprises.  They occupy a fiduciary position in society because they deal with human life itself.

Professional differences between hospitals, doctors, recruiters and verification agencies should therefore be handled with restraint unless supported by compelling evidence of criminal misconduct.

The Court’s observations are therefore a timely reminder that criminal law should never become an instrument for resolving competitive employment disputes.

Naavi’s Governance Takeaway

This judgment offers several practical lessons for every organization.

First, every HR document should be treated as a legally significant electronic record.

Secondly, background verification processes should be governed by documented procedures identifying who may issue responses, how authenticity is verified and how audit trails are preserved.

Thirdly, organizations should progressively replace scanned signatures with stronger authentication mechanisms such as digital signatures, secure verification portals or verifiable electronic credentials.

Fourthly, Cyber Law awareness should extend beyond IT departments. HR personnel, recruiters, administrators and vendor managers routinely handle electronic records that may later become legal evidence.

Finally, Data Protection Officers, Chief Information Security Officers and HR Heads should work together. Employee records constitute personal data under the Digital Personal Data Protection Act and require governance over their integrity, confidentiality, authenticity and lawful disclosure.

The Larger Lesson

The importance of this judgment lies not merely in protecting one doctor from an unwarranted criminal trial. Its enduring value lies in reminding organizations that governance begins long before litigation.

Every experience certificate, relieving letter, employment verification response or digitally exchanged HR document becomes part of an organization’s trust architecture.

When questioned before a Court, the issue is no longer whether the document originated in the HR Department. The question is whether the organization can demonstrate its authenticity, integrity, provenance and accountability.

If the answer is uncertain, the governance process—not merely the document—requires strengthening.

That, in my view, is the enduring lesson emerging from the Karnataka High Court’s judgment.

Every HR document is also a Cyber Law document.

Naavi

Posted in Privacy | Leave a comment

The Emergence of the “Super Data Fiduciary” A DGPSI Governance Concept for Complex Enterprise Ecosystems under DPDPA By Naavi

In February 2025, Naavi.org first discussed the concept of a “Super Data Fiduciary” in the context of the hospitality industry such as property sharing. In February 2026, we also discussed the concept in the context of Education Industry”.  In this article we have taken the example of the Hospital industry and discussed how this concept is relevant.

One of the notable strengths of the Digital Personal Data Protection Act, 2023 (DPDPA) is its principle-based drafting. Instead of prescribing rigid organizational structures, the Act defines broad responsibilities and leaves organizations the flexibility to implement governance mechanisms appropriate to their business models.

This flexibility is particularly valuable because the architecture of modern enterprises has evolved far beyond the traditional “one company–one business–one customer relationship” model.

Today, organizations increasingly operate as enterprise ecosystems. A single trusted brand may represent dozens—or even hundreds—of legally independent entities connected through ownership, management agreements, franchise arrangements, joint ventures, shared digital platforms, centralized AI systems, and common governance structures.

To the customer, the enterprise appears to be one organization. To the Companies Act, it is many. This divergence creates one of the most significant governance challenges in implementing DPDPA.

The Data Governance and Protection Standard of India (DGPSI) addresses this challenge by introducing a governance concept known as the Super Data Fiduciary.

It is important to clarify at the outset that the Super Data Fiduciary is not a new statutory category created by DPDPA. Nor should it be confused with the Significant Data Fiduciary (SDF) notified by the Central Government under Section 10 of the Act.

Rather, it is a governance designation created within the DGPSI family of sector-specific compliance frameworks to establish enterprise-level accountability wherever multiple autonomous Data Fiduciaries operate under a common identity.

The Classical DPDPA Model

DPDPA recognizes two principal operational actors:

    • Data Fiduciary
    • Data Processor

A Data Fiduciary determines the purpose and means of processing personal data.

This model functions effectively where a single legal entity independently manages its processing activities. However, contemporary business organizations rarely fit this model. The digital economy increasingly consists of networks of legally distinct entities that collectively deliver a seamless customer experience.

The legal model remains fragmented. The customer experience is unified.

Trust is Reposed in the Brand, Not the Corporate Structure

Consider a nationally recognized healthcare brand such as Apollo Hospitals.

Apollo serves as an excellent illustration—not because it is unique, but because it reflects a governance model that is becoming common across industries.

Today, the Apollo ecosystem includes entities operating under a variety of legal arrangements:

    • wholly owned hospitals,
    • managed hospitals,
    • joint venture hospitals,
    • franchise hospitals,
    • diagnostic centres,
    • pharmacies,
    • home healthcare services,
    • telemedicine platforms,
    • centralized appointment systems,
    • digital health applications.

Many of these may be separate legal entities.

Yet no patient walks into a hospital asking,

“Which incorporated company owns this facility?”

The patient simply says,

“I am going to Apollo.”

The trust relationship exists with the brand. The privacy expectation also exists with the brand. The Data Principal neither knows nor reasonably expects to know the legal complexity behind the enterprise.

The Governance Challenge

Consider a common situation.

A patient undergoes treatment at one Apollo hospital. Several months later, the patient visits another Apollo hospital in a different city. The doctor accesses earlier medical records.

From the patient’s perspective, this continuity of care is expected. However, several governance questions immediately arise.

    • Which hospital is the Data Fiduciary?
    • Which entity obtained the original consent?
    • Which entity authorized inter-hospital data sharing?
    • Who must respond to a request for correction?
    • Who determines retention periods?
    • Who becomes accountable if data is disclosed improperly?

The answers are no longer confined to one organization.

Distributed Processing Means Distributed Responsibility

Modern healthcare is supported by interconnected digital infrastructure.

# Appointments may be booked centrally. Electronic Medical Records may be maintained on enterprise cloud platforms.

# Diagnostic laboratories may be located elsewhere.

# AI systems may analyse radiology images.

# Telemedicine consultations may be delivered from another city.

# Billing may be centralized.

# Patient relationship management may be managed by another company.

# Each participating entity processes personal data.

# Some determine purposes. Some determine means. Some merely process on behalf of others. Others establish governance policies affecting every participant.

The traditional distinction between Data Fiduciary and Data Processor is therefore insufficient to explain enterprise accountability.

The Missing Layer

Large enterprise ecosystems almost always contain an organization that performs functions extending beyond any individual operating company.

This organization may:

    • own or license the brand,
    • prescribe enterprise privacy policies,
    • establish cybersecurity architecture,
    • operate centralized digital platforms,
    • define AI governance,
    • standardize consent mechanisms,
    • govern cross-entity data sharing,
    • prescribe compliance standards,
    • conduct enterprise audits,
    • manage reputation risk.

Although it may not directly provide healthcare, retail services, education, hospitality, or banking, it exercises substantial influence over how personal data is governed throughout the ecosystem.

DGPSI identifies this governance layer as the Super Data Fiduciary.

What is a Super Data Fiduciary?

Within DGPSI, a Super Data Fiduciary is an enterprise-level governance entity that exercises strategic oversight, standardization, and accountability across multiple autonomous Data Fiduciaries operating under a common brand, platform, or governance structure.

The Super Data Fiduciary does not replace individual Data Fiduciaries.

Nor does it dilute their statutory responsibilities.

Instead, it provides enterprise governance wherever multiple organizations collectively create a unified customer experience.

The model introduces layered accountability rather than centralized liability.

A Layered Accountability Framework

Under the DGPSI model, accountability exists at two distinct levels.

Individual Data Fiduciaries

Each hospital, college, retail outlet, hotel, or financial institution remains responsible for:

      • complying with DPDPA,
      • obtaining consent where necessary,
      • protecting personal data,
      • responding to Data Principal requests,
      • implementing local security measures,
      • reporting personal data breaches,
      • maintaining statutory records.

Super Data Fiduciary

The enterprise governance layer becomes responsible for:

      • enterprise privacy governance,
      • common data governance architecture,
      • AI governance,
      • cybersecurity standards,
      • centralized digital infrastructure,
      • inter-entity data sharing protocols,
      • common consent architecture,
      • enterprise audit,
      • policy standardization,
      • governance assurance,
      • brand-level trust management.

The two responsibilities complement each other. One is operational. The other is strategic.

DGPSI-Hospital: Bridging the Governance Gap

One of the principal objectives of DGPSI-Hospital is to translate the broad principles of DPDPA into governance practices appropriate for healthcare institutions.

Healthcare differs fundamentally from many other sectors because data is inseparable from patient safety. Clinical information supports diagnosis, treatment, emergency intervention, medication management, continuity of care, and increasingly, AI-assisted healthcare delivery.

In healthcare, therefore, Data is Life.

DGPSI-Hospital recognizes that while individual hospitals remain statutory Data Fiduciaries, enterprise-wide governance frequently resides with the organization controlling the healthcare ecosystem.

Accordingly, DGPSI-Hospital designates that enterprise governance entity as the Super Data Fiduciary.

The Super Data Fiduciary establishes:

    • enterprise privacy policies,
    • EMR governance,
    • interoperability standards,
    • AI governance frameworks,
    • cybersecurity architecture,
    • centralized appointment systems,
    • patient portals,
    • telemedicine governance,
    • enterprise incident response,
    • consent management standards,
    • audit programmes,
    • vendor governance,
    • enterprise risk management.

Every participating hospital continues to remain independently responsible for complying with DPDPA. The Super Data Fiduciary simply provides coordinated governance across the enterprise.

This approach does not require any amendment to DPDPA. It merely implements good governance within the flexibility already available under the Act.

Beyond Healthcare

Although healthcare provides perhaps the clearest illustration, the governance challenge exists across numerous sectors.

Hospitality

International hotel brands frequently combine owned hotels, managed properties, franchise hotels, centralized reservation platforms, loyalty programmes, and common customer databases.

Retail

Large retail chains operate through company-owned stores, franchise outlets, warehouses, logistics companies, e-commerce platforms, and centralized CRM systems.

Education

University systems often include autonomous colleges, online learning platforms, research centres, examination authorities, alumni organizations, and international campuses functioning under one institutional identity.

Financial Services

Banking groups commonly consist of banks, NBFCs, insurance companies, payment service providers, mutual funds, wealth management entities, and technology subsidiaries sharing customer onboarding, KYC infrastructure, fraud monitoring, and analytics.

Aviation

Airline groups operate code-share arrangements, loyalty programmes, reservation systems, airport services, cargo operations, and alliance partnerships while presenting a unified customer experience.

E-commerce

Marketplace ecosystems integrate merchants, logistics providers, payment gateways, customer service centres, advertising platforms, and recommendation engines.

Technology Platforms

Digital platform companies increasingly operate cloud services, messaging platforms, identity systems, AI assistants, payment services, and advertising ecosystems through multiple corporate entities under one trusted brand.

In every one of these sectors, the customer trusts the brand rather than the underlying legal entities.

Sectoral DGPSI Frameworks as Laboratories of Governance

Law evolves more slowly than technology. Waiting for legislative amendments whenever new organizational models emerge would impede innovation and delay effective compliance. Sector-specific compliance frameworks therefore perform an important jurisprudential function.

The DGPSI family—including DGPSI-Hospital, DGPSI-Bank/BFSI, DGPSI-Education, DGPSI-Retail, DGPSI-Hospitality, and future sectoral variants—provides governance mechanisms that address operational realities while remaining faithful to the existing provisions of DPDPA.

The concept of the Super Data Fiduciary is one such governance innovation.

It enables organizations to demonstrate enterprise-wide accountability without altering the statutory responsibilities of individual Data Fiduciaries.

Rather than waiting for Parliament to recognize every emerging organizational model, governance frameworks can evolve first. Over time, judicial interpretation, regulatory guidance, industry practice, and legislative refinement may adopt these concepts where they prove effective.

This is how jurisprudence develops.

Looking Ahead

The future of data governance will not be defined solely by individual organizations.

It will increasingly be shaped by enterprise ecosystems—networks of legally independent entities operating under common brands, shared technologies, integrated AI platforms, and unified governance structures.

DPDPA provides the legal foundation for protecting personal data. Frameworks such as DGPSI build upon that foundation by translating statutory principles into governance models suited to specific sectors and operational realities.

The Super Data Fiduciary is one such model.

It preserves the statutory autonomy and accountability of every Data Fiduciary while recognizing that enterprise-wide governance often resides at a higher organizational level. By introducing layered accountability, DGPSI aligns legal compliance with the expectations of Data Principals, who place their trust not in corporate charts but in the integrity of the enterprise they choose to engage with.

As India’s data protection jurisprudence matures, governance innovations of this nature will play an important role in ensuring that the law remains effective in an increasingly interconnected and AI-driven economy. The Super Data Fiduciary is not a departure from DPDPA; it is an evolution in its practical application—demonstrating how sound governance can anticipate tomorrow’s challenges while remaining firmly rooted in today’s law.

(..Comments are welcome)

Naavi

Listen to the Audio Podcast here.

Video Review

Posted in Privacy | Leave a comment