DGPSI-GDPR could be a symbol of Indian Data Protection industry coming of age

The launch of DGPSI-GDPR is not just another event. It is a symbol of the Indian Data Protection ecosystem coming of age, not only to be compliant with DPDPA 2023 but also to provide guidance for compliance with other data protection laws such as GDPR. The work has started, and with the cooperation of the community we will have a framework that is acceptable as good guidance to all companies, firstly in India.

DGPSI (Digital Governance and Protection Standard of India) was developed as a guidance framework for compliance of DPDPA. It is a useful framework today for implementation of the DPDPA 2023 in an organization as well as for audit and assessment.

In India we also have many organizations who process data from outside India, and most of them have so far treated GDPR as the standard for Data Privacy Compliance. With the coming of ISO 27701:2025, GDPR Compliance through ISO 27701:2025 as an independent certifiable framework also received a boost.

In this context, most organizations in India are confronted with the need to look at two compliance drives: one for DPDPA and another for GDPR.

While some would like to adapt GDPR compliance to DPDPA compliance and use ISO 27701:2025 (modified for India), an alternative is to use DGPSI and adapt it to GDPR compliance.

To facilitate this use of a Made in India framework for compliance of GDPR, DGPSI has now been extended with a DGPSI-GDPR version. This uses the 50 Model implementation specifications of DGPSI with subtle changes to be capable of meeting the GDPR requirements.

This is a game changer in the domain of Data Protection Compliance in India and a transition point where DGPSI becomes the source framework from which compliance of Data Protection laws of other countries can be carved out.

Currently, FDPPI is working on a draft version of the DGPSI-GDPR version and the Certified Data Auditors of FDPPI will be trained to use the version for GDPR compliance as may be required.

Under DPDPA, data processing activities that process foreigners’ data under a contract are exempted from DPDPA. Such activities involving EU data can now be implemented and audited using DGPSI-GDPR. It is one of the requirements of DGPSI that personal data is classified on the basis of applicable jurisdiction; hence, even where the data is currently mixed up, it needs to be segregated and a virtual GDPR processing division has to be created. Such a virtual division can now use DGPSI-GDPR as the framework for compliance.

Can an Indian framework take on Global Data Protection Compliance? This will be a question in the minds of many data protection professionals.

Let us make it happen. FDPPI invites all data protection professionals in India to put in their efforts to develop the DGPSI family of frameworks to expand and provide guidance to the compliance of GDPR as well as other data protection laws in due course.

Naavi

Posted in Privacy | Leave a comment

A Symbol of Skill: Take a Direct shot at the coveted examination.

FDPPI’s Certification program for developing DPOs and Data Auditors in India offers an online examination for professionals to validate their knowledge and skills to be a good DPO in the Indian scenario.

While trainings are conducted by the training partners of FDPPI from time to time (e.g., the Virtual Program on December 20-21 conducted by Cyber Law College), the coveted C.DPO.DA. certification is available to anybody who registers for the online examination and passes the required cut-off marks.

Whether you are CIPP certified, DSCI certified, ISO certified, PECB certified, EXIN certified or ISACA certified, you can take this online examination by paying the prescribed fees.

As a special year end offer, the examination for which the fee is normally Rs 25000/- is being offered at Rs 10000/- till 31st December 2025.

The material for the exam is available in the following three books

The Certification training conducted by Cyber Law College consists of 12 hours of online discussions that cover

  • Legal nuances of DPDPA and the DPDPA Rules
  • DPDPA Risk Assessment and Case Study
  • The Roles of DPO and Data Auditor in the DPDPA era
  • Classification of DPDPA protected Data (DPD) and ROPA as a strategic tool of Compliance
  • DPDPA Compliance by Default: Technical challenges and Designing Controls
  • Use of DGPSI as a Compliance Management framework
    • DGPSI Full, DGPSI-Lite and DGPSI-AI
    • DGPSI-GDPR, DGPSI HR, DGPSI Data Processor
  • Comparison of DGPSI with ISO 27701
  • Discussions

Besides training themselves to be DPOs in an organization, some of our trainees may emerge as independent trainers in different parts of the country under a franchise scheme of FDPPI.

FDPPI is also introducing an upgrade over C.DPO.DA. for those who want to be “Independent Data Auditors” which is a position that is likely to open up in 2027 after the Act becomes fully effective. A separate upgradation training for CIDA (Certified Independent Auditor) is being planned to be conducted in 2026 for this purpose.

For the time being it is an opportunity for interested professionals to take the C.DPO.DA. examination at the special year end price of Rs 12000/- (inclusive of GST). You can register directly on the CDPODA page of fdppi.in by making a payment of Rs 12000/-. (Indicate in the description that the registration is for examination only.)

Naavi


17th December has been memorable: DGPSI goes Global

I was just recalling that on 17th December 2022, I was conferred a Life Time award for Cyber Jurisprudence in Chennai. It was a coincidence that on 17th December 2023, at Hyderabad, a “Lifetime Achievement Award for Privacy” was conferred by EndNow Foundation of Hyderabad.

These will continue to inspire me for further work in the field.

Today, on December 17, 2025, I am pleased to officially announce the release of the framework “DGPSI-GDPR”, which marks the extension of the Made in India for India framework of DGPSI for the global world. This could be the beginning of a new era of the DGPSI family growing into a global family of frameworks. This could be a self-determined lifetime achievement which gives satisfaction and a sense of fulfilment.

Closely following DGPSI-GDPR, we are adding two more extensions to DGPSI-India in the form of DGPSI-Data Processor and DGPSI-HR. DGPSI-Data Processor provides for an Indian Data Processor voluntarily equipping himself with a DPDPA Compliance culture to increase his competitive position in the market. DGPSI-HR has been envisaged for those companies who do not have any individual customer data because they are B2B organizations, but have employee data for which they are still the data fiduciary under DPDPA 2023.

Request professionals to encourage these developments and participate in the further development of these frameworks.

December 17, 2023 Life time achievement award for Privacy at Hyderabad…Socialwood conference of Endnow Foundation

Naavi


Every organization that has employees is a Data Fiduciary

As we look at the Data industry, there are organizations which clearly identify themselves as collectors and processors of personal data for different purposes. They all will be Data Fiduciaries and some of them would be Significant Data Fiduciaries.

There will be another category of organizations, mostly in the SME sector, who want to be only “Data Processors”, would operate only under the instructions of a data fiduciary, and want to be outside the burden of DPDPA Compliance.

However, if these organizations have employees, then they automatically become Data Fiduciaries in respect of Employees’ data, which may also include the data of past employees, rejected applicants, applicants in the process of being onboarded as well as terminated or retired employees, who are non-employees as of date. Whether processing of their personal data may be considered as “Legitimate Use” is debatable.

While FDPPI wants to apply DGPSI-Data Processor as a framework for evaluating the compliance of DPDPA for assuring the Data Fiduciary, the data fiduciary may have to simultaneously be DPDPA Compliant itself since it does have the Data Fiduciary status for the employees. For this purpose FDPPI wants to introduce a simplified DGPSI-Lite framework as DGPSI-HR.

Thus the family of DGPSI now expands to the following categories.

  1. DGPSI Full: 50 implementation specifications
  2. DGPSI Lite: 36 implementation specifications
  3. DGPSI AI: 9 implementation specifications for deployers and 13 implementation specifications for developers
  4. DGPSI-Data Processor: 38 implementation specifications
  5. DGPSI-HR: 31 implementation specifications
  6. DGPSI-GDPR: 50 implementation specifications

The last three frameworks are now under development and refinement.

A day may come when DGPSI as a family may expand to different Jurisdictional laws. It will not grow to 30000 frameworks like the ISO family but may grow to around 10-15 in due course.

FDPPI is likely to focus more on these standards and related certification systems in the coming years while a sister organization may take up some additional responsibilities.

Watch out for the developments.

Naavi


Data Processor is a “Deemed Data Fiduciary”

In 2022, Naavi/Ujvala Consultants Pvt Ltd had suggested “Data Importer Assurance Certification” for Data Processors who were processing EU data in India on behalf of Data Controllers. The focus was to meet the Standard Contract Clause requirements under Cross border data transfer to the extent legally feasible in India.

With the advent of DPDPA 2023, which imposes the burden of compliance solely on the Data Fiduciary, there is a debate on what are the responsibilities of a Data Processor in this new era of DPDPA Compliance.

At the same time, FDPPI considers that DPDPA Compliance is indirectly the duty of a Data Processor also and while the Data Fiduciary tries to add Data Protection Clauses to protect himself, unless the Data Processor considers himself as a “Deemed Data Fiduciary” the Data Fiduciary will not be able to fulfil his obligations under the Act.

DGPSI, the Crown Jewel of Compliance Frameworks, already recognizes that the responsibility of Compliance in the Data Fiduciary is “Distributed” among all persons who process the personal data, whether they are designated as DPO or not. It also recognizes the “Whistle Blower” status even for external vendors.

Under the same principle of distributed responsibility extended to Data Processors, DGPSI considers that “Data Processors are Deemed Data Fiduciaries”. What this means is that a Data Processor should consider himself to be a Data Fiduciary and voluntarily undertake all the responsibilities as if he is a “Joint Data Fiduciary”, whether the contract mentions so or not.

To further cement this concept, Ujvala Consultants Pvt Ltd, which is the patron member of FDPPI, introduces the “Data Processor Assurance Certificate” under DPDPA. Under this Certification, any Data Processor may get themselves certified as a “DPDPA Compliant Data Processor” to increase their competitive position in the service market.

The process of certification would follow the general DGPSI principles duly simplified for the role of the processor. It would be a bit wider than the recommended 18 PIMS implementation Controls for processors under ISO 27701:2025 (Table A.2) and 29 Security controls recommended under Table A.3.

Perhaps we may call such certified Data Processors “Emancipated Data Processors”.

Naavi


Orissa High Court upholds objection on APAAR ID Consent form

Orissa High Court was confronted with an interesting petition from a parent who refused to give consent to the school of his child which wanted to create an APAAR ID. The ID is considered a unique identification that is designed to provide a lifelong 12 digit digital identifier to store the academic accomplishments. It is meant to be used for certain purposes which are beneficial to the subject in making available the ID to other institutions for educational services. It is not expected to be used for marketing or other purposes prohibited under DPDPA 2023.

However the petitioner invoked the Justice Puttaswamy judgement and no discussion seems to have been made on DPDPA provisions. The school contended that there is a provision to withdraw the consent any time. The Petitioner contended that “Withdrawal of consent” was after providing the consent and is different from “Option not to give consent”.

The Court has agreed with this contention and suggested alteration of the consent form.

Judgement copy available here

The issues that should have been debated here are whether the school can segregate the APAAR ID related services from others and provide a purpose-specific privacy notice to enable the subject to understand the likely consequences of not registering for the APAAR ID. Some services should be exclusively linked to the holders of APAAR ID and then such objections would not arise.

By refusing the registration, many of the services of the department of education may become difficult to avail at a later date.

Naavi