The AIDAI Concept…A reflection

The earlier post on AIDAI as a milestone for FDPPI as well as for the Data Protection ecosystem has elicited this comment.

“The article provides a thoughtful and timely perspective on the evolving data protection landscape in India and rightly characterizes the current phase as a structural milestone rather than a mere legislative event.

One of the key strengths of the article is its implicit shift in framing—from privacy as a conceptual right to data governance as an operational discipline. This is a necessary transition, especially in a rapidly digitizing economy where accountability, auditability, and measurable compliance outcomes are becoming central to regulatory expectations.

At the same time, I believe the discussion could be further strengthened by explicitly distinguishing between institutional readiness and enforcement maturity. While the notification of rules and the operationalization of the Data Protection Board of India represent significant progress, the effectiveness of the framework will ultimately depend on consistent enforcement, regulatory clarity, and the development of supporting professional infrastructure.

In this context, the article presents an opportunity to more explicitly recognize the role of independent assurance mechanisms. As envisaged under Section 10 of the DPDPA, the emergence of Independent Data Auditors will be critical in bridging the gap between statutory intent and operational compliance. Their role, analogous in some respects to financial auditors in corporate governance, can provide credibility, objectivity, and trust to the ecosystem.

Further, the article may benefit from articulating the evolving accountability architecture more explicitly—namely:

    • Data Fiduciaries as responsible entities,
    • The Data Protection Board as the enforcement authority, and
    • Independent auditors as the assurance layer.

This triadic structure, if developed effectively, can form the backbone of a robust data governance regime in India.

Finally, a forward-looking closing that calls for capacity building, professional standardization, and institutional collaboration would strengthen the article’s impact and align it with the emerging needs of the ecosystem.

Overall, this is a well-argued and important contribution that moves the conversation beyond compliance into the domain of governance and accountability. With a slightly stronger emphasis on enforcement realities and the role of professional assurance, it can serve as a foundational reference for the next phase of India’s data protection journey.”


A Milestone in the history of Indian Privacy and Data Protection is being unveiled

In 2018, FDPPI was launched as an organization for the promotion of Privacy and Personal Data Protection culture in India. After covering the foundation ground of certification programs and seminars, one important milestone was the launching of DGPSI, or Digital Governance and Protection Standard of India, on September 13, 2023.

The DGPSI had its own sub-milestones such as the launch of DGPSI-AI and DGPSI-GDPR and will develop as a framework of reference for Data Protection Compliance in India and elsewhere in due course.

Now FDPPI is standing at the cusp of another milestone, namely the launch of the “Association of Internal Data Auditors of India” (AIDAI).

Currently AIDAI will function as a division of the parent entity FDPPI and eventually it may be an independent entity by itself.

On 11th April 2026, FDPPI is set to formally dedicate the new entity to the public in a simple function in Bangalore.

The launch of this new entity recognizes the emergence of the new breed of professionals, namely “Independent Data Auditors” in India, who are statutorily recognized under DPDPA 2023. They will be the backbone of the DPDPA compliance eco-system in India and are aptly called the “Guardians of Data Accountability”.

“Building Trust through Integrity and Independence” will be the motto of the organization.

The objectives of the organization are:

  1. To serve as a collaborative platform for capacity building, knowledge sharing, and policy advocacy, and to act as an interface between Independent Data Auditors, industry stakeholders, and the Data Protection Board of India.
  2. To foster a culture of independence, objectivity, and accountability among Data Auditors, ensuring that audits of Significant Data Fiduciaries are conducted with integrity and that material findings are reported without bias or influence.
  3. To define, develop, and continuously evolve a nationally recognized framework of qualifications, competencies, ethical standards, and audit methodologies for Independent Data Auditors under the Digital Personal Data Protection Act, 2023.

Towards fulfilment of these objectives, the organization will:

a) Empanel professionals as Data Auditors at multiple levels.

  1. Empanelled Data Auditors Level 1 (EDA-L1): All interested members who want to join the community
  2. Empanelled Data Auditors Level 2 (EDA-L2): Members with designated qualifications

b) Conduct, in association with FDPPI, appropriate Certification Programs CIDA (Certified Independent Data Auditors) with the following modules:

    1. Module 1 – Auditor Profession & Ethics
    2. Module 2 – Audit Principles & Methodology
    3. Module 3 – Planning & Risk-based Approach
    4. Module 4 – Risk Evaluation and Audit of DF, SDF and Consent Managers
    5. Module 5 – Frameworks (ISO + DGPSI Architecture)
    6. Module 6 – Applying DGPSI Variants
    7. Module 7 – Evidence Collection & Control Testing
    8. Module 8 – Data Trust Score and Audit Reporting
    9. Module 9 – Mini Audit Simulation

c) Encourage development of tools for audit

In the meantime, FDPPI will focus on Education, Conduct of Certification Examinations, Management of Study Centers across the country, Management of Grievance Redressal, advocacy on the law and related practices, Conduct of Research, Publication of relevant literature, etc. FDPPI will also focus on “Implementation Consultancy” and work along with AIDAI for audits.

FDPPI and AIDAI will be like binary stars which will revolve around each other and support each other.

AIDAI will have a separate Advisory Body, Governance Body and a CEO.

It is observed that the passage of DPDPA 2023 was a significant milestone, which has now been formalized with the passage of the DPDPA Rules setting the timelines for implementation.

Though ITA 2000 and DPDPA 2023 are now applicable laws, the enforcement mechanisms always present a challenge. AIDAI is expected to support the Government in the enforcement of DPDPA 2023 compliance by setting up an infrastructure for the development of the necessary professional ecosystem to enable audits as required.

The Concept of “Data Audit” is an audit of the “Governance of Technical implementation of law”. It involves legal knowledge, Technical understanding and Managerial acumen.

Governance of Data includes “Valuation and Monetization of Data”. Hence it is considered that Chartered Accountants as well as Cost Accountants would consider this emerging profession as an extension of their current activities.

AIDAI will therefore attempt to bring together all professionals in Financial Audit, Cost Audit and Governance Audit in a single platform with auditors involved in Information Security Audits and Privacy Audits, by whatever name they are called. Hence professionals in the Internal Auditors Association, Company Secretaries Association and Lead Auditors of ISO are all invited to join the platform. The Advisory Body may reflect the same.

The launching of AIDAI follows the earlier developments in the industry, such as the passing of the law, the notification of the Rules and the establishment of the DPB. Significantly, this is an industry initiative to support the larger goals of the nation set by MeitY and the DPB.

Being an industry initiative, this can pave the way for better compliance and overcome the traditional challenges in enforcement. By promoting “Independence” in audits, AIDAI has the potential of being a watchdog for the implementation of a compliance culture, going with the tag line “Guardians of Data Accountability”.

The “Independent Data Auditors” will conduct Data Compliance Audits for all kinds of Data processors, including Data Fiduciaries, Significant Data Fiduciaries and Consent Managers. The rules already specify that significant deviations need to be reported to the DPB and that AI algorithms need to be audited exclusively. These audits will be conducted by the Certified Independent Data Auditors, who will also sign an “Ethical Professional Declaration” when they become members of this organization.

Now is the time for all professionals to join the Association. The Level 1 membership is “Intent Based” and any professional who is in tune with the objectives of the organization can be a member. Level 2 membership will depend on certain accreditation principles which the institution will fix, such as passing a Certification or Empanelment test.

Hence I request all professionals interested in being in the Data Auditor community, to join as Level 1 members as soon as the registrations open on 11th April 2026.

Naavi


CEDPO Course in April 2026

Naavi will be conducting a special mentor assisted program for CEDPO in April 2026 consisting of recorded videos along with mentor sessions of around 6 hours over weekends.

The recommended four books will be provided as part of the cost (courier charges may be extra for some remote places).

Naavi


Questions to DPO of HDFC Bank

I have recently raised an issue about non-receipt of an NOC for an auto loan closed in 2018. The brief description of the incident is as follows:

I am placing these in the public domain as it indicates that even a Bank like HDFC Bank is currently not ready for DPDPA Compliance by 13th May 2027.

Everybody is running behind Consent, forgetting that handling Data Principal access requests is a key element of compliance and cannot be fulfilled without a wholesale revision of the product policies.

Quote:

Dear Sir

For the last few days, I have been corresponding with your loan products department and customer services department and am unable to get resolution of my problem. I am therefore bringing this to your notice for redressal as a “Grievance” and “Data Principal Right”.
The incident is briefly described below.

1. I had availed an auto loan in 2013 which closed in 2018.

2. On closure of the loan I was under the assumption that the Bank has ceased to be the hypothecatee of the vehicle since the “Consent” was terminated automatically. It was therefore a duty of the Bank to have taken measures to inform the RTO and delete the hypothecation clause. The RC certificate/card with me was not indicative of any hypothecation and hence I was not aware that the Bank was still actively placing a restrictive hold on the asset which should have been free.

3. Recently I tried to put my car on sale and invited bids from intended buyers. I got some offers which were good enough for me to accept. However I was told by the buyer that since there was a hypothecation on the vehicle, it needs to be removed. I then submitted a request for NOC. Given that I am a customer for decades and on my customer account the loan also is on record, I thought that the issue of NOC should be quick.

4. I got a message from Bluedart courier that a consignment was being delivered and assumed that it should be the NOC. But I found after a few days that there was no delivery of the letter and my commitment to submit the letter to the buyer by a certain date was frustrated.

5. On calling the Blue Dart courier, I was told that they could not deliver and they had noted that “Addressee was not available at the given address”. When I enquired how they marked such a note which was a “Lie”,

6. Even after raising the issue with the Bank, I am yet to see resolution.

In this context my questions to you as the DPO of the bank are as follows.

1. You have the account details under my customer ID which also has the loan details. My address is updated on this account page. Hence the claim of Bluedart that only a truncated address was available with them (they claim that the name was simply mentioned as “Nagaraj”) should be false. I would like to know from your records what address was given to Bluedart for the delivery of the consignment and why it was not given correctly, if their statement is true. This may be considered as a request under Section 11 of DPDPA 2023 (as part of Section 43A read with DPDPA as the due diligence requirement).

2. Why does the courier say they did not have my phone number to contact? Was it not given by HDFC Bank? If not, why?

3. Non availability of the NOC has frustrated the sale of the vehicle to a preferred buyer and has perhaps inflicted a financial loss of Rs 75000/- since I have to now sell it to another buyer and after March 31st. Please let me know why I cannot claim this as a compensation either as deficiency of service or under Section 46 of ITA 2000.

4. I was disappointed that HDFC Bank has failed to maintain the simple courtesy of removing the hypothecation after a loan closure, which should have been a customer service move. Why is this not an SOP? Why do you expect the customer to complete it himself under these circumstances of service deficiency? I am told by many that this is a common problem of many.

5. I was told by your help center that NOCs can only be obtained by physically visiting one of the three designated branches in Bangalore (not the nearest branch). Why is HDFC Bank not able to deliver the NOC electronically?

6. Has your Bank initiated any steps for DPDPA Compliance so far? …It appears that you will not be ready by May 13 2027 and will be exposed to penalties under DPDPA. Has this risk been flagged by your CFO under disclosures under Clause 49 of listing requirements and SEBI regulations?

For the education of the public, I will be placing these questions in the public domain through www.naavi.org

Looking forward to your response.

End Quote

I will be happy to receive your comments.

Naavi


Questions to the DPO of BlueDart Express Courier

BlueDart is one of the respected courier agencies in India. I have used their services and have been a satisfied customer in many instances.

I am however bringing this incident to public notice for general awareness since Blue Dart has not tried to resolve my grievance and tried to hide behind technicalities to cover their suspected deficiency of service.

We are aware that many delivery persons do not make a proper attempt to locate the delivery address and report “Address Not found” or “Address changed address” etc. and claim charges for their visit. This is cheating the consignor besides adversely affecting the consignee with delayed delivery. This practice is not expected of Blue Dart. I am sure that the company would vehemently deny this.

But I suspect that this happened during a recent document sent by HDFC Bank which was not delivered to me under the excuse “C’Nee shifted from the given address”.

This is a blatant lie since the consignment was addressed to me and I have not shifted from the address for several decades.

On enquiry the company stated excuses: “Name was not clear, PIN Code was not proper and Bank had not given your phone number”. They washed their hands of responsibility in the incident.

I have now raised the following questions to the DPO of Blue Dart through the customer service department.

Quote:

Please treat this as a notice under Section 43A of ITA 2000 read with DPDPA 2023. I am exercising my right to seek information from you as a data fiduciary. This complaint may be forwarded to your Data Protection Officer and Grievance Redressal Officer under copy to me for further processing, since this is no longer a simple service deficiency.

1. I want to know what was the address mentioned in the communication by HDFC Bank to you and why you accepted delivery without the contact phone number of the consignee?

2. In my conversation with your representative I was told that the name was mentioned as “Nagaraj” and the PIN code was not “560050”. My full name is Vijayashankar Nagarajarao and no sane person truncates it to only “Nagaraj”. My address is No 37, “Ujvala”, 20th Main, BSK first stage, Bangalore 560050. Since you have mentioned that the “C’Nee Shifted From The Given Address”, I have already informed you that this is a “False Statement”. Please show me cause why I should not presume that you have not made an attempt to deliver the document and returned it to the Bank, charging them for the consignment. Will this not amount to “Cheating” the Bank?

3. Since you have mentioned that I have “Shifted” from “a” address, please let me know which address was on the delivery list?

4. Your representative said that my phone number was not given by the Bank. Please let me know why you accepted the consignment with incomplete information?

5. I am aware that normally you collect the phone number from the consignee when a document is delivered. I presume it is for verification purposes. But is that practice only a collection of personal information for the purpose of your marketing?

6. As a result of your deficiency of service, I am not able to get the document even today. This has resulted in a possible loss of Rs 75000/- to me. Please let me know why I should not take action in a consumer court for deficiency of service?

7. I am expecting an immediate reply to this email along with a photo of the cover mentioning my address and your delivery person’s note.

8. I will be placing this complaint in the public domain through www.naavi.org to increase the awareness of the public on such malpractices of couriers.

Unquote
I am not sure if I will get a reply. But I am optimistic.

I am separately taking this up with HDFC Bank also and will place that also in the public domain.

This is to expose how big companies are yet to understand the impact of DPDPA on their services and what compliance measures they need to initiate.

DPDPA is not child’s play. It requires understanding and effort to comply.

The legal questions that arise here are:

1. Since DPDPA 2023 will be fully implemented with its penalty sections only after 13th May 2027, is this complaint maintainable with the Adjudicator of ITA 2000 as a complaint under Section 43A read with the rules of 2011 and interpreted with DPDPA as a reasonable security practice and expected due diligence?

2. How does this incident represent the right of a data principal under sections 11, 12 and 13 of DPDPA 2023?

3. What is the status of Blue Dart? Is it a Data Fiduciary or is it a Data Processor? If it is a “Data Processor”, is it obliged to present the instructions of the Data Fiduciary, such as the address given to them in the above case?

4. Will this complaint sustain in a Consumer Court as “Deficiency of Service”?

It is time we learn from such mistakes… Your comments are welcome.

Naavi

NHRC ups the ante on DPDPA

While the Supreme Court is hearing the petitions challenging DPDPA (where FDPPI has filed an intervention petition to oppose the challenge and defend DPDPA), NHRC has issued notices to the Government on why action has not been initiated on implementation of provisions to protect the Privacy of Children.

Refer to the article here for details.

The National Human Rights Commission (NHRC) has taken cognisance of alleged violations of the Digital Personal Data Protection Act (DPDP Act), particularly concerning the absence of systems for tracking children’s data transfers and grievance redressal mechanisms across major digital platforms.

It is expected to strengthen the Government of India in its defence at the Supreme Court.

Let us wait and see how it develops.

Naavi
