“B2B-DTS” for DPDPA compliance tailored to Manufacturing industries

Yesterday we had an interaction with a large group of CIOs in Coimbatore and discussed the DGPSI framework as a solution to DPDPA compliance.

As a part of the discussion, a need has emerged for considering the manufacturing industries with only B2B services as a separate category/sector for which DPDPA compliance has to be specifically designed.

The DGPSI framework already has two versions: a simpler version called DGPSI Lite with 36 implementation specifications, and DGPSI Full with 50 implementation specifications.

Both versions are applicable across different sectors, including the manufacturing sector. The DGPSI Full version also addresses some Data Governance issues, while DGPSI Lite is limited to DPDPA compliance.

While implementing these frameworks for manufacturing industries, the fact that their exposure to personal data processing is limited to employees is already factored in. In case the manufacturing industry has retail stores or e-commerce websites, their exposure to DPDPA 2023 increases.

However, there are many industries that do not have e-commerce and do not have retail sales, and hence their encounter with personal data is limited to employees: current, prospective and past.

Considering this restricted exposure of B2B companies, the DPDPA gap assessment as well as the implementation has been simplified, leading to an assessment named “B2B-DTS”.

Hopefully this will enable a large number of eligible industries in this category to meet the compliance certification quickly, without the rigorous requirements imposed on a company that collects personal data on a large scale from consumers.

Companies interested in such assessments may contact Naavi/Ujvala Consultants Pvt Ltd for more information.


International information Security conference at Bangalore

On June 28, 2024, Bsides Bangalore is conducting its “Security Bsides Bangalore 2024” a premier cyber security conference in India, at Marriott, Whitefield, Bangalore.



Use of AI-led Compliance Software for DPDPA

As a natural development of technology, there is a scramble among product vendors to create products and services that can be offered as “Compliance Products”. Most of these vendors are focusing on developing a “Consent Management Solution”.

The essential feature of such software would be to record the consent for a given set of personal data, give it an identity tag and attach it to the personal data set so that it can be referred to whenever required. The consent has to meet the expectations of “Purpose Orientation”, “Data Minimisation” and “Data Retention Minimisation”.

One of the dilemmas companies face is whether they can take one perennial consent for collecting personal data for multiple purposes, which is logically the most convenient for business.

However, the law does not support such an omnibus, omnipotent, omnipresent, ever-alive consent.

Hence the consent collection, use and retention mechanism has to be a carefully considered plan that meets the legal requirements without seriously hindering business operations.

Probably the appropriate use of AI should help. However, when an AI is developed on faulty training data, the AI output will also be faulty. One option the ML program has is to parse all similar websites and their privacy policies and gather intelligence that can be incorporated in its own policy. Obviously the user will provide his own inputs on the purpose, data requirements, retention objectives etc. so that the AI algorithm can develop a suitable privacy policy that can be used.

In such automation, it is important to recognize that “Legal Compliance” is difficult to automate successfully and that strict human supervision is essential.

As more and more such products surface, FDPPI will apply its “Product-DTS” tool to evaluate the compatibility of the product with the Indian DPDPA system and provide a “DTS Score”.

Data Fiduciaries need to be careful when selecting solutions, since any purchase of such a product is likely to be a long-term purchase and difficult to change subsequently.

When FDPPI auditors evaluate a Data Fiduciary, they look at such service providers as “Joint Data Fiduciaries”. But the product vendors themselves have the option of getting their products evaluated as a pre-sales qualification criterion. Such evaluation takes into account the principles of the EU AI Act, ISO 13485 etc. Obviously this is a complex process, perhaps more complex than a routine DPDPA audit of a Data Fiduciary.

FDPPI therefore operates such assignments through a “Consortium” of its experts so that the technology intricacies are considered along with the Legal, Governance and Business issues. Exciting days are ahead in incorporating the EU AI Act with DPDPA compliance, and we look forward to the same.

Implementation Challenges of DPDPA

FDPPI has been conducting many programs around the country discussing the implementation challenges of DPDPA. We are happy to note that, after initial hesitation, many other consultancy organizations have shed their complacency about the rules not yet being notified and have started conducting their own programs. This is a welcome development for the industry.

Most of these consultants have also accepted Naavi’s argument that DPDPA, as a published law, has become a due diligence requirement under ITA 2000, and hence the law needs to be applied as of now by companies as part of their plan to be ready for the next level of compliance, where “Penalties” are a “Financial Risk” to be mitigated.

This is how “Jurisprudence” becomes the “Best Practice” while the law continues towards the final version that is relevant for determination of penalties.

As we move towards our next program in Delhi on December 11th with the CIOKLUB and also on December 12th under the FDPPI banner, we will continue to discuss the other implementation challenges.

The next challenge that we need to address is that many solution providers have come forward offering solutions for compliance. We understand that some of them are also in discussion with MeitY and are trying to advise the ministry in the rule making as well.

It is a distinct possibility that some of the built-in capabilities of these solutions may find expression in the rules to be announced by MeitY in the next few months.

As the competition in the product market increases, there is likely to be a bombardment of different views on the user companies. The users need to be able to understand what the compliance requirements are and how each solution meets those requirements.

I suppose that during the Delhi event we will discuss how the “Consent Management” solutions or “Data Classification Solutions” presently in the market address these issues. We may also discuss how to evaluate interesting offers from solution providers who claim “AI based Automated Compliance” as their USP.

If you are in Delhi and are interested in understanding the compliance issues against which you can evaluate different solutions, you should not miss the FDPPI event.

Consent Managers can be sector specific specialists

The concept of a “Consent Manager” in DPDPA 2023 is not understood by many. It is obviously a registered Data Fiduciary with the necessary infrastructure, which gets itself appointed by data principals. The registration will require some conditions that MeitY may prescribe.

Such conditions may include capital and net worth considerations, expertise, information security etc. Other matters that need to be specified or factored in are the ownership of the consent manager as a company, whether it can be owned by foreign interests, whether there will be a “Fit and Proper Criteria”, whether there will be a minimum period before withdrawal from the business, and the distance to be kept from Data Fiduciaries.

One of the recommendations we have is to encourage Consent Managers as sector specific experts so that they will be able to provide better assurance to the data principals.

DGPSI will be working on such sector specific compliance guidelines as part of its development of detailed guidelines.

In the process, FDPPI may also develop a Consent Manager-DTS or CM-DTS as an indicator of the maturity of compliance of a Data Fiduciary engaged in the service of a Consent Manager.

It is possible that MeitY may come up with its own version of the rules without taking into account all the requirements that we may suggest. But we hope that the guidance developed by the DGPSI team, being the experts in Data Protection, will eventually be a “Best Practice”.

To enable this, it is better if MeitY does not come up with rigid rules and leaves flexibility for compliance.

How India is being treated as a “Third Country” by some websites

There is a need to flag the condemnable attitude of service providers including “WhatsApp” who have the temerity to approach the Indian Courts against Government regulations by treating India as a country whose regulations are ignored.

I call the attention of Mr Modi, Mr Amit Shah and Mr Rajeev Chandrashekar, with good wishes for their re-election, to some of the websites that set terms of service stating that the jurisdiction for dispute resolution for their consumers is in their own country and not in India. While the services are rendered in India, the consumers are barred by contract from approaching Indian Courts.

Some websites have started providing supplementary terms recognizing the rights of EU citizens and Californian Citizens besides the country of the origin of the service. But no other country is mentioned.

While we can accept that any company has the freedom to set its own rules and is not bound to recognize the Indian sovereignty, it is our responsibility to ensure that our citizens are protected.

This can be done only through an omnibus protection provided to Indian users of foreign services through the DPDPA 2023.

Currently such users are considered “Data Fiduciaries” and are liable under Indian law. Hence any contractual term that sets the dispute resolution outside the legal mandate of ITA 2000 and DPDPA 2023 is ultra vires and cannot be considered valid.

However, it is better if MeitY, through its rules on DPDPA 2023, makes it clear that:

“Clauses in the contracts with any Data Fiduciary, Indian or foreign, which are not in conformity with the Indian laws shall be considered as void and the dispute resolution provisions provided under ITA2000/DPDPA2023 shall prevail.”

Ignoring this and bringing pressure on Indian users to agree to online click-wrap contracts should be considered an attempt to deliberately overrule the law of the land and should be made punishable.

The DGPSI supported Dispute Resolution Policy shall support introduction of such a clause.

In one of the websites I observed the following clause:

Applicable Law and Jurisdiction. These Terms of Use shall be construed in accordance with the laws of Singapore without regard to its conflict of laws rules. Any dispute arising out of or in connection with these Terms, including any question regarding existence, validity or termination of these Terms, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with the Arbitration Rules of the Singapore International Arbitration Centre for the time being in force, which rules are deemed to be incorporated by reference in this clause. The seat of the arbitration shall be Singapore. The Tribunal shall consist of three (3) arbitrators. The language of the arbitration shall be English.

It continues:

The following terms apply if you reside in the European Union:

Dispute Resolution. Notwithstanding the “Applicable Law and Jurisdiction” section of these Terms, if you are a “consumer” as defined under the EU Direction 83/2011/EU, any dispute, controversy or claim (whether in contract, tort or otherwise) between us and you, arising out of, relating to, or in connection with these Terms will be referred to and finally resolved by the court of your place or residence or domicile. You can also file a complaint at the online platform for alternative dispute resolution (ODR-platform). You can find the ODR-platform through the following link: https://ec.europa.eu/consumers/odr.
If you are a user of our Services in the United States of America, the below Additional Terms: (a) are incorporated into these Terms; (b) apply to your use of our Services; and (c) override the head terms of these Terms to the extent of any inconsistency.

If you are a user of the Services in the United States of America, the following terms expressly replaces the above “Applicable Law and Jurisdiction” section of these Terms.

California Resident. If you are a California resident, in accordance with Cal. Civ. Code § 1789.3, you may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by contacting them in writing at 1625 North Market Blvd., Suite N 112 Sacramento, CA 95834, or by telephone at (800) 952-5210.

If you are a California resident, then (except to the extent prohibited by applicable laws) you agree to waive California Civil Code Section 1542, and any similar provision in any other jurisdiction (if you are a resident of such other jurisdiction), which states: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favour at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor”.

If such companies can selectively accept the laws of the EU and California, why should we not insist that they also take into account the laws of India? We need to protect Indian data principals against such clauses on websites.

Suggestions are invited.