Every organization that has employees is a Data Fiduciary

As we look at the data industry, there are organizations which clearly identify themselves as collectors and processors of personal data for different purposes. They will all be Data Fiduciaries, and some of them would be Significant Data Fiduciaries.

There will be another category of organizations, mostly in the SME sector, who want to be only “Data Processors”, operating solely under the instructions of a Data Fiduciary, and who want to stay outside the burden of DPDPA compliance.

However, if these organizations have employees, then they automatically become Data Fiduciaries in respect of employees’ data, which may also include the data of past employees, rejected applicants, applicants in the process of being onboarded, as well as terminated or retired employees who are not employees as of today. Whether processing of their personal data may be considered “Legitimate Use” is debatable.

While FDPPI wants to apply DGPSI-Data Processor as a framework for evaluating DPDPA compliance to assure the Data Fiduciary, the Data Processor may simultaneously have to be DPDPA compliant itself, since it does have Data Fiduciary status in respect of its employees. For this purpose FDPPI wants to introduce a simplified DGPSI-Lite framework as DGPSI-HR.

Thus the family of DGPSI now expands to the following categories.

  1. DGPSI Full: 50 implementation specifications
  2. DGPSI Lite: 36 implementation specifications
  3. DGPSI-AI: 9 implementation specifications for deployers and 13 implementation specifications for developers
  4. DGPSI-Data Processor: 38 implementation specifications
  5. DGPSI-HR: 31 implementation specifications
  6. DGPSI-GDPR: 50 implementation specifications

The last three frameworks are now under development and refinement.

A day may come when DGPSI as a family expands to cover different jurisdictional laws. It will not grow to 30000 frameworks like the ISO family, but it may grow to around 10-15 in due course.

FDPPI is likely to focus more on these standards and related certification systems in the coming years while a sister organization may take up some additional responsibilities.

Watch out for the developments.

Naavi

Posted in Privacy

Data Processor is a “Deemed Data Fiduciary”

In 2022, Naavi/Ujvala Consultants Pvt Ltd had suggested a “Data Importer Assurance Certification” for Data Processors who were processing EU data in India on behalf of Data Controllers. The focus was to meet the Standard Contractual Clause requirements for cross-border data transfer to the extent legally feasible in India.

With the advent of DPDPA 2023, which imposes the burden of compliance solely on the Data Fiduciary, there is a debate on what the responsibilities of a Data Processor are in this new era of DPDPA compliance.

At the same time, FDPPI considers that DPDPA compliance is indirectly the duty of the Data Processor as well. While the Data Fiduciary tries to add data protection clauses to protect himself, unless the Data Processor considers himself a “Deemed Data Fiduciary”, the Data Fiduciary will not be able to fulfil his obligations under the Act.

DGPSI, the Crown Jewel of Compliance Frameworks, already recognizes that the responsibility for compliance within the Data Fiduciary is “distributed” among all persons who process the personal data, whether or not they are designated as DPO. It also extends “Whistle Blower” status even to external vendors.

Under the same principle of distributed responsibility, extended to Data Processors, DGPSI considers that “Data Processors are Deemed Data Fiduciaries”. What this means is that a Data Processor should consider himself to be a Data Fiduciary and voluntarily undertake all the responsibilities as if he were a “Joint Data Fiduciary”, whether or not the contract says so.

To further cement this concept, Ujvala Consultants Pvt Ltd, which is the patron member of FDPPI, introduces the “Data Processor Assurance Certificate” under DPDPA. Under this certification, any Data Processor may get himself certified as a “DPDPA Compliant Data Processor” to improve his competitive position in the service market.

The process of certification would follow the general DGPSI principles, duly simplified for the role of the processor. It would be a bit wider than the 18 PIMS implementation controls recommended for processors under ISO 27701:2025 (Table A.2) and the 29 security controls recommended under Table A.3.

Perhaps we may call such certified Data Processors “Emancipated Data Processors”.

Naavi


Orissa High Court upholds objection on APAAR ID Consent form

The Orissa High Court was confronted with an interesting petition from a parent who refused to give consent to his child’s school, which wanted to create an APAAR ID. The ID is a unique, lifelong 12-digit digital identifier designed to store academic accomplishments. It is meant to be used for purposes beneficial to the subject, such as making the ID available to other institutions for educational services. It is not expected to be used for marketing or other purposes prohibited under DPDPA 2023.

However, the petitioner invoked the Justice Puttaswamy judgement, and no discussion seems to have been made of the DPDPA provisions. The school contended that there is a provision to withdraw consent at any time. The petitioner contended that “withdrawal of consent” comes after consent has been given and is different from the “option not to give consent”.

The Court agreed with this contention and suggested alteration of the consent form.

Judgement copy available here

The issues that should have been debated here are whether the school can segregate the APAAR ID related services from others and provide a purpose-specific privacy notice enabling the subject to understand the likely consequences of not registering for the APAAR ID. Some services should be exclusively linked to holders of the APAAR ID; then such objections would not arise.

By refusing registration, many of the services of the department of education may become difficult to avail at a later date.

Naavi


European Business Wallet Proposal… takes cue from India

On November 19, 2025, a major EU proposal was made to simplify EU regulations in many areas. It proposes 15 amendments to GDPR, which we are taking note of separately. Additionally, it makes changes to the Data Act, a very recent regulation, as well as to the Artificial Intelligence Act. It appears that the EU has realized that its current approach of very strict regulation does not sit well with the approach of the USA and India of giving more freedom to businesses to promote innovation. Perhaps this is a timely move to not let the EU become a technologically archaic society.

One of the measures that we need to take note of is the Business Wallet proposal and the published “Digital Rule Book”. The objectives of these changes are captured in this “Press Release”.

This proposal is expected to  provide European companies and public sector bodies with a unified digital tool, enabling them to digitalise operations and interactions that in many cases currently still need to be done in person. Businesses will be able to digitally sign, timestamp and seal documents; securely create, store and exchange verified documents; and communicate securely with other businesses or public administrations in their own and the other 26 Member States.

One of the simplification measures is to develop a unified platform for data exchange so that there would be a “Single Digital Gateway”, requiring authorities to re-use data already held in another Member State without repeated submissions by businesses. The Indian approach of “Centralized eKYC”, “Account Aggregator” and “Consent Manager”, as well as the UPI system and “Digital Locker”, follows similar principles, and it appears the EU wants to follow India in these innovative measures and perhaps improve upon them.

While we can feel proud that Indian initiatives have been validated and followed by the EU, we can observe whether there are improvements that we may adopt ourselves and amend our established systems, including the Consent Manager system under DPDPA 2023. RBI and MeitY may closely monitor the developments.

Naavi.org will also monitor the proposals and try to identify lessons for India.

Some of these discussions could commence in our C.DPO.DA. program of December 20/21. If you have not yet joined the program, check here for registration.

Naavi


FDPPI Eco-system of Data Protection Professionals

To all those who are associated with FDPPI as Members or as Registrants for any paid services

Dear Friends

It is the desire of FDPPI/Naavi that all those who have been associated with FDPPI during the last 7 years of its existence should consider themselves to be forming an eco-system to drive a DPDPA compliance culture in the country.

We have all entered a new era of DPDPA implementation, and hence all those who are now preparing themselves to be DPOs and Data Auditors are considered the “NextGen DPOs” and “NextGen Data Auditors”, for whom DPDPA implementation is a certainty from 13th May 2027.

We ideally want all our members and associates to be actually “Certified” for C.DPO.DA. But we are aware that this may not be practical. Hence we want them to at least carry a participation certificate for our latest training program, even if they want to avoid the challenge of passing the examination. We are therefore trying to provide a free knowledge upgrade to all our previously certified professionals, or those who have paid and registered in the National Register of Data Protection Professionals, by giving them an opportunity to attend our next virtual program on request. Every such complimentary pass is worth Rs 25000/-, which we are donating to the creation of these NextGen data protection professionals.

I hope some will make use of this opportunity.

I hope all these persons will represent the future of DPDPA compliance in India. Some of them may look at generating revenue and building their career, and some may continue their pro-bono work as “Privacy Mitras”.

Naavi/FDPPI, however, want the country to be full of empowered and knowledgeable Data Protection Professionals, so that we stand out as one country which transforms itself into a DPDPA-compliant society in the next decade.

Let us therefore look forward to the emergence of this new eco-system.

Reference: Also see here 

Naavi


DGPSI: Made in India Framework now for GDPR Compliance also

An Indian DPO often works in an environment where the organization encounters both personal data coming under the jurisdiction of DPDPA and personal data coming under GDPR.

DGPSI recommends that data be classified with a “Jurisdiction Tag”, so that data to which DPDPA applies is separated from data to which GDPR (or any other country’s law) applies.

Once this segregation is done, we will have different data buckets, one for each jurisdiction, making the application of controls easy.

While compliance with DPDPA is recommended to be built under the DGPSI-Full (with DGPSI-AI) or DGPSI-Lite frameworks, the bucket of GDPR data needs to be covered only under GDPR. Currently one framework option for this purpose is ISO 27701:2025.
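As an added illustration of the jurisdiction tagging and bucketing described above (this is not DGPSI's or FDPPI's own tooling), the Python below tags each record, partitions records into one bucket per jurisdiction, and looks up which framework's controls apply to a bucket. The applicability rules, the country list, the sample records and the tag-to-framework mapping are simplified assumptions; a record that matches more than one rule goes into its own combined bucket rather than silently landing in a single jurisdiction.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed, simplified applicability rules used only for this illustration;
# they are not the DGPSI text and not a legal test of either law.
EU_EEA = frozenset({"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE", "NO", "IS", "LI"})

# Framework names come from the post; the mapping itself is an assumption.
FRAMEWORK_FOR_TAG = {"DPDPA": "DGPSI-Full or DGPSI-Lite", "GDPR": "DGPSI-GDPR"}

@dataclass(frozen=True)
class Record:
    record_id: str
    subject_country: str     # ISO 3166 code of the data principal / data subject
    processing_country: str  # ISO 3166 code of where the record is processed

def jurisdiction_tags(rec: Record) -> frozenset:
    """Return every jurisdiction tag that applies; a record may carry more than one."""
    tags = set()
    if rec.subject_country == "IN" or rec.processing_country == "IN":
        tags.add("DPDPA")
    if rec.subject_country in EU_EEA:
        tags.add("GDPR")
    return frozenset(tags) if tags else frozenset({"OTHER"})

def bucket_key(tags: frozenset) -> str:
    """Stable bucket name; overlapping tags form their own bucket (e.g. 'DPDPA+GDPR')."""
    return "+".join(sorted(tags))

def segregate(records):
    """Partition records into one bucket per (set of) jurisdiction tags."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[bucket_key(jurisdiction_tags(rec))].append(rec.record_id)
    return dict(buckets)

def frameworks_for_bucket(key: str):
    """Frameworks whose controls apply to a bucket; an unmapped bucket is flagged for review."""
    found = [FRAMEWORK_FOR_TAG[t] for t in key.split("+") if t in FRAMEWORK_FOR_TAG]
    return found or ["REVIEW: no framework mapped"]

# Constructed sample records (not real data).
SAMPLE = [
    Record("r1", "IN", "IN"),  # Indian data principal, processed in India -> DPDPA
    Record("r2", "DE", "DE"),  # EU data subject, processed in the EU -> GDPR
    Record("r3", "FR", "IN"),  # EU data subject processed in India -> both tags, own bucket
    Record("r4", "US", "US"),  # neither rule matches -> OTHER, needs review
]

if __name__ == "__main__":
    for key, ids in sorted(segregate(SAMPLE).items()):
        print(key, ids, frameworks_for_bucket(key))
```

The combined bucket is the case a practitioner should watch: a processor handling EU data in India cannot cover that record with only one framework's controls.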

However, DGPSI, which is basically a principle-based framework, is itself capable of being extended to meet the compliance requirements under GDPR.

To help professionals be GDPR compliant along with DPDPA compliant, DGPSI has now been expanded to DGPSI-GDPR. It is still a 50-specification framework and includes some AI aspects as well. Some of the specifications in the current version have been combined to keep the specification count at 50.

This DGPSI-GDPR therefore becomes a “Made in India for the EU” framework, under which we recommend Indian companies get certified by DGPSI auditors along with DTS maturity assessments.

The framework is being refined and will soon become a DPDPA-GDPR combo offer for implementation by companies who are Data Fiduciaries under DPDPA and Data Controllers/Data Processors under GDPR. The first version of this framework will be discussed in the forthcoming C.DPO.DA. Certification program (Virtual) on December 20/21.

(P.S.: The program will also discuss the Digital Omnibus Proposal of November 19 and the proposed GDPR amendments.)

Interested persons may rush to register themselves ASAP. (The early bird discount expires today.)

Check here for Registration
