FDPPI has established itself as a Standards Organization

Posted on April 21, 2026 by Vijayashankar Na

FDPPI was established in 2018 as a Section 8 Company (Not for Profit) with the following three objectives.

    1. To build an empowered community of Knowledgeable, Efficient and Ethical Data Protection Professionals who contribute to the development of a Secure Information Society by lawful means.
    2. To enhance the intrinsic Value and Worth of the profession of Data Protection Professionals who  are  directly  or  indirectly  engaged  in  the  activity  of generating, managing, preserving and protecting information.
    3. To bring harmony in the pursuance of Civil Rights of individuals such as Privacy and Freedom of Expression along with the Right to Information and Right to Cyber Security.

In pursuance of this objectives, FDPPI has

a) Developed Certification programs for Professionals

b) Certification Programs for Data Processing companies

With the establishment of DGPSI as a framework for Compliance, FDPPI went further to facilitate Compliance by the industry.

With the establishment of AIDAI (Association of Independent Data Auditors), FDPPI has taken a further step to establish a network of professionals  who can use DPGSI framework, Conduct Audits, Provide Assurance (Using the Data Trust Score system).

In the coming days, FDPPI will focus more on education through FDPPI Study Centers while AIDAI will focus more on the facilitation of Audits.

The DGPSI as a framework of compliance was first introduced for DPDPA Compliance. The Full version with 50 implementation Specifications was the beginning of the DGPSI revolution. The Origin of DGPSI can be traced to IISF 309 which was a framework developed by Naavi for ITA 2000 compliance. (first released in 2009 March). In 2019 after FDPPI came into existence and GDPR was in place, the framework PDPSI (Personal Data Protection Standard of India) was published. As the Government moved from PDPB 2019 to DPDPA 2023, the framework also moved from PDPSI to DGPSI.

In August 2023 when DPDPA became a law, BIS also released a Draft Indian Standard  named “Information Technology-Adequacy of Organizational Data Governance and Management Practices”. This standard had about 20 recommendations related to Privacy.

Since the PDPSI  had already incorporated some of the Data Governance Principles as part of the recommended Standard, the first release of the PDPSI-Upgraded to DPDPA was titled DGPSI making “Data Governance” as a part of “Data Protection” and extending the implementation responsibilities from a CISO or DPO to the entire management of an organization. The principles of Distributed Responsibility, Measurability, Data Valuation, Top Management Responsibility, Business Level Compliance were all “Management  Principles” that were the  essential part of DGPSI. Hence the Privacy related principles of the BIS standard were considered as merged with DGPSI.

After DGPSI was first released in September 2023, it is being continually improved to meet the different segments of the industry.

The first evolution was DGPSI-Lite meant for  SMEs to reduce the burden of compliance. This focussed more on the legal mandate and adopted 36 implementation specifications.

In 2025 with AI coming into prominence DGPSI was extended with a supplementary framework of DGPSI-AI. This is a document which can be considered as a fore runner to AI regulation in India.

Later in 2025, DGPSI family was extended to DGPSI-HR and DGPSI-Data Processor (DP) as well as DGPSI-GDPR.

DGPSI-HR was an attempt to provide a framework for the HR Sector which was the common element of Data Governance across all kinds of establishments.

DGPSI-DP was  another milestone which suggested that Data Processors can voluntarily be compliant with DPDPA through this framework and be “Emancipated”.

Sceptics may say  why burden a compliance which is legally not there. But history tells us that HIPAA and  GDPR both have responsibilities cast on Business Associates/Data Processors.

India’s ITA 2000 itself  extends DPDPA compliance to Data Processors and hence they cannot escape liability one way or the  other.

DGPSI-GDPR was another significant milestone that extended DGPSI to the GDPR compliance requirements.

In the remaining part of 2026, FDPPI is extending the DGPSI with exclusive frameworks for DPDPA Compliance to the Health Care industry, BFSI and Educational Industry sectors.

This vision of FDPPI is farther than any other organization in India including perhaps BIS.

In this context, if BIS is trying to re-invent a compliance standard for Privacy, one can only feel that FDPPI has already moved ahead several years and will continue development of its own compliance systems.

In USA we have seen the emergence of HITRUST as a private organization creating a certifiable standard for HIPAA Compliance which later has extended its activities to other sectors. HITRUST has been recognized  by the HHS which has developed a complimentary relationship.

FDPPI may be a similar example of a Private Initiative in India which will keep providing its own contributions even as BIS may try to introduce its own standard specifications.

Whether BIS will follow the inclusive approach of HHS by joining hands with  FDPPI or try to remain as a “Government Standard” and remains at a distance from DGPSI as Self Regulatory Governance mechanism developed by the industry, time will tell.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Privacy. Bookmark the permalink.