Naavi.org

The increasing importance of Privacy and Personal Information Management system (PIMS) has prompted ISO to release a dedicated certifiable standard ISO27701:2025 in replacement of the ISO27701:2019 which was an extension of ISO 27001.

ISO 27701:2025 introduces a dedicated PIMS-specific management system framework with clauses 4-10 defining the structure, moving away from the previous dependency on ISO 27001’s framework. The standard maintains the traditional Plan-Do-Check-Act (PDCA) cycle structure but now provides specific guidance for privacy management systems. This restructuring includes context of organization, leadership, planning, support, operation, performance evaluation, and improvement sections tailored for privacy management.

The 2025 version consolidates the previously separate annexes for PII controllers and processors into a single Annex A, simplifying compliance and implementation processes. A new Annex B has been introduced, providing detailed implementation guidance with practical steps for organizations setting up their privacy management framework. This enhancement addresses the limited guidance available in the previous version and offers clearer instructions for practical implementation.

Annex A has been reorganized into distinct controls for PII Controllers (31), PII Processors (18), and shared security controls (29). This clarifies roles and responsibilities.

ISO 27701:2025 encompasses 184 privacy controls organized into five main categories: security management, information security incident management, information security controls, business continuity management, and information security risk management. The standard helps organizations manage personally identifiable information (PII) effectively, whether they act as PII controllers or processors.

The standard provides a jurisdiction-neutral framework that aligns with major privacy regulations including GDPR, making it an effective tool for demonstrating compliance across multiple jurisdictions. It includes specific mappings to GDPR and other international privacy frameworks, helping organizations navigate complex regulatory landscapes while maintaining a single, coherent privacy management approach.

DPDPA 2023 which is being notified shortly introduces opportunities for two new professions in India. First is the DPOs and Second is the Data Auditors.

DPOs will be responsible for implementation and maintenance of DPDPA  Compliance within an organization and will be employees.

Data Auditors would be responsible for conducting annual Data Audits and DPIAs  and will be independent consultants. They will not be the same as Statutory financial auditors nor they will be the ISO 27001 or PCI DSS auditors who are around.

While Naavi is developing with FDPPI, necessary Training and Certification for building necessary skills   for further interaction of those who are already qualified either with FDPPI or with other Certification bodies such as DSCI, a group has been created on Arattai platform. This group should not only enable exchange of professional thoughts but also emerge as a group for representing the interests of the community with the Government.

I invite all interested persons to  join the groups here with this link:

DPO Group on Arattai

Data Auditor Group on Arattai

The objective of the two groups are slightly different. While the DPOs do internal data audits, they are employees of an organization. The Data Auditors on the other hand are entrepreneurial in nature and consultants  by profession.

Considering that “Aspiring DPOs” and “Aspiring Data Auditors” also would like to join the group for their self development, we shall keep  the groups open to all and not have any restrictive entry criteria.

I request interested persons to join and also bring in their current community members.

If we can build a single large community, we should be able to develop into a strong force to ensure that the professional interests of these groups are well nurtured.

Naavi

In anticipation of the release of the rules within this weekend as hinted by the secretary of MeitY a two day physical training program is being contemplated in Mumbai on November 1 and 2. The program will be from 10.00 am to 5.00 pm and held in a hotel in Andheri.

Venue:

IRA by Orchid : IRA By Orchid Mumbai – T2 International Airport (Formerly VITS Mumbai ) Metro Station, Andheri – Kurla Rd, near Chakala, Bhim Nagar, Andheri East, Mumbai, Maharashtra 400059.

The coverage would be

1. Legal nuances of DPDPA and the DPDPA  Rules
2. Classification of DPDPA protected Data (DPD)
3. ROPA as a strategic tool of Compliance
4. Governance  Structuring for meeting the obligations under DPDPA by a Data Fiduciary
5. Technical challenges of Management of Legal Basis for processing and Rights of Data  Principal
6. AI and its challenges in meeting the obligations
7. The Roles of DPO and Data Auditor in the DPDPA era
8. Use of DGPSI as a Compliance Management framework
9. Discussions and case studies

The training would be priced at Rs 15000/- plus GST. (Total Rs 17700/-)Participants would be provided with participation certificates and 12 hours of CPE.

Registration for examination for Certification would be optional.  The fees for examination would be Rs 10000/- plus GST (Total R 11800/-)

The total fees for those who register together would be Rs 25000/-. plus GST. (Total Rs 29,500/-)

An early bird discount is provided for registration upto 15th October 2025

1. Early bird discount for training Rs 3000/- Net fees Rs 12000/- (Rs 14160/0)
2. Early Bird discount for Examination: Rs 2000/-. Net fees Rs 8000/- (Rs 9440/-)

Net price of  the training with certification exam with early bird discount is Rs 20,000/-. (Rs 23,600/-)

The delegate fee will cover breakfast, Lunch and two Tea with snacks.

The registration will be limited to a maximum of 25.  

The program is available offline only. It may be recorded and used for virtual sessions later but concurrent virtual broadcast may not be feasible. Outstation attendees have to make their own arrangements for stay either in the same hotel or otherwise.

The three books namely “Guardians of Privacy…”, “DGPSI, he Perfect  prescription…” and ” Taming the twin risks of DPDPA and AI with DGPSI-AI” would be the reading material. The kindle versions of all three are now available and are recommended for purchase for preparation for the exam which will be open for the batch after November 20th.

Naavi

PS: In the unlikely event of the DPDPA rules not being notified, a free Virtual session would be conducted subsequently to all the participants.

Naavi

PS: In the unlikely event of the DPDPA rules not being notified, a free Virtual session would be conducted subsequently to all the participants.

Registration Process :Please visit here

Success in E Commerce is a combination of technology, supplier chain, pricing strategy and delivery efficiency.

Amazon undoubtedly is in the forefront of e commerce companies and other competitors are unable to catch up in the breadth of product range and pricing.

Many users see product advertisements on Facebook but often prefer to buy from Amazon the same products which may be available in the manufacturer’s website also.

One of the hidden reasons for which Amazon has succeeded  in getting this customer confidence is that the frauds of wrong products being delivered by vendors is reasonably controlled.

Recently, I had an occassion to dispute a supply on Amazon which was not the product ordered. The product supplier was perhaps not  prepared to take the return. But Amazon without question refunded the money even though the product  was not returned.

No doubt, Amazon might have suffered a small loss in the transaction but the customer confidence they would have gained is worth more than that.

On the other hand I recently ordered a product based  on a Face Book advertisement from a site called Apwety and the order was fulfilled by Delhivery.  (Product was not available on Amazon). The product delivered was different and when I checked, this was the experience of many others (Details).

What this indicates is that the customer is a noted fraudster and Delhivery was supporting the fraudster by being the delivery agent for the fraudulent company.

In terms of legal liability of a fraud of this kind, the responsibility has to be considered as “Shared”. In a situation where the Delivery partner is a bigger entity and the end  fraudster is a relatively unknown company, the possibility of legal liability being claimed from the delivery partner is high. The question that one is the principal and the other is the agent has minimal impact and depends on whether the agent is a disclosed agent or not. Also it is only a matter of investigation if the products were switched by the delivery partner or at the source itself.

Hence when an FIR is filed, it will have to be filed against both the E Commerce operator and the delivery partner with “Joint and several responsibility”.

In the instant case, Apwety and Delhivery are therefore jointly and severally responsible for the fraud. On further enquiry it is found that the details on the MCA website about the company representing Apwety has details of promoters which  the registered promoter claims is incorrect since he has sold  his company to another person. This means that Delhivery has not done proper KYC  on their  vendors at the time of their onboarding.

In a parallel case in a Bank scenario, if a customer whose KYC is improper commits a fraud, the Bank  has to take the liability. This is the principle established first with the S.UMashankar Vs ICICI Bank case which was personally handled by me and thereafter several cases in which decisions have been given by the Adjudicator of IT and TDSAT. (In Umashankar case the judgement was endorsed further by the High Court).

Hence if a complaint is formally launched against Delhivery and the E Commerce partner together, Delhivery would be liable to  fulfill the claim and try to recover it from the vendor.

From my experience with Delhivery, an intelligent guess is that there are perhaps hundreds of  fraudulent transactions and scores  of fraudulent customers that Delhivery is supporting. If a formal investigation is launched, it would cause a serious damage to  the company.

The objective of pointing this out  is not to bring disrepute to the Company but to highlight that many companies like this have no understanding of the Risks they run because of the company they keep.

It is in this context that I observed that Delhivery has 8 independent Directors who are expected to be the experts who provide advise to the company on such matters as against three executive directors who may be taking care of Finance, Technology and HR.

This also opens up a thought whether there is any strategy of the entrepreneurs to have 8 non executive independent directors to three executive directors and whether each of the independent directors represent a specific expertise.

Ideally a company should ensure that each of the independent directors take some informal responsibility of managing one area of operations either to assist revenue increase  or  reduce liabilities which are hidden costs.

In today’s world , there are several legal compliance issues that are hidden liabilities for a company and it requires close monitoring. ITA 2000,DPDPA and AI are three such risks that need close monitoring and it  would be a good strategy for organizations to ensure that specific independent directors are assigned oversight responsibilities  to assist the Compliance officer, DPO and the  AI Governance manager.

Naavi

After the Minister of Railways and IT , Mr Ashwin Vaishnav publicly pleaded the Meity Secretary to confirm the date of release of the final rules related to DPDPA, one thought that there will be no turning back.

But it appears that the department still ignored Mr Vaishnav’s soft directive  to release the  rules by September 28th and prioritized the release of the draft rules on the PROGA 2025 which is anyway going to be delayed through a challenge in the Court.

Assuming that the MeitY is not defying their ministerial head, we can presume that the department is working on how the DPDPA rules can be used to give a strong reply to Mr Trump for his Tariff and H1B Visa attacks on India.

Mr Vaishnav has also encouraged  ZOHO and his simple sentence that  he is shifting to Arattai  has created a big wave in favour of ZOHO. We also understand that CHINA is allowing ZOHO to operate in their country to erode Microsoft further.

But so far, Microsoft, Adobe, Google, Meta and Amazon has controlled all narratives of policy in Indian IT. We have many times the practice of sharing proposed drafts of legislation with these US based Tech companies and heeding to their advice. NASSCOM unfortunately is in the control of these giants and hence this consultation with the industry  often means seeking the permission from them to go ahead with our legislation.

We hope at least now MeitY shows its own commitment to Indigenisation by making “Personal Data Localization” mandatory within the next 6 months. We should also ensure that none of the DPB appointments should be based on the recommendations of Meta/Google/Microsoft. Alternatively Data transfer outside India should be subject to a special tariff.

We should also work for reducing our dependencies on the US IT services and encourage ZOHO, Jio, OLA and other Indian entities to take over the work which Meta, Google, Adobe, Amazon, Uber and Microsoft are doing today.

It is high time we create a new independent ministry on IT and appoint a suitable technocrat to head it.

Naavi

While all of us were waiting for the Final Rules for DPDPA to be released, Meity came up with “Draft Rules” for public comments related to Promotion and regulation of Online Gaming Act 2025 (PROGA2025).

Details of the notification are available at www.proga2025.in

The public comments can be submitted by 31st October 2025 by email to ogrules.consultation@meity.gov.in

The draft rules can be accessed here: 

Explanatory notes for the rules can be accessed here

The essential aspect of the rules is the formation of a regulatory body with a Chairperson and Five other members. Three members  will represent the ministries of Information and Broadcasting, youth Affairs and Sports and financial services. Out of the other two one would be a person having special knowledge of and experience in law. The regulatory body may take the assistance of experts as may be necessary.

It is proposed that any online  game service provider intending to seek recognition and registration of an online game as an “Online Social Game” or “E Sport” may on his own volition make an application.

The authority may “Suo moto” or on the basis of application made determine whether an online game is an online money game or otherwise. If a service is considered an “Online money game”, the service shall be stopped immediately and further action may be initiated by the Government.

Naavi