Blockchain Technology in Healthcare

The healthcare industry in India is increasingly exploring the use of Blockchain technology for managing Electronic Health Records. Blockchain, Smart Contracts and AI are the new technologies that the industry is trying to adopt as it moves ahead.

At the same time, the DPDPA is hanging like a sword of Damocles over all health care companies such as Hospitals, Health Research Labs, Diagnostic Centers etc. Most of these health care organizations deal with sensitive and ultra-sensitive personal data including DNA records, genetic abnormalities, life-threatening disease information etc. By virtue of this sensitivity, even with a smaller volume of data being processed, most Health Care companies fall into the category of “Significant Data Fiduciaries” who are required to follow stringent compliance requirements.

The exemption under DPDPA 2023 is limited to Research institutions, which are exempted from the Consent and Rights clauses. But certain standards of security would still be applicable, and the exemption is restricted to instances where the data is not used for taking any decision on the data principal. In the case of a pure research laboratory, this condition may be applicable. But Hospitals and research institutions which share their research with their associate hospitals or drug testing companies will not be able to take the benefit of these exemptions.

Legitimate use as an alternative to Consent may be available in certain cases for Hospitals handling medical emergencies and life-threatening situations, but not in all cases.

When organizations use Blockchain technology, they have a challenge in managing the Data Principal’s consent during the lifecycle of the data, and in the management of consent modification, withdrawal, Right of Access etc.

Some Blockchain architectures like IPFS (InterPlanetary File System) or RBTS (Reference Based Tree Structure) try to overcome this problem of deleting data after it has gone into a blockchain by keeping the data in off-chain storage with only a hash value going into the blockchain, or by placing a reference pointer in the main block and keeping the data in a different sub-chain.
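The off-chain pattern described above, as an added example that is not IPFS, RBTS or any project's own code: only a salted hash of each record goes on the chain, the data and its salt sit in a deletable off-chain store, and consent withdrawal erases the off-chain copy while the chain stays intact and verifiable. Names such as OffChainLedger and commit_record are this example's own assumptions.

```python
import hashlib
import os
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Block:
    index: int
    prev_hash: str
    record_id: str
    commitment: str  # sha256(salt + data); no personal data lives on the chain

    def hash(self) -> str:
        return sha256(f"{self.index}|{self.prev_hash}|{self.record_id}|{self.commitment}".encode())

@dataclass
class OffChainLedger:
    # Hypothetical model: an append-only chain of commitments plus a
    # deletable off-chain store of (salt, data) keyed by record_id.
    chain: list = field(default_factory=list)
    store: dict = field(default_factory=dict)

    def commit_record(self, record_id: str, data: bytes) -> Block:
        # Salt stays off-chain with the data: after erasure the commitment cannot be
        # brute-forced from guessable values such as blood group or diagnosis codes.
        salt = os.urandom(16)
        prev = self.chain[-1].hash() if self.chain else "0" * 64
        block = Block(len(self.chain), prev, record_id, sha256(salt + data))
        self.store[record_id] = (salt, data)
        self.chain.append(block)
        return block

    def verify_record(self, record_id: str) -> bool:
        # True only while an off-chain copy exists and matches its commitment.
        if record_id not in self.store:
            return False
        salt, data = self.store[record_id]
        return any(b.record_id == record_id and b.commitment == sha256(salt + data) for b in self.chain)

    def erase_record(self, record_id: str) -> bool:
        # Consent withdrawal / erasure: drop the off-chain copy and its salt; the block stays.
        return self.store.pop(record_id, None) is not None

    def chain_valid(self) -> bool:
        # Every block must carry the hash of its predecessor.
        for i, b in enumerate(self.chain):
            expected = self.chain[i - 1].hash() if i else "0" * 64
            if b.index != i or b.prev_hash != expected:
                return False
        return True
```

The on-chain commitment still remains after erasure, which is why the salt is kept off-chain: without it the hash is not a usable fingerprint of the deleted record.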

The problem of managing a blockchain where the chain continues with 50% or 67% consensus of the nodes instead of 100% is another risk that these systems may pose to the data fiduciaries.

When Smart Contracts and AI are also used along with the blockchain, the combination may enlarge the risks rather than limit them.

It is therefore necessary for the technology advisors to the Health care industry to understand the law and adapt it to the new technologies used in the industry. While “Innovation” in technology is welcome, we must understand that the responsibility for compliance increases with technology instead of reducing. Hence there has to be a proper Governance mechanism that goes with the use of frontier technologies.

We need to watch out how organizations manage this conflict between Innovation and Responsibility.

Naavi

 

Posted in Privacy

TCS as a Consent Manager?.. Why Can’t it be an NGO like Spastic Society of Karnataka?

There are two rumours/news plants running in the media about the DPDPA Rules. They are:

a) Government may accelerate the timeline for implementation from 18 months to 12 months in some respects.

b) TCS is likely to apply for Consent Manager license.

Let us briefly review these two issues.

It would be welcome if the Government goes for a faster implementation timeline, particularly for large companies who are already compliant with global laws and are capable of implementing the law within the next 6-9 months. Given the fact that the DPB is yet to be formed, a period of 1 year seems reasonable.

It is possible that for SMEs the implementation period can be kept at the present level of 18 months, so that they will have the benefit of observing how the implementation challenges are resolved by the large entities before the smaller entities jump in with lesser resources for software selection and implementation. This could even be part of the promises in the budget today.

The second aspect is TCS applying to be a Consent Manager. While it appears logical that a conglomerate like TCS would consider it attractive to have an in-house consent manager for its group entities, the “Conflict” situation could be very tough to handle.

Secondly, we are aware that TCS has the record of entering the business of Certifying Authorities and later exiting. This is not a good track record to boast of for a business like Consent Manager, and the group may have to disclose the reasons for surrendering the Certifying Authority license, since similar possibilities may also exist for TCS surrendering the Consent Manager license in the future.

Now that the Government is considering revision of some of the rules, I suggest some changes to the consent manager rules.

The current Consent Manager rules under Rule 4 suggest that data can be transferred from one data fiduciary to another at the instance of the consent manager. This amounts to “Data Portability”, which the parent law has omitted as a “Right of the Data Principal”. The rule therefore is “Ultra Vires” the law, at least in legislative intent.

Secondly, we have pointed out that if the Consent Manager does not have “Visibility” of the data, the rigorous conflict-related conditions appear to be an overkill. This can be modified if the Government comes out of its blinkered view that a Consent Manager is like an Aggregator in the DEPA framework.

Yesterday, I was discussing with the “Spastic Society of Karnataka” the possibility of such NGOs becoming specialist Consent Managers for “Disabled Data Principals”. These institutions know who is entitled to be in this category, what they need from the Internet, and what the law of guardianship for such persons is, better than any commercial organization. It therefore appears that such organizations should be allowed to be “Consent Managers” for some niche category of data principals. However, such organizations may not be able to fulfill, say, the Capital requirement, nor may they be “Companies incorporated in India”.

Hence we suggest that the Government should consider providing exemptions from some conditions of the Rules under Rule 4 to enable such genuine NGOs to be consent managers for their niche areas of operation.

Hope MeitY considers these suggestions when it thinks of making changes to the November 13 rules, for which it has had a closed-door meeting with the privileged Tech Giants.

Naavi

Posted in Privacy

Cyber Safety for Children: Digital Divide is a requirement

When we started working on the Internet in the early 1990s, we used to speak about the need to bridge the “Digital Divide”. In this pursuit of equality between the citizen and the netizen, we created a new merged world of Cinezens. While Citizens derived the benefit of E-Commerce and E-Governance due to this merger, Cyber Criminals exploited this situation by committing Cyber Crimes and getting away with them due to weaknesses in the law and the enforcement systems.

Now we are seeing an ugly face of this cyber crime, where there is a complete dependence of citizens on the Internet and this dependence is creating a field day for psychological manipulators cheating innocent citizens.

New technology developments such as AI and VR/AR have only increased the cyber crime risks for society. One offshoot of this development is the increasing addiction of our children to mobiles, which is a concern for the next generation.

It is time that we try to find a solution to this and make our Children safe on the Internet. Merely asking them not to use mobiles will not work, since the usage will go “Underground”.

Hence we need to ensure that even if the children continue to use Internet and the devices, the harm is reduced substantially.

Some measures we need to consider in this direction are for schools to work towards creating an awareness that the “Cyber World is different from the Physical World” and that we need to learn “Not to trust any message online without Fact Checking”.

In other words, we need to build a psychological barrier for children to recognize that mixing the cyber experience with real experience is dangerous. Augmented reality and games that mix cyber-space existence with real life need to be closely monitored and regulated.

We understand that the Government is thinking of banning mobiles for children, like Australia has done. Probably this will help a little, but real success comes from children voluntarily distancing themselves from Mobiles and the reels.

The SMART network is a guideline, but we need to design strategies to create a psychological digital divide so that children know that the two societies are different and should not be mixed.

Maybe we require the Schools to work more on this aspect while they continue to promote the responsible use of the Internet through computers. Access through Computers at our option and access through mobile whenever it “Trings” are two different things, and this has to be recognized.

All of us, including adults, need to remember the need for “Ulysses Contracts”, where use of the screen is at our choice and not at the device’s choice.

AI specialists should work on how to prevent addiction rather than creating more and more addiction. If not, regulators need to step in with a liberal interpretation of “Dark Patterns”, which are already recognized as Crimes in our legislations such as the Consumer Act, ITA 2000 and DPDPA 2023.

I need to discuss these during the S P Acharya Endowment lecture today at Bangalore.

Naavi

 

Posted in Privacy

Next C.DPO.DA. Program: Feb 2026

The next C.DPO.DA. program will be conducted by FDPPI as a Virtual Program on February 21 and 22, 2025.

The program will be conducted by Naavi and will cover the following topics.

Day 1:

Legal nuances of DPDPA and the DPDPA Rules
Classification of DPDPA protected Data (DPD)
ROPA as a strategic tool of Compliance
Technical challenges of Management of Legal Basis for processing and Rights of Data Principal
Digital Omnibus GDPR Amendments
DGPSI-GDPR introduction

Day 2:

Governance Structuring for meeting the obligations under DPDPA by a Data Fiduciary
The Roles of DPO and Data Auditor in the DPDPA era
Use of DGPSI as a Compliance Management framework
AI and its challenges in meeting the obligations with DGPSI AI
Comparison of DGPSI with ISO 27701

Fees Rs 29500/- including all taxes. This includes the fee for the examination (one attempt). Subsequent attempts Rs 5000/- (subject to change).

Interested persons may kindly join here:

PAY HERE FOR REGISTRATION

Also fill up the application form here

For any clarifications, contact Naavi

Naavi

Posted in Privacy

Indian National Survey of DPDPA Compliance Tools.. Be part of this trend setting survey

As India prepares for the DPDPA Era, it has become necessary for organizations to explore the technical tools required to work towards compliance. FDPPI has already unveiled the Compliance frameworks, conducted many awareness sessions and also created many certified professionals.

It is time now to move to the next level of assisting the industry in compliance, with assistance to understand and evaluate the technical tools necessary for DPDPA Compliance.

It is natural that all existing international software solution providers who are already in the game serving the GDPR community are now eyeing the “Big and Beautiful Indian market”, which is “Tariff Free”, and are tweaking their software to meet DPDPA requirements. Some of them are opening Indian subsidiaries to give their software a local touch.

Many Indian start-ups are also venturing into the development of software for DPDPA Compliance, including the six shortlisted companies which are in the final round of development of the open source “Consent Management” software in the Coding Challenge.

Many large entities are, however, not relying on external software suppliers and are developing their own in-house software for compliance.

Already many professionals in organizations have started gathering data and taking presentations from the vendors. Those who were already using some international products are experiencing the customization for DPDPA.

We as a community of Data Protection Professionals need to understand where the industry stands as of today, who the serious players are, what their offers are, and what the experience of the early users is. We know that these are early days and experience is sketchy. Many have only the marketing presentations to depend on for their understanding. But this is early 2026 and we need to make an assessment of what we have today.

FDPPI has therefore launched the country’s first survey of DPDPA Compliance tools as a perception study from the users.

The Indian National Survey of DPDPA Compliance tools is an initiative launched by Naavi and FDPPI as a part of the celebration of the International Privacy Day of 2026.

The survey is now open and will collect data over the next one month, till end February 2026. It will then be analysed and a report would be prepared.

Kindly access the survey here

Your views will be consolidated, and all respondents will get a copy of the final report if they have shared their contact e-mail in the form.

Tool manufacturers can participate in the survey, identifying their role as vendors of solutions. FDPPI would also give a one-hour slot to them to present their software in one of the Jnaana Vardhini Sessions to the members of FDPPI, if interested.

Naavi

Posted in Privacy

Survey of DPDPA Compliance Tools is now Open

The first Indian National Survey of DPDPA Compliance tools in India is now open. FDPPI requests professionals with relevant information to contribute to this survey.

We are aware that very few organizations in India have actually started implementation of DPDPA Compliance. Of them, many have built in-house software development capability to meet the requirements. A few would have used internationally available tools like OneTrust, since they were perhaps already using them for GDPR compliance.

It is natural to expect that most of the big players claim that their software is also compatible with DPDPA Compliance.

To have a first-hand account from the users of these products, FDPPI has opened this survey.

The Survey should have two benefits:

  1. All those who complete the survey are entitled to a copy of the report when ready (provided they have shared their contact details).
  2. Additionally, the survey has been so constructed that completing the form itself would give a fair idea of the requirements.

It is our endeavour to make the effort and time spent worthwhile.

It is possible that many are just aware of the products and may have taken demos but do not have hands-on experience. We have included them also in this survey so that the respondent base is wide.

Direct link to the survey is here:

Naavi

 

Posted in Privacy