Independent Data Auditors form the ADAS system for Data Fiduciaries.
In modern cars we find the “Advanced Driver Assistance System” or ADAS, which improves driving safety. This includes alerts on speed or lane discipline. A similar system, the “Advanced DPDPA Assistance System”, is represented by the “Independent Data Auditors”, a profession subtly recognized by DPDPA 2023 and identified by FDPPI.
This is the profession of “Independent Data Auditors” (IDA). FDPPI is the first to recognize the need for this profession and has taken the effort to nurture it by starting an “Association of Independent Data Auditors of India” (AIDAI).
AIDAI was launched formally on 11th April 2026 at a physical function in Bangalore. But for the larger audience, AIDAI is being presented through a town hall meeting today, the 27th April 2026, at 7.00 pm. The link for free registration is available here:
The objective of this meeting is to introduce the nature and potential of this profession and to invite professionals like ISO 27001 lead auditors, Chartered Accountants, Cost Accountants, Company Secretaries etc. to join the forum and expand their activities into Data Audit.
AIDAI also has the ambition of adopting “Probationary Independent Auditors” who will undergo training for a period and work as interns and assistants to other DPOs before getting themselves “Accredited” or “Certified”.
AIDAI is built on the principle of “Vasudaiva Kutumbakam”, inviting all professionals in similar areas of specialization to come together on one platform. What may surprise many, but comes naturally to FDPPI, is that even professionals who are certified by other organizations as DPOs or Chartered Accountants or CMAs are accepted as “Accredited” Independent Data Auditors and empanelled in AIDAI.
AIDAI plans to conduct an induction program (a physical event) for all newly empanelled IDAs some time in June 2026 at Bangalore, to introduce them to the basics of the profession of IDA.
Who is an IDA?
DPDPA 2023 expects a set of professionals who will undertake “an evaluation of the compliance of a Significant Data Fiduciary in accordance with the provisions of the Act”.
The law prescribes that a Significant Data Fiduciary shall appoint an independent data auditor (IDA) to carry out the data audit.
It is the vision of FDPPI that has flagged this statutory role of an “IDA” as a professional who will be the “Guardian of Data Accountability”. Accordingly the new institution AIDAI is born.
AIDAI is currently a Division of FDPPI, led by a CEO, Mr Vijayendra Shenoy, who is a veteran Information Security specialist, and supported by a Governance Committee.
The team at AIDAI will be guided by a group of Advisors who are leaders in their own right in the industry. The Group of Advisors, which is being finalized, will consist of leaders from related domains such as ISO auditors, DPDPA specialists, Chartered Accountants etc.
Prospects for IDAs
According to Rule no. 13 of DPDPA:
A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.
A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board (Ed: Data Protection Board which is the regulator) a report containing significant observations in the Data Protection Impact Assessment and audit.
These are the statutory activities that an “Independent Data Auditor” must perform, and they are mandatory in respect of a Significant Data Fiduciary.
There is, however, still a need for clarity about “Who is a Significant Data Fiduciary” and whether the Government will take the responsibility of “Notifying” a data fiduciary as a “Significant Data Fiduciary” or leave it to the judgement of a “Data Fiduciary” to determine for itself whether it is a “Significant” data fiduciary or not, based on the volume and sensitivity of personal data processed.
The Government cannot know the intricacies of the processing that a data fiduciary is undertaking and hence, except by defining sensitive sectors like Health Care or Fintech, cannot individually identify data fiduciaries who can be notified as “Significant Data Fiduciaries”. It will therefore be a self-determination responsibility of a Data Fiduciary.
In the context of the use of biometrics and AI by most organizations, a large number of data fiduciaries who may not have high volumes of data will still possess “Sensitive personal information” with “Unknown AI Risk”. Hence wise organizations will err on the safe side by self-classifying themselves as Significant Data Fiduciaries and take the assistance of Independent Data Auditors to help them keep within the lane and also to alert them from time to time when they tend to take an unacceptable risk.
The profession which will act as this “Advanced DPDPA Assistance System” (ADAS) is that of the Independent Data Auditors, who will assist the DPOs and guide the management towards the right path.
FDPPI and AIDAI are committed to nurturing this profession and making it the key pillar of creating the DPDPA compliance culture in the country. It is indirectly the support structure for “Privacy Protection through Personal Data Protection”.
We invite all interested persons to join the town hall today and come on board this profession of the future.
Naavi
Survey on DPDPA Compliance Tools
At FDPPI we started a “User Perception Survey on Privacy Software Compliance with DPDPA 2023” some time in January 2026.
The objective was to collect responses from DPOs and companies about their current experience of the tools they were using. We later requested the tool manufacturers also to use the same survey to report the utility of their tools.
During the survey, responses were sought on the following specific parameters which the tools were expected to have.
- Risk Assessment
- Data Discovery-Structured Data
- Data Discovery-Unstructured Data
- Classification of Data as per DPDPA requirements
- Creation of ROPA/Inventory of Processes
- Privacy Notice Generation
- Consent Collection
- Consent Lifecycle Management
- Consent Manager Handling
- Rights of Access and Deletion
- Rights of Grievance Redressal
- Rights of Nomination
- Management of pseudonymisation
- Management of Encryption
- Management of CIA of personal data
- Management of Data Breach Identification
- Data Breach Notification
- Cross Border Data Transfer
- Management of Verifiable Consent of guardian
- Management of Legitimate use based Processing
- Identification of Significant Data Fiduciary Status
- Management of Data Processing contracts
- Management of Processing under Processor’s control
- Management of Employee Data as an exclusive category
- Management of DRP/BCP
- Creation of Personal Data Inventory
- Management of Data Governance Structure
- Management of Data Retention
- Data Audit Management
- Any other
In this comprehensive list we had indicated what a DPO expects from the software.
We must admit that the responses received were lukewarm. Many responses were incomplete. Some were anonymous.
The reasons could be
a) Experience of the industry is non-existent
b) Tool developers themselves are not confident of speaking about their products.
c) Many of the tools listed in the survey are not being used by companies at this point of time and only exist as offerings.
We admit that some of the tool developers would like to consider their tool capabilities as confidential and would not like to expose the weaknesses at this time to the professional community.
The lack of response is therefore not surprising. However, we take on record that the first such survey in India has been done and will be repeated from time to time.
If some tool owners want to keep themselves out of such surveys, it is their choice.
All tools claimed to support “Risk Assessment”, but on other parameters only a few claimed support. Most tools claimed support for Data Inventory creation, Consent Management and Classification, though we have our doubts on the quality of performance in these areas.
However, we look forward to further information from some of the tool developers who are likely to make their demo presentations to FDPPI, and hope to get good responses on the 29 points mentioned above.
Naavi
FDPPI has established itself as a Private Sector Standards Organization
FDPPI was established in 2018 as a Section 8 Company (Not for Profit) with the following three objectives.
- To build an empowered community of Knowledgeable, Efficient and Ethical Data Protection Professionals who contribute to the development of a Secure Information Society by lawful means.
- To enhance the intrinsic Value and Worth of the profession of Data Protection Professionals who are directly or indirectly engaged in the activity of generating, managing, preserving and protecting information.
- To bring harmony in the pursuance of Civil Rights of individuals such as Privacy and Freedom of Expression along with the Right to Information and Right to Cyber Security.
In pursuance of these objectives, FDPPI has
a) Developed Certification programs for Professionals
b) Certification Programs for Data Processing companies
With the establishment of DGPSI as a framework for Compliance, FDPPI went further to facilitate Compliance by the industry.
With the establishment of AIDAI (Association of Independent Data Auditors), FDPPI has taken a further step to establish a network of professionals who can use the DGPSI framework, conduct audits and provide assurance (using the Data Trust Score system).
In the coming days, FDPPI will focus more on education through FDPPI Study Centers while AIDAI will focus more on the facilitation of Audits.
DGPSI as a framework of compliance was first introduced for DPDPA Compliance. The full version with 50 implementation specifications was the beginning of the DGPSI revolution. The origin of DGPSI can be traced to IISF 309, a framework developed by Naavi for ITA 2000 compliance (first released in March 2009). In 2019, after FDPPI came into existence and GDPR was in place, the framework PDPSI (Personal Data Protection Standard of India) was published. As the Government moved from PDPB 2019 to DPDPA 2023, the framework also moved from PDPSI to DGPSI.
In August 2023 when DPDPA became a law, BIS also released a Draft Indian Standard named “Information Technology-Adequacy of Organizational Data Governance and Management Practices”. This standard had about 20 recommendations related to Privacy.
Since the PDPSI had already incorporated some of the Data Governance Principles as part of the recommended Standard, the first release of the PDPSI upgraded to DPDPA was titled DGPSI, making “Data Governance” a part of “Data Protection” and extending the implementation responsibilities from a CISO or DPO to the entire management of an organization. The principles of Distributed Responsibility, Measurability, Data Valuation, Top Management Responsibility and Business Level Compliance were all “Management Principles” that were an essential part of DGPSI. Hence the Privacy related principles of the BIS standard were considered as merged with DGPSI.
Since DGPSI was first released in September 2023, it has been continually improved to meet the needs of the different segments of the industry.
The first evolution was DGPSI-Lite meant for SMEs to reduce the burden of compliance. This focussed more on the legal mandate and adopted 36 implementation specifications.
In 2025, with AI coming into prominence, DGPSI was extended with a supplementary framework, DGPSI-AI. This is a document which can be considered a forerunner to AI regulation in India.
Later in 2025, the DGPSI family was extended to DGPSI-HR and DGPSI-Data Processor (DP) as well as DGPSI-GDPR.
DGPSI-HR was an attempt to provide a framework for the HR Sector which was the common element of Data Governance across all kinds of establishments.
DGPSI-DP was another milestone which suggested that Data Processors can voluntarily be compliant with DPDPA through this framework and be “Emancipated”.
Sceptics may ask why one should take on a compliance burden which is legally not there. But history tells us that HIPAA and GDPR both have responsibilities cast on Business Associates/Data Processors.
India’s ITA 2000 itself extends DPDPA compliance to Data Processors and hence they cannot escape liability one way or the other.
DGPSI-GDPR was another significant milestone that extended DGPSI to the GDPR compliance requirements.
In the remaining part of 2026, FDPPI is extending the DGPSI with exclusive frameworks for DPDPA Compliance to the Health Care industry, BFSI and Educational Industry sectors.
This vision of FDPPI reaches farther than that of any other organization in India, including perhaps BIS, in the limited space of Data Protection.
In this context, if BIS is now trying to develop a compliance standard for Privacy, one can only feel that it is a reinvention of what has already been done, with FDPPI having already moved ahead by several years. FDPPI will continue development of its own compliance systems.
In the USA we have seen the emergence of HITRUST as a private organization creating a certifiable standard for HIPAA Compliance, which later extended its activities to other sectors. HITRUST has been recognized by the HHS, which has developed a complementary relationship with it.
FDPPI may be a similar example of a Private Initiative in India which will keep providing its own contributions even as BIS may try to introduce its own standard specifications.
Whether BIS will follow the inclusive approach of HHS by joining hands with FDPPI, or try to remain a “Government Standard” and stay at a distance from DGPSI as a Self Regulatory Governance mechanism developed by the industry, time will tell.
Naavi