The Era of Certified Independent Data Auditor training begins

The concept of Independent Data Auditor introduced by FDPPI will be a watershed event in the history of Data Protection in India. The Era is now set to begin.

Venue:

Fairfield Marriott, 59th C Cross, 4th M Block, Rajaji Nagar, Bengaluru, India, 560 010

Location

Tentative Curriculum:

Day 1:

-Introduction to the Course
-Overview of DPPA
-Challenges in implementation of DPDPA

-Role of an Auditor vis-a-vis a DPO or a Consultant
-Professional independence and conflict of interest
-Legal exposure and liability of audit opinions
-Engagement acceptance and scope definition
-Ethical standards and confidentiality obligation
-Audit Principles & Methodology: (Principles of ISO 19001
-Audit lifecycle
-Evidence Collection
-Documentation standards and audit trail
-Audit Engagement Contract

Day 2:

-Understanding organisational context and business model
-Stakeholder interview
-Designing audit checklists
-Sampling strategy and time budgeting

-Frameworks (ISO + DGPSI Architecture)
-Introduction to ISO 27701 privacy information management
-DGPSI as an Indian compliance assurance framework
-DGPSI Principles
-DGPSI Full and DGPSI Lite

Day 3:

DGPSI Variants:
-DGPSI-AI — AI governance assurance
-DGPSI-HR — employee data governance audit
-DGPSI-DP — core DPDPA compliance audit
-DGPSI-Hospital-DPDPA Compliance framework for a hospital
-DGPSI-Banks

Audit Simulation

Certification

All participants will get participation Certificates

Online examination will be available after 15 days.  Those who pass the cut off will get the completion certification.

Certificate will be issued as FDPPI-MYRA Certified Independent Data Auditor

Fees:

Rs 30000/-+GST (Toral Rs 35400/-)

Early Bird Discount Rs 5000/- upto 31st July 2026 Rs 5000/- (Net price Rs 25000+GST, Total Rs 29500/-)

REGISTRATION AND PAYMENT OF FEES

Posted in Privacy | Leave a comment

One day workshop in Mumbai on DPDPA

Corporatelore Communication, Mumbai is organizing a one day workshop on DPDPA on 24th July 2026 at Holiday Inn, Mumbai.

The program will be conducted by Naavi.

The details of the program are available below.

Download the flyer

Naavi

Posted in Privacy | Leave a comment

Why we call Data Auditors as “Guardians of DPDPA Compliance”

DPDPA introduced the statutory profession of “Independent Data Auditor” under Section 10.

Section 10 described the additional responsibilities of a Significant Data Fiduciary which stated that the Significant Data Fiduciary shall appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and  periodic DPIA.

Rule 13 of the DPDPA Rules mentions

 -A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board* a report containing significant observations in the Data Protection Impact Assessment and audit. (*Board means Data Protection Board, the regulator)

-A Significant Data Fiduciary shall observe due diligence to verify that technical measures including algorithmic software adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.

In view of the requirement for direct report of significant observations, the Independent Data Auditor (IDA) has been cast a duty on behalf of the regulator.

This provides the IDA a statutory relevance in the eco  system of DPDPA Compliance. In view of this FDPPI interprets that the Data Auditor functions as the eyes and ears of the DPB. The need to be involved in periodic audit also signifies a continuous monitoring of the activity of a significant data fiduciary.

The law does not currently specify the credentials required for being a Data Auditor and what does the word “Independent” imply. It also does not specify if the annual audit, the DPIA and the periodic audits can be performed by different auditors and whether there is any check on an organization playing one auditor against the other.

We hope these issues will be clarified over a period of time by the DPB or MeitY.

However, without waiting for the Government to provide a criteria for the Data Auditors and the Code of Conduct which makes them “Independent”, FDPPI has gone ahead with its own pro active decision to create a knowledge base and certification for the Data Auditors and the Code of Conduct for “Independence”. In order to enforce this code of conduct, FDPPI has created an “Empanelment” under AIDAI (Association of Independent Data Auditors). In order to provide incentivisation for empanelment, AIDAI will be providing a Business Exchange platform which will enable its trained persons to interact with the industry for audit business.

At this point of time we do envisage that an organization may experiment with different auditors for DPIAs while settling down for the annual audit with one of them. However, the changes and the need thereof may be documented by the company and the subsequent auditors.

Since some organizations particularly in the IT services industry may have multiple applications dealing with different sectors, FDPPI envisages that “Sectoral Specialist IDAs” may conduct DPIAs for different sector facing applications. For example if there is an application which can be used both for health care and Finance, the IDA who specializes in health care may conduct a DPIA for health care facing application while finance related application may be audited by an IDA who specializes in Finance.

The DPDPA rules also envisage an audit of “Algorithms” or “AI”. RBI has also indicated that Models and AI need to be audited. In such circumstances there may be a IDA who specializes only in AI models or Autonomous algorithms. Perhaps DGPSI-AI can be used for this purpose.

FDPPI is therefore developing individuals who specialize in different DGPSI frameworks to serve different industries.

Currently the sectoral DGPSI frameworks are available for HR, Data Processor platforms, Banks, Bank Branches, Hospitals. Additional frameworks for Education are also being developed.

In each of these sectors, there is scope for specialization and FDPPI will develop “Champions” for each of the frameworks indicated below.

Watch this space and keep in touch with Naavi if you want to take part in such sectoral specialization.

Naavi

 

Posted in Privacy | Leave a comment

Why DGPSI Bank Branch

(…Continued)

As a further refinement of the DGPSI system for Sectoral compliance, Naavi/FDPPI presents for public debate, the DGPSI-Bank Branch framework. This follows the foundation principle of DGPSI namely “Distributed Responsibility” in DPDPA Compliance.

DGPSI-Bank Branch is a comprehensive framework tailored for Indian bank branches. It acknowledges that compliance starts at the ground level and provides actionable guidance, taking into account the unique operating environment of a bank branch.

Key Features:

Branch as a Compliance Unit:

The framework recognizes each bank branch as an independent unit responsible for personal data processing within its operations.

Empowered Branch Manager:

It designates the Branch Manager as the dedicated Data Protection Officer (DPO) at the branch level, equipping them with the necessary tools and guidance.

Harmonized Compliance:

The framework integrates DPDPA requirements with existing regulatory mandates, including RBI Master Directions and Head Office (HO) directives, ensuring seamless compliance.

Practical Checklists and Toolkits:

It will provide user-friendly checklists, assessment tools, and practical guidance on data mapping, consent management, data security measures, and breach response.

Step-by-Step Implementation Guide:

DGPSI-Bank Branch offers a structured, step-by-step approach to implementing DPDPA compliance within the branch, covering:

Data Discovery and Mapping:

Identifying and classifying personal data processed within the branch.

Consent Management:

Implementing robust consent mechanisms and ensuring lawful processing.

Data Security & Retention:

Enforcing appropriate security controls and adhering to data retention policies.

Individual Rights Handling:

Managing and responding to requests from individuals regarding their data.

Transparency & Notice:

Providing clear and concise information to individuals about data processing.

Data Breach Notification

Providing appropriate data breach identification and notification to the Central DPO

Vendor Management:

Evaluating and monitoring third-party vendors for DPDPA compliance.

Training and Awareness:

Sensitizing branch staff about DPDPA principles and best practices.

Why DGPSI-Bank Branch?

Localized and Relevant:

The framework addresses the specific nuances and challenges of bank branch operations in India.

Reduced Compliance Burden:

By providing structured guidance and ready-to-use tools, it minimizes the complexity and effort required for DPDPA compliance.

Enhanced Data Governance:

DGPSI-Bank Branch promotes better data governance practices within the branch, strengthening data security and reducing data privacy risks.

Increased Trust and Confidence:

Proactive DPDPA compliance builds trust and confidence among customers, enhancing the bank’s reputation.

Avoidance of Penalties:

Adherence to the framework helps branches avoid substantial penalties and legal repercussions associated with non-compliance.

Target Audience:

Branch Managers:

The designated DPOs for their branches, responsible for leading compliance efforts.

Operations Managers:

Key personnel involved in data processing within the branch.

Compliance Officers:

Staff responsible for overall compliance within the bank.

Head Office Executives:

Those responsible for overseeing DPDPA implementation across the bank’s network.

Getting Started:

Review the DGPSI-Bank Branch Framework Document:

Gain a thorough understanding of the principles and requirements. Watch out for in-house training programs conducted by FDPPI for Banks on request.

Assign a Branch DPO:

Appoint the Branch Manager as the dedicated DPO for the branch.

Conduct a Data Audit:

Map the flow of personal data within the branch using the provided templates.

Implement Step-by-Step Guidance:

Follow the implementation guide to put in place the necessary compliance measures.

Utilize the Toolkits:

Leverage the practical checklists and tools for ongoing compliance monitoring and assessment.

By adopting DGPSI-Bank Branch, Indian bank branches can confidently navigate the landscape of DPDPA compliance, creating a secure and transparent data ecosystem that protects customer privacy and enhances trust.

(Naavi would be available for conducting training programs to explain this concept to HO level DPOs of Banks)

…Watch out for more..

Naavi

Posted in Privacy | Leave a comment

DGPSI for Bank Branch Managers

Naavi/FDPPI has been working on DPDPA Compliance for different sectors including Banks.

In this process of developing DGPSI-Banks, it has been recognized that Indian Banks operate with a vide network of physical branches where Branch Managers and their employees interact with the customers starting from new account opening, to conducting KYC, processing loan applications etc. These operations are autonomous operations under the policy guidelines of their head offices which itself works under the RBI guidelines.

RBI guidelines of course are sectoral guidelines within the legal framework such as the DPDPA.

In this context, DGPSI which is the gold standard for DPDPA Compliance has carved out a “DGPSI-Banks” as a framework for Bank level compliance of DPDPA.  Additionally, a separate simplified framework titled “DGPSI-Bank Branch” is being unveiled.

The purpose of this framework is to assist an autonomous Bank Branch to be compliant with DPDPA as a “Branch Level Significant Data Fiduciary”.

Under this scheme, DPDPA working through RBI and the HO will be the compliance guide. The Branch Manager is the “Branch DPO” (or any other name that may be ideally associated to the role) who is accountable for compliance of DPDPA along with the HO instructions, in compliance with RBI master directions and DPDPA.

Watch out for more information on this as we go ahead.

…Continued

Naavi

 

Posted in Privacy | Leave a comment

DPDPA Compliance in a heavily regulated sector like Banks

In quest for the right framework for DGPSI-Banks, it has been necessary to take a deep look at the current regulatory directions from RBI to Banks. Let us restrict ourselves today to the post digital regulatory era in Banking.

After ITA 2000 was enacted, RBI came up with the recommendations on Internet Banking following the trend setting S R Mittal Group recommendations. Subsequently in 2008 after the amendments of ITA, RBI followed up with the Information security guidelines recommended by the G Gopalkrishna Committee reports. Subsequently the Cyber Security framework 2016 was notified.  We have discussed most of these developments in Naavi.org.

After DPDPA 2023 came into existence, RBI came up with the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices”. Recently RBI has come up with the draft AI guidelines 2026. (Comments are open upto 24th July) These were guidelines which could have incorporated the guiding principles of DPDPA 2023.

RBI has however preferred to restrict its focus in these guidelines to “Information Security” and tried to avoid conflict with the DPDPA.

The AI guidelines however do make a reference to protection of consumer interests without going into details.

In the master direction, there are specific provisions about “Explicit Consent”, “Dark patterns”, “Avoidance of compulsory bundling”, “Total loss compensation for mis selling”. These are directly related to the Consent Rules of DPDPA 2023 and also to the Consumer Protection Act 2019.

DGPSI-Bank as a framework therefore needs to factor in these guidelines. Accordingly the following become guidelines for implementation of DGPSI-Banks.

  1. The single, pre-ticked “I agree to all terms and conditions” checkbox is officially non-compliant. There needs to be a centralized and highly specific consent management mechanism.
  2. Regulated entities must obtain standalone, affirmative consent for every individual financial product or service sold, including third-party offerings
  3. Digital interfaces must automatically default to “No” or “I do not agree.” Users must explicitly choose to opt-in via active physical or electronic steps (e.g., OTP confirmations or digitally recorded validations).
  4. Financial institutions are required to build a centralized, timestamped consent trail that can survive rigorous supervisory review and must be retained for at least one year after the contract terminates.
  5. Product managers and UX designers are now directly linked to regulatory compliance. RBI has banned manipulative user interfaces that trick consumers into unintended financial commitments such as Basket sneaking, Confirm shaming and Forced actions & subscription traps (under consumer protection act, 13 different practices have been notified as dark pattern practices for which criminal punishments may be given)
  6. The common banking practice of making a core product conditional on buying an auxiliary product (e.g., refusing a home loan unless the borrower purchases life insurance from their joint-venture insurance partner) is banned.
  7. Lenders can specify the type of risk mitigation needed, but the customer retains absolute freedom to choose the third-party provider
  8. Bank and NBFC employees are prohibited from directly or indirectly receiving direct commissions or kickback incentives from third-party service providers
  9. Institutions must actively seek customer feedback within 30 days of a sale to verify the customer truly understood the product’s risks and lock-in conditions.
  10. If mis-selling or un-consented bundling is established, the institution is legally mandated to refund the entire amount paid and compensate for any financial loss.
  11. Regulatory liability now fully extends to Direct Selling Agents (DSAs), Direct Marketing Agents (DMAs), sub-agents, and Third-Party Product Service (TPPS) representatives.
  12. Any third-party agent operating within bank premises must wear clear, distinct on-person identification to ensure customers do not mistake them for core bank employees

These guidelines become part of DGPSI-Banks under the provisions of Consent Management, Data Processor management and other policies.

As regards the AI guidelines, incorporation of human oversight, Kill switch etc are already part of the DGPSI-AI framework and it gets integrated to DGPSI-Banks also.

A Question that arises at the end of this discussion is if DGPSI-Banks should have a DGPSI-Bank Branch version.  Comments are welcome.

Naavi

 

 

Posted in Privacy | Leave a comment