Change is continuous. Be an Enriched and Elite Certified DPO…

When we last conducted a C.DPO.DA. program on November 1 and 2 at Mumbai, we called it an “Elite DPO” program because we had added DGPSI-AI into the curriculum, which otherwise included the basic DPDPA law and implementation challenges along with the implementation framework of DGPSI Full and DGPSI-Lite. We also briefly added the ISO 27701:2025 version to update the “Elite” curriculum.

Before the examination for the candidates was due, the DPDPA Rules came into place on November 13. We conducted a supplementary session and included it in the examination that followed.

Now, on November 19, several changes to GDPR have been brought in through the Digital Omnibus Rule, which become relevant to DPOs who are also handling GDPR data in their organizations in India.

We have therefore decided that in the December 20-21 program, we shall “Enrich” the “Elite” curriculum with

a) DIGITAL Omnibus GDPR modifications
b) A brief coverage of DGPSI-GDPR as a framework

This will be in addition to the

1. Legal nuances of DPDPA 2023 and DPDPA Rules

2. Implementation challenges for DPDPA, including Classification, ROPA, Governance Structure, DPIA etc.

3. Role of DPO and Data Auditor

4. DGPSI as a tool for compliance implementation and audit

We anticipate a shortage of time within the 12 hours allocated. We may therefore need to supplement the 12 hours of interaction with additional study material in the form of videos.

We hope participants will see the value of these enrichments, which only FDPPI can give.

The “Enriched, Elite C.DPO.DA program” comes at a price of Rs 25000/- till tomorrow EOD. Thereafter the price would be Rs 29500/- including GST.

It is your right to choose to miss out on this special program…

Register today here

Naavi

Posted in Privacy | Leave a comment

Amendments to GDPR

On 19th November 2025, the EU proposed some amendments to GDPR through the “Digital Omnibus Regulation” package, which could become effective later in the year after the necessary approval formalities.

The Digital Omnibus package includes the Data Act, which introduces a unified framework for data regulations. It merges and streamlines certain rules for enabling the free flow of non-personal data.

The following proposals are meant to amend GDPR; they address simplification of compliance for smaller businesses and clarify the position on AI development.

1. Redefining “Personal Data”

The Package proposes two amendments to clarify the concept of “personal data” under the GDPR (references to the “Amended GDPR” relate to the GDPR as it would be amended under the proposals set out in the Package).

  • Definition of “personal data” (Art.4(1) Amended GDPR) – The definition of “personal data” under the Amended GDPR would be amended, effectively codifying the recent decision of the CJEU (Court of Justice of the EU).
    • The revised definition would clarify that information is not personal data for a given entity if that entity cannot identify the natural person to whom the information relates, taking into account “the means reasonably likely to be used” to achieve identification.
  • Pseudonymisation (new Art.41a Amended GDPR) – The Package also introduces the possibility that pseudonymised data may, in certain circumstances, no longer be considered personal data for certain entities.
    • The details of such circumstances would be specified through implementing acts adopted by the Commission.

2. Artificial Intelligence

Two additional proposals in the Amended GDPR address the processing of personal data when developing and deploying AI systems and models.

  • Processing for AI development (new Art.88c Amended GDPR) –
    • The Package includes a new provision to clarify that controllers can rely on legitimate interests under Art. 6(1)(f) Amended GDPR to process personal data for the development and operation of an AI system.
      • Such reliance would remain subject to the usual balancing test for legitimate interests, appropriate safeguards, and any EU or Member State laws that expressly require consent for the relevant processing.
  • Special category personal data (“SCD”) and AI systems (Art.9(2) & new Art.9(5) Amended GDPR)
    • The proposed amendments would allow residual processing of SCD in the context of developing and deploying AI systems and models, provided that the controller “effectively protect[s] without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties”.
      • The proposed addition of Art.9(5) in the Amended GDPR also makes clear that, as a general rule, SCD should not be used for the development or operation of AI systems.

3. Key Operational Amendments

The Package also proposes to revise several practical data protection obligations, including data subject access requests (“DSARs“), personal data breach notifications, and data protection impact assessments (“DPIAs“).

  • (a) DSARs (Art.12(5) Amended GDPR) –
    • The proposed amendment introduces a new ground for refusing (or charging a reasonable fee for responding to) a DSAR where “the data subject abuses the rights conferred by [the Amended GDPR] for purposes other than the protection of their data” (emphasis added).
      • The scope of this exemption remains uncertain, including whether it could assist organisations in responding to a DSAR submitted in litigation, where the purpose of the DSAR appears to be to obtain information for use in that litigation.
  • (b) Personal data breach notifications (Art.33 Amended GDPR) –
    • The proposed amendment would:
      • (i) raise the threshold for notifying data protection supervisory authorities (“SAs“) regarding personal data breaches, aligning the threshold in the Amended GDPR with the threshold for notifying data subjects (i.e., only where a breach “is likely to result in a high risk to the rights and freedoms of natural persons”);
      • (ii) extend the deadline for notifying SAs from 72 to 96 hours; and
      • (iii) introduce a single-entry point for incident reporting (once established), which would also act as the single-entry point for various other related notifications (e.g., under NIS2 / DORA).
      • In addition, the European Data Protection Board (“EDPB“) would be mandated to prepare a common notification template and a list of circumstances in which a breach is likely to result in a high risk to an individual’s rights and freedoms, with both instruments subject to review at least every three years and updates where necessary.
  • (c) DPIAs (Art.35 Amended GDPR) –
    • The proposed amendment would harmonise DPIA requirements across the EU through EU-wide guidance.
      • Under this approach, the EDPB would compile unified lists of processing activities that do or do not require a DPIA, and create a standard DPIA template and methodology.
      • Once approved by the Commission, these EU-wide lists would supersede national lists, ensuring that organisations face the same DPIA triggers across all Member States. Any national lists already published by SAs would continue to apply until the Commission adopts the relevant implementing act.
  • (d) ROPA exemption for SMCs (Small midcap companies*) and SMEs –
    • The omnibus package extends the Article 30(5) exemption to SMCs and SMEs (less than 250 employees), so that the record-keeping obligation applies only to “high risk” processing such as AI profiling or biometrics, and removes disqualifiers like occasional processing or special category data (except employment-related processing under Article 9(2)(b)).

(* SMCs are defined as enterprises with fewer than 750 employees, a total balance sheet not exceeding EUR 129 million and an annual net turnover not exceeding EUR 150 million. SMEs are currently defined as enterprises with under 250 employees, combined with an annual turnover of up to EUR 50 million or a balance sheet total of up to EUR 43 million.)

  • (e) Cookie banners and ePrivacy –
    • The package integrates ePrivacy rules into GDPR, enabling one-click accept/refuse for cookies, with the choice respected for 6 months.

It is observed from the suggested changes that the EU authorities are correcting some of the stringent provisions in the earlier version.

In the DGPSI-GDPR version of the framework being developed by FDPPI, these changes will be incorporated, though they become legally effective only after the necessary clearances.

The change to the definition of Personal Data, excluding data which cannot be reliably identified with a natural person, reflects the principle already adopted under DGPSI, where only a “set of data elements” which together identify an individual is considered “Personal Data” and not otherwise. The exclusion of “Pseudonymised Data” from the definition aligns with the definition of “Anonymisation”, where the user of the data cannot identify the individual.

The changes to the DSAR are similar to the RTI regulation in India, where the Right to Information is denied when it is requested in support of an intended litigation.

Naavi

Reference:

Proposed Amendments to GDPR

All amendments: Digital Omnibus Proposal; Annexes

An Expert DPO is not created in a day. FDPPI understands this and incorporates it in its C.DPO.DA. program

The C.DPO.DA. program conducted by Naavi/FDPPI is unique, since those who attend the program and get certified by passing the examination will get a free membership of FDPPI for one year, along with an opportunity to receive ongoing mentoring to make their life as DPO more productive. During this period, short of consultancy, they can get personal advice on issues that they may encounter in their DPO role.

We believe that an Expert DPO cannot be created in a day, however good the training is. It requires professionals to digest the concepts, apply them in practice and refine their understanding.

Is there any organization that provides a similar handholding…?

Naavi


Your CDPO certificate should be “Earned”. It is not just a feather to be bought in the market.

This is in continuation of my response to the question raised by a professional on why anybody should choose FDPPI Certification instead of other certifications available at a lesser cost.

Naavi’s views on the commoditization of “CDPO” as a tag that can be acquired just by registering for an online webinar:

Being a “CDPO” does not end with only knowing DPDPA 2023. It should equip the professional with the ability to take on the responsibility of being a DPO.

We observe that there is a proliferation of “CDPO” courses to take advantage of the rush in demand for professionals to be “Certified as CDPO”.

While it is good that there are many organizations providing education related to Data Protection, just as has happened in the ISO certification game, “CDPO” certificates have become a commodity on sale, or close to it.

This should stop.

If anybody can register for a webinar and be called a “Certified” DPO, it dilutes the quality of other DPOs who, with years of experience and hours of effort, try to understand the application of the law to the technical environment in a systematic manner.

There are three elements of being a good DPO. First, they should understand the law. Second, they should understand how the technical architecture has to be rebuilt to meet the legal requirements. Third, there should be a handbook guiding how to meet the requirements.

Lastly, “Participation” in a program is necessary but not sufficient to consider a person “Certified”.

FDPPI therefore provides “Participation Certificates” distinct from the final “Certificate”, which is issued only after successful completion of an examination. “Evaluation-based certificates” are different from “Participation Certificates”; both have their value, but evaluation-based certificates are distinctly superior to participation certificates.

FDPPI does not end its certification training with classes on DPDPA 2023 only, but discusses the technical challenges and extends it with a “Framework” as a guideline. The “Framework of FDPPI” for DPDPA Compliance is DGPSI, which is available as an open-source framework in both a “Lite” version and a “Full” version, with an extension for AI deployment.

At present there is no other training program that discusses a DPDPA Compliance framework along with the DPDPA law and implementation challenges.

We want professionals who aim to acquire “Knowledge and Skills” not to fall into the trap of picking up “Webinar Participation Certificates” and calling themselves “Certified”.

I hope organizations that recruit DPDPA-trained professionals distinguish the two kinds of certificates and ask “Where were you Certified and How?” before accepting anybody as a “Certified DPO”.

FDPPI’s C.DPO.DA. program is conducted in offline and online modes from time to time. The next program is being conducted online on December 20 and 21, for which registrations are now open.

Fees for early birds up to 12th is Rs 25000/-. Subsequently it will be Rs 29500/- with GST.

It is a comprehensive program which covers the law, the technology challenges as well as the implementation framework. The 12 hour online session is supplemented with another 12 hours and 43 minutes of recorded videos which include GDPR coverage in detail. Reading material and recommended books make the kit of the “Certified” professional complete.

The C.DPO.DA. participants get 12 hours of CPE credit and a participation certificate which is different from the final certificate which is issued to those who pass a three hour online examination.

Yes, it is tough to be a C.DPO.DA. from FDPPI, but we want “Certificates” to be earned.

All participants of the FDPPI course also get one year of complimentary membership of FDPPI for continued interaction with like-minded professionals. This will enable the participants to remain under the mentorship of FDPPI/Naavi when they have to implement their acquired knowledge in practice.

So, think before you choose how you are to be “Certified” as DPO.

I hope my friend who asked the question “Why FDPPI” is satisfied.

Any other comment is welcome.

Naavi


“Indigo Lesson” for DPDPA

The Indigo fiasco is a good education for all organizations and MeitY regarding the DPDPA Compliance deadline, which comes on 13th May 2027.

The problem of Indigo was directly related to its stubborn attitude of refusing regulatory compliance and challenging the Government, much the same way as Meta, Amazon, Google or X would like to do for the implementation deadline under DPDPA.

Given that Indigo refused to make arrangements for compliance even though 2 years were available for planning and implementation, and tried to stall the implementation with court cases, the Ministry was unable to foresee the game plan and even now is struggling to force Indigo to take corrective action.

Since there was prima facie evidence of deliberate negligence as claimed by the pilots, there was a case for criminal action against the CEO of the company who should have been arrested immediately (Could have been released on bail to initiate further action after which the case could have been withdrawn). But the Ministry of Civil Aviation was not strong enough to do it.

In the DPDPA case also, though 2 years are available, many organizations could raise objections in court a few months before the deadline and force the Government to extend the due date. There is no guarantee that MeitY will be more committed than the Ministry of Civil Aviation in enforcing compliance.

Hence it is necessary for the DPB to keep following how the major companies are moving towards compliance in the interim period of the next 17 months and push organizations to show their preparations.

SEBI should indicate that, under the Clause 49 declaration, every listed company should declare the “DPDPA Non-Compliance Risk” in its annual report. Companies that do not come under such listed companies must be pushed by the sectoral regulators to file an Action Taken Report for DPDPA Compliance every quarter from now onwards.

Shareholders of companies should also raise this issue in AGMs. Media should try to track the implementation efforts independently, so that we do not see a crisis on May 13, 2027 when a company may say “I am not compliant and will cause disturbance in the society if I am forced.”

Hope MeitY and the DPB will take appropriate technical and governance measures to ensure compliance by the specified date.

FDPPI has a “Privacy Watch” page where the public can report their observations on apparent violations, so that a record can be kept of any deliberate challenge mounted against the Government rejecting the compliance requirements.

Naavi
