Naavi.org

Association of Independent Data Auditors of India is conducting an introductory webinar on “Emergence of Independent Data Auditor” profession in India.

Interested persons may attend the webinar on  23rd May 2026 at 11AM.

The Registration link is available here:
https://us02web.zoom.us/j/88286391275?pwd=wrP6fgGrCWTOVPv9p53RFvo22JgeJo.1

A request circulated by the Secretary AIDAI is reproduced below for your information.

Naavi

Dear Professional Friends,

We are delighted to inform you that the ASSOCIATION OF INDEPENDENT DATA AUDITORS OF INDIA (AIDAI), was established in April 2026 as a pioneering new vertical of FOUNDATION OF DATA PROTECTION PROFESSIONALS IN INDIA (FDPPI).

This initiative marks a significant milestone in India’s evolving data protection and digital governance landscape, arriving at a time when organisations across sectors are preparing to align themselves with the transformative framework introduced under the Digital Personal Data Protection (DPDP) Regime.

AIDAI has been conceived as a forward-looking professional platform dedicated to building a credible ecosystem of INDEPENDENT DATA AUDITORS (IDA) capable of supporting organisations in achieving robust privacy and compliance standards. The platform creates a unique and timely professional pathway for experienced CAs, ICMAs, CS, Legal, GST practitioners and similarly placed professionals, and Governance practitioners, presently in auditing field, to expand their expertise into the rapidly emerging domain of Data Protection Auditing and Privacy Compliance Services. For more information, please listen to YouTube presentations @

https://www.youtube.com/watch?v=_p2JWVG47Qk  and

 https://www.youtube.com/watch?v=B4MF_RdCAX4&t=390s

As you are aware FDPPI is a Section 8 non-profit organisation driven by a nationwide network of distinguished Data Protection and Privacy professionals under the able leadership of Vijayashankar Nagaraja Rao, popularly known as Naavi, a pioneer in the field of Cyber Laws in India. With a vibrant membership base of over 500 professionals across India, FDPPI has consistently worked towards promoting awareness, capacity building, professional excellence, and responsible data governance practices in the country.

Now AIDAI aims to expand privacy-compliance services by formally empanelling qualified professionals to perform DATA PROTECTION AUDITS, ASSESSMENTS, AND ADVISORY SERVICES for businesses seeking compliance under DPDPA 2023, DPDP Rules 2025, and related frameworks. Here are 3 different Empanelment categories of IDA’s and their benefits

1) Probationary Independent Data Auditor (PIDA): Rs3540/- inclusive of GST

Empanelment of Probationary Independent Data Auditors is open to all interested persons to take up Data Auditing.

Benefits: Mentored placement with experienced auditors, discounted training and practice labs, access to sample audit materials, and a pathway to AIDA upon meeting experience and training milestones.

2) Accredited Independent Data Auditor (AIDA): Rs7080/- inclusive of GST

Empanelment  of Accredited Independent Auditors is restricted to those who hold relevant certifications in Privacy or Information Security or Law or Chartered Accountancy, or Cost Accountancy or Company Secretary or other approved certifications. (Check for clarification if required). Necessary evidence needs to be provided for confirmation.

Benefits: Inclusion in AIDAI directory, eligibility for Sectorial-focused audit projects, access to audit templates and checklists, discounted FDPPI resources and webinars, and referral support for client engagements.

3) Certified Independent Data Auditor (CIDA) : Rs11800/- inclusive of GST

Empanelment of Certified Independent Data Auditors is restricted to those who have passed the CIDA examination of FDPPI.

Benefits: Priority listing for large-scale audit assignments, eligibility to lead multi-auditor engagements, FDPPI endorsement for client proposals, continuing professional development credits, and preferential rates on FDPPI training and certification renewals.

Welcome to Introductory Free Webinar: Saturday, 23rd May 2026 @ 11:00AM to introduce AIDAI, explain the empanelment process, and answer your questions, we are organizing a webinar on Saturday, 23rd May 2026 @ 11:00AM.

The session will cover empanelment criteria, application process, code of conduct, empanelment workflow, and commercial terms. There will be a live Q&A to address role-specific queries for Legal and GST professionals.

Please register to join the webinar using the Zoom link below:
https://us02web.zoom.us/j/88286391275?pwd=wrP6fgGrCWTOVPv9p53RFvo22JgeJo.1

Meeting ID: 882 8639 1275
Passcode: 700473

Time: Saturday, 23rd May 2026 @ 11:00AM

We believe AIDAI will create meaningful professional opportunities and help expand high-quality data protection audit capacity, especially for MSMEs that need practical, affordable compliance support. We look forward to your participation and questions during the webinar.

Warm regards,

Srivatsa. R
Chapter Representative, FDPPI / AIDAI
secretary@aidai.org.in

For more details visit https://aidai.org.in  and  https://fdppi.in;

In February 2025, we had introduced the concept of “Super Data Fiduciary”  as part of our discussions  on DPDPA Compliance for Hotels who work under a Brand  Franchise basis. Examples of this category were the Oyo, Treebo, Airbnb or even the Hotel brands like Hilton, Taj, Hyatt, Radisson or Hospital Brands like Apollo or Manipal, Fortis  or Kims, or Wockhart etc.

The law clearly recognizes  only two types of entities under DPDPA namely the Data Fiduciaries and Data Processors.

(Under ITA 2000, there are two types of entities namely “Intermediaries” and “Data Consumers”. A “Data Consumer” under ITA 2000 such as say  is always a Data Fiduciary. An “Intermediary” under ITA 2000 can be a Data Processor or a Data Fiduciary depending on the functions.)

We can however derive  a category of Data Fiduciaries as “Joint Data Fiduciaries” if the purpose and means of use of personal data is shared between two different entities. The data fiduciary which collects the data for a specified purpose is the main data fiduciary and another entity which may determine the means of finance will be the Joint Data Fiduciary. The question of sharing of “Purpose” does not arise since collection is purpose based and who ever declares the purpose and collects the data becomes the Data Fiduciary and the second person who processes the data is always the Data Processor or a  Joint Data Fiduciary.

Now all instances of Business relationships related to DPDPA cannot be classified as an activity between a Data Fiduciary, Joint Data Fiduciary and a Data processor. The umbrella Brand owner may have only licensed the use  of the brand name but is not  directly involved in the collection of personal data. But a data principal who approaches say Atria may be seeing Atria Hotel as part of the Radisson Blue brand. His relationship is dependent on the brand image of Radisson rather than Atria.  Most Franchisee may in order to protect their own reputation may also impose policies and procedures on their affiliates and even have a “Data Sharing” mandate.

In such cases the conflict is whether the  data principal wants to share his data with Radisson brand or Atria Brand? Who is the Data Fiduciary in the minds of the data principal? If the data principal tomorrow raises a legal claim on Radisson for any negligence of Atria, what is the legal liability?.  These are difficult questions to answer.

It is in this context that we introduced the concept of a “Super Data Fiduciary” who stands at the top of the Fiduciary pyramid on perception basis,  under which an operational data fiduciary collects personal data of the data principal, processes it himself or through other Joint data fiduciaries, Data Processors  etc.

Now a similar concept appears to be essential for developing the DGPSI system for the Educational Sector where the University remains at the top . Below the university are the Colleges. Colleges have their own autonomous departments both for teaching, examination, Research, Library maintenance, Sports Maintenance etc.

Personal Data is actually originated at the College level where admissions happen.   (The  CET system may be an exception where the admissions are allocated by the CET authority to a specific college.)

Colleges provide the education, conduct examinations and the examination authority declares the results under the banner of the University. Colleges consume the information as given and record it as part of the student  records.

Thus there may be different “Data Generators” within the Education system who are the first data fiduciaries for the given purpose. Others become joint data fiduciaries or Data Processors. The University however remains the Super Data Fiduciary where every thing is done under their name but executed by other autonomous delegated departments.

Conceptually each of the delegated departments should be considered as “Data Fiduciaries” and the university should be a “Super Data Fiduciary”.

For the purpose of DGPSI, we may need to adopt a precise definition of the Super Data Fiduciary as a jurisprudential thought and we adopt the following definition.

“A Super Data Fiduciary is an entity which, though not necessarily the primary collector or operational processor of personal data, exercises overarching reputational, governance, policy, economic or ecosystem control over subordinate Data Fiduciaries operating under a common brand, institutional framework or delegated authority.”

Points to ponder:

1.The liabilities of the Super Data Fiduciary under DPDPA is not defined and hence DGPSI  need to deefine the responsibilities.

2.  a)The University often comes under the direct governance of a State Government and could be a claimant for the status of “Instrumentality of State” and the associated exemptions. But should this privileged status is to be given to the Colleges? is a moot question.

b) Does the current interpretations of the “Instrumentalities of  State” given out in various Supreme Court decisions in the context of the status of employment of different persons can also be  applied to the Data Processing environment? is another moot point to be clarified.

Let us discuss these in another article in our bid to to explore the DGPSI-Education framework.

Naavi

An Audio explainer  from NotebookLM

Hear the debate here

Also Hear the Kannada Version 

Also hear the Tamil Version

Also hear the Hindi Version

The Podcasts are also available on the Youtube Channel here

AIDAI is a unique concept of bringing Chartered Accountants who are today engaged in Financial Audit into the domain of “Independent Data Auditor”. (ID)

The principal role of an IDA is to ensure compliance of DPDPA and this applies to all those who act as Data Auditors for a Significant Data Fiduciary.

Apart from the natural development of “Privacy Auditors” into the role of IDA, AIDAI has envisaged that ISMS auditors such as “Lead Auditors of ISO 27001” also migrate to be IDAs. This also may look a natural transition.

AIDAI has also identified “Advocates” to be part of the IDA community though they may not be proficient in the technology area.  This is because there is a huge element of legal compliance associated with DPDPA which require experience as a Legal professional. This relates to the contracts with data processors, Defining the status of an Instrumentality of State or Exemption Status, Management of Grievance Redressal, handling of DPB Inquiries. We hope Bar Council will not have any objections for the Advocates to be part of the IDA community.

[P.S: AIDAI is organizing a special talk  on May 23rd to discuss the role of Advocates in AIDAI. (Link for this proposed virtual talk at 11.00 am is here)  ]

However  AIDAI has called for Chartered Accountants also to be part of the IDA network along with the Cost Accountants and Company Secretaries. May be many of the professionals in this domain are uncertain what is the special role that they have in the Data Audits so that they should consider becoming IDAs along with  being what they are now.

However the Data Industry survives on “Data Monetization” which is facing a challenge because of DPDPA. Data Monetization leads to “Data Valuation”.  Hence the Data Governance activity of “Profiling of Data Principal” is linked to finding a value to the personal data and the associated observations. These activities are closely linked to the activities of a Chartered Accountant or a Cost Accountant. The  Company Secretaries on the other hand are responsible for the Corporate Governance and hence should be interested in participating in the Data Audit as part of their responsibilities. If the compliance is not properly managed or if the Data Monetization is not managed properly, the corporate Governance suffers and hence the Company secretaries have a relevant role in Data Audit.

Hence the CAs, CMAs and ICS professionals are considered part of the AIDAI community and we invite them to join hands.

I am presently uncertain about how the ICAI or ICMAI or ICS will react to their members being part of the IDA community.

AIDAI believes in Vasudaiva Kutumbakam. But will others reciprocate?

I invite the views of these professionals to discuss and debate this collaboration of Privacy Auditors with Advocate, CAs, CMAs, and ICS members.

Naavi