Naavi.org

FDPPI was established in 2018 as a Section 8 Company (Not for Profit) with the following three objectives.

1. 1. To build an empowered community of Knowledgeable, Efficient and Ethical Data Protection Professionals who contribute to the development of a Secure Information Society by lawful means.
   2. To enhance the intrinsic Value and Worth of the profession of Data Protection Professionals who  are  directly  or  indirectly  engaged  in  the  activity  of generating, managing, preserving and protecting information.
   3. To bring harmony in the pursuance of Civil Rights of individuals such as Privacy and Freedom of Expression along with the Right to Information and Right to Cyber Security.

In pursuance of this objectives, FDPPI has

a) Developed Certification programs for Professionals

b) Certification Programs for Data Processing companies

With the establishment of DGPSI as a framework for Compliance, FDPPI went further to facilitate Compliance by the industry.

With the establishment of AIDAI (Association of Independent Data Auditors), FDPPI has taken a further step to establish a network of professionals  who can use DPGSI framework, Conduct Audits, Provide Assurance (Using the Data Trust Score system).

In the coming days, FDPPI will focus more on education through FDPPI Study Centers while AIDAI will focus more on the facilitation of Audits.

The DGPSI as a framework of compliance was first introduced for DPDPA Compliance. The Full version with 50 implementation Specifications was the beginning of the DGPSI revolution. The Origin of DGPSI can be traced to IISF 309 which was a framework developed by Naavi for ITA 2000 compliance. (first released in 2009 March). In 2019 after FDPPI came into existence and GDPR was in place, the framework PDPSI (Personal Data Protection Standard of India) was published. As the Government moved from PDPB 2019 to DPDPA 2023, the framework also moved from PDPSI to DGPSI.

In August 2023 when DPDPA became a law, BIS also released a Draft Indian Standard  named “Information Technology-Adequacy of Organizational Data Governance and Management Practices”. This standard had about 20 recommendations related to Privacy.

Since the PDPSI  had already incorporated some of the Data Governance Principles as part of the recommended Standard, the first release of the PDPSI-Upgraded to DPDPA was titled DGPSI making “Data Governance” as a part of “Data Protection” and extending the implementation responsibilities from a CISO or DPO to the entire management of an organization. The principles of Distributed Responsibility, Measurability, Data Valuation, Top Management Responsibility, Business Level Compliance were all “Management  Principles” that were the  essential part of DGPSI. Hence the Privacy related principles of the BIS standard were considered as merged with DGPSI.

After DGPSI was first released in September 2023, it is being continually improved to meet the different segments of the industry.

The first evolution was DGPSI-Lite meant for  SMEs to reduce the burden of compliance. This focussed more on the legal mandate and adopted 36 implementation specifications.

In 2025 with AI coming into prominence DGPSI was extended with a supplementary framework of DGPSI-AI. This is a document which can be considered as a fore runner to AI regulation in India.

Later in 2025, DGPSI family was extended to DGPSI-HR and DGPSI-Data Processor (DP) as well as DGPSI-GDPR.

DGPSI-HR was an attempt to provide a framework for the HR Sector which was the common element of Data Governance across all kinds of establishments.

DGPSI-DP was  another milestone which suggested that Data Processors can voluntarily be compliant with DPDPA through this framework and be “Emancipated”.

Sceptics may say  why burden a compliance which is legally not there. But history tells us that HIPAA and  GDPR both have responsibilities cast on Business Associates/Data Processors.

India’s ITA 2000 itself  extends DPDPA compliance to Data Processors and hence they cannot escape liability one way or the  other.

DGPSI-GDPR was another significant milestone that extended DGPSI to the GDPR compliance requirements.

In the remaining part of 2026, FDPPI is extending the DGPSI with exclusive frameworks for DPDPA Compliance to the Health Care industry, BFSI and Educational Industry sectors.

This vision of FDPPI is farther than any other organization in India including perhaps BIS.

In this context, if BIS is trying to re-invent a compliance standard for Privacy, one can only feel that FDPPI has already moved ahead several years and will continue development of its own compliance systems.

In USA we have seen the emergence of HITRUST as a private organization creating a certifiable standard for HIPAA Compliance which later has extended its activities to other sectors. HITRUST has been recognized  by the HHS which has developed a complimentary relationship.

FDPPI may be a similar example of a Private Initiative in India which will keep providing its own contributions even as BIS may try to introduce its own standard specifications.

Whether BIS will follow the inclusive approach of HHS by joining hands with  FDPPI or try to remain as a “Government Standard” and remains at a distance from DGPSI as Self Regulatory Governance mechanism developed by the industry, time will tell.

Naavi

At a time when BIS is considering re-inventing a framework for Compliance for Privacy  in India, it is necessary to recognize how the DGPSI framework (Data Governance and Protection Standard of India used by FDPPI) has been thinking ahead of the requirements.

In one of the recent Security Studies in USA released on April 7, 2026, it was found that in the health care sector the security breaches involving third parties increased from 15% to 30%. This highlights the need for securing data processed by Data Fiduciaries with the assistance of Data Processors.

If you are a Data Fiduciary, you would therefore think of choosing a Data Processor who empathizes with your exposure to DPDPA liabilities and responds with empathy.

It  is in this context that DGPSI developed a framework called DGPSI-DP meant  for voluntary adoption of a compliance framework by Data Processors.

The normal response of sceptics could be…

“Even the Data Fiduciaries have not adopted compliance, where is the need for Data Processors who have no liability under DPDPA to adopt a compliance framework?”

It is certainly a valid question given the priorities of organizations. But wise corporate managers will realize that it is always better to go with a Data Processor who understands our problems better and has shown an inclination to be DPDPA Compliant even before it is considered mandatory by the law.

Developing an army of such “Trusted Data Processors” is the objective of the framework DGPSI-DP.

A brief view of the framework is already available here:

One can also view the detailed presentation of Naavi made to an open house.

It is time industry recognizes that “What FDPPI thinks today, is what others think  day after tomorrow”

We hope BIS recognizes the futility of re-inventing the wheel by working on a new Privacy Framework from the beginning rather than adopting DGPSI.

Naavi

Naavi

The initiative of DSCI and BIS to work on a framework for compliance under a working group ISO/IEC JTC 1/ SC 27/WG 5 – Privacy Protection & Personal Data Governance is a notable development.

It is good that 3 years after the passing of the DPDPA 2023 and also after the Draft Guidelines of BIS on Data Governance ,  an effort is being initiated to develop a standard for Data Protection .

It is however necessary to point out that this work should not end up as  a “Reinvention of the Wheel”.

We draw the attention of BIS to the existing framework “DGPSI”  or Data Governance and Protection Standard of India which

1. Is a framework developed by an organization of the professionals  namely the FDPPI which is a Section 8 company, exclusively for the Indian scenario
2. FDPPI does not carry the vested interests of the Big Tech
3. The DGPSI Framework is available as a Public Document
4. The Framework is already under implementation by many auditors
5. The Framework comes with variations such as
   1. DGPSI Full
   2. DGPSI Lite (For SMEs)
   3. DGPSI-AI (For AI deployers)
   4. DGPSI-HR (For HR systems)
   5. DGPSI-DP (For Data Processors)
   6. DGPSI-GDPR (For GDPR Compliance)

Documents are available in the form of published printed books and on different websites.

These frameworks could be adopted and fine tuned by BIS into modified frameworks.  It is therefore not necessary for BIS to start a new work from scratch.

We note that BIS is trying to collaborate with DSCI an arm of NASSCOM,  which is strongly influenced by the Big Tech Companies. It is well known that DSCI had filed a dissent note to the Justice Srikrishna Committee in support of the Big Tech Industry along with the many opposition politicians.

We foresee that the framework development process is likely to be under the influence of the Big Tech and not be independent.

We are sure that BIS would have examined this aspect and it would be interesting to understand the logic of BIS in not considering the upgradation of DGPSI into a BIS framework and opting to go for a different exercise for development from scratch.

Even now the BIS  committee can hit the ground running if it picks up the DGPSI framework as the foundation and work a new BIS version.

DGPSI has already has incorporated the August 2023 draft guidelines released by BIS on Data Governance and Data Protection. It is already in the next level of compliance requirement  addressing the requirement of deployment of AI by Data Fiduciaries, the special requirements of the HR sector, SME Sector. It is ready with a recommended framework for the Data Processors and even for the GDPR network.

Hence it does not seem logical that the DGPSI input is excluded from the work of BIS.

We request that BIS may  set up a separate committee to  study these frameworks and if found necessary, reject them before they invest on the new working group.

We draw the attention of the MeitY and the Standing Committee on IT in the Parliament to take the lead in setting up such a  committee so that a proper logic be built  on the need for a new effort at a higher cost rather than modification of the existing frameworks.

DGPSI is a framework made in India for the world..not as a mere slogan, but as a concrete work. FDPPI accepts that the framework can be improved and request BIS to study the framework and if possible adopt it as BIS-DGPSI framework.

We await the top management of BIS  and the Ministry of Consumer Affairs to react to this proposition.

PS: A copy of this note is being forwarded separately to BIS for necessary action.

Refer:

Article on naavi.org:  IS17428 and PDPSI

Draft Guidelines of BIS released in August 2023

FAQ on DGPSI

The Association of Independent Data Auditors of India (AIDAI) was launched in Bengaluru on 11th April 2026 at WoodRose Club, JP Nagar, Bengaluru, 2026.

Though the live broadcast on the YouTube could not be organized as planned, the rest of the program went on successfully.

During the event, Mr Nagendra Javagal welcomed the audience. Mr Ramesh  Venkataraman presented the activities of FDPPI. Naavi introduced the Concept of AIDAI. Mr Vijayendra Shenoy, the CEO of AIDAI shared his plan for the coming years. Mr R Srivatsa proposed the Vote of Thanks

Representatives from different Audit Communities such as Mr Sudarshan Mandyam, Mr B. Jayachandran, Mr Madhava Murthy, as well as Mr Manish as representative of BSPIN and Dr Prashant Koranne as representative of the Data Audit Community from Mumbai were present during the occasion.

A Copy of the Book, Wisdom Companion for Champions of DPDPA Compliance was formally unveiled during the occasion.  Some of the guests spoke during the occasion and shared their views.

During the event empanelment process was also  launched.

AIDAI has started with the ambition of unifying the Auditors scattered across multiple accreditation agencies organizations onto a single platform.  This concept is not natural to the Indian Psyche but an attempt is being made by FDPPI and AIDAI to achieve what is not easy to achieve. I hope this time it is different.

Naavi

Report in Deccan Herald on 12th April 2026: