Naavi.org

There are two rumours/news-plants that are running in the media about DPDPA Rules. They are

a) Government may accelerate the time line for implementation from 18 months to 12 months in some respects.

b) TCS is likely to apply for Consent Manager license.

Let us briefly review these two issues.

It would be welcome if the Government goes for a faster implementation time line particularly for the large companies who are already compliant with global laws and are capable of implementing the law within the next 6-9 months. Given the fact that DPB is yet to be formed, a period of 1 year seems reasonable.

It is possible that for SMEs the implementation can be kept at the present level of 18 months so that they will have the benefit of observing the implementation challenges as resolved by the large entities before the smaller entities can jump in with lesser resources for software selection and implementation. This could even be part of the promise in the budget today.

Second aspect is the TCS applying for being a Consent  Manager. While it appears logical that a conglomerate like TCS would consider it attractive to have an in-house consent manager for its group entities, the “Conflict” situation could be very tough to handle.

Secondly we are aware that TCS has the record of entering the business of Certifying Authorities and later exiting. This is not a good track record to boast for a business like Consent Manager and the group may have to disclose the reasons for their surrendering the  Certifying Authority license since similar possibilities may also exist in TCS surrendering the Consent Manager license in the future.

Now that the Government is considering revision of some of the rules, I suggest some changes to the consent manager rules.

The Current Consent Manager rules under Rule 4 suggest that data can be transferred from one data fiduciary to another at the instance of the consent manager. This amounts to “Data Portability” which the parent law has omitted as a “Right of the Data Principal”.  The rule therefore is “Ultra-Vires” the law at least in legislative intent.

Secondly, we have pointed out that if the Consent Manager does not have “Visibility” to the data, the rigorous conflict related conditions appear to be an overkill. It can be modified if the Government comes out of its blinkers that Consent Manager is like an Aggregator in the DEPA framework.

Yesterday, I was discussing with the “Spastic Society of Karnataka”  on the possibility of such NGOs to become specialist Consent Managers for “Disabled Data Principals”.  These institutions know who is entitled to be in this category, what they need from the Internet and what is the law of guardianship for such persons better than any other commercial organizations. It therefore appears that such organizations should be allowed to be “Consent Managers” for some niche category of data principals. However such organizations may not be able to fulfill say the Capital requirement nor they may be “Companies incorporated in India”.

Hence we suggest that the Government should consider providing exemptions from some conditions of the Rules under Rule number 4 to enable such genuine NGOs to be the consent managers for their niche areas of operation.

Hope the MeitY considers these suggestions when they think of making some changes to the November 13 rules for which they have had a closed door meeting with the privileged Tech Giants.

Naavi

When we started working on the Internet in the early 1990s we used to speak about the need to bridge the “Digital Divide”. In this pursuit of equality of the citizen and the netizen we created a new merged world of Cinezens. While  Citizens derived the benefit of E Commerce and E Governance due to this merger, Cyber Criminals exploited this situation by committing Cyber Crimes and get away with it due to weaknesses in law and the enforcement systems.

Now we are seeing an ugly face of this cyber crime where there is a complete dependence of citizens on the Internet and this dependence is creating a field day for psychological manipulators in cheating the innocent citizens .

New technology developments such as AI and VR/AR have only increased the cyber crime risks for the society. One offshoot of this development is the increasing addiction of our children to mobiles which is a concern for the next generation.

It is time that  we try to find a solution to this and make our Children safe on the Internet. Merely asking them not to use mobile will not work since the usage will go “Underground”.

Hence we need to ensure that even if the children continue to use Internet and the devices, the harm is reduced substantially.

Some measures we need to consider in this direction is for schools to work towards creating an awareness that “Cyber World is different from Physical World” and we need to learn “Not to trust any message online without Fact Checking”.

In other words we need to build a psychological barrier for children to recognize  that mixing the cyber experience with real experience is dangerous. The augmented reality, the games that mix cyber space  existence with real life need to be  closely monitored and regulated.

We understand that the Government is thinking of banning mobile for children like what Australia has done. Probably this will help a little but real  success comes from children voluntarily distancing themselves from Mobiles and the reels.

The SMART network is a guideline but we need to  design strategies to create a psychological digital divide so that children know that the two societies are different  and should not be mixed.

May be  we require  the Schools to work more on this aspect while they continue to promote the responsible use of Internet through computers. Access through Computers at our option and access through mobile whenever it “Trings” are two different things and this has to be recognized.

All of us including adults need to remember the need for “Ulysses Contracts” where use of the screen is at our choice and not at the device’s choice.

AI specialists should work on how to prevent addiction rather than create more and more addiction. If not, regulators  need to step in with a liberal interpretation of “Dark Patterns” which are already recognized as Crimes in our legislations such as Consumer Act, ITA 2000 and DPDPA 2023.

Need to discuss these during the S P Acharya Endowment  lecture today at Bangalore.

Naavi

The next C.DPO.DA. program will be conducted by FDPPI as a Virtual Program on February 21 and 22, 2025.

The program will be conducted by Naavi and will cover the following topics.

Day 1:

Legal nuances of DPDPA and the DPDPA  Rules
Classification of DPDPA protected Data (DPD)
ROPA as a strategic tool of Compliance
Technical challenges of Management of Legal Basis for processing and Rights of Data  Principal
Digital Omnibus GDPR Amendments
DGPSI-GDPR  introduction

Day 2:

Governance  Structuring for meeting the obligations under DPDPA by a Data Fiduciary
The Roles of DPO and Data Auditor in the DPDPA era
Use of DGPSI as a Compliance Management framework
AI and its challenges in meeting the obligations with DGPSI AI
Comparison of DGPSI with ISO 27701

Fees Rs 29500/- including all taxes . This includes fees for examination (One attempt). Subsequent attempts Rs 5000/- (Subject to changes)

Interested persons may kindly join here:

PAY HERE FOR REGITRATION

Also fill up the application form here

For any clarifications, contact  Naavi

Naavi

As India prepares for the DPDPA Era, it has become necessary for organizations to explore the technical tools required to work towards compliance. FDPPI has already unveiled the Compliance frameworks, conducted many awareness sessions and also created many certified professionals.

It is time now to move to the next level of assisting the industry for compliance with assistance to understand and evaluate technical tools necessary for DPDPA Compliance.

It is natural that all existing international software solution providers who are already in the game serving the GDPR community are now eyeing the “Big and Beautiful Indian market” which is “Tariff Free”  and are tweaking their software to meet DPDPA requirements. Some of them are opening Indian subsidiaries to give their software a local touch.

Many Indian start ups are also venturing into the development of software for DPDPA Compliance including the Six shortlisted companies which are into the final round of development of the open source “Consent Management” software in the Coding Challenge.

Many large entities are however not relying on the external software suppliers and are developing their  own in-house software for compliance .

Already many of the professionals in the organizations have started gathering data and taking presentations from the vendors. Those who were already using some international products are experiencing the customization for DPDPA.

We as a community of Data Protection Professionals need to understand where the industry stands as of today, who are the serious players and what are their offers and what is the experience of the early users are. We know that these are early days and experience is sketchy. Many have only the marketing presentations to depend for their understanding. But this is early 2026 and we need to make an  assessment of what do we have today.

FDPPI has therefore launched the country’s first survey of DPDPA Compliance tools as a perception study from the users.

The Indian National Survey of DPDPA Compliance tools is an initiative launched by Naavi and FDPPI as a part of the celebration of the International Privacy Day of 2026.

The survey is now open and over the next one month till end February 2026, will collect the data. It will then be analysed and a report would be prepared.

Kindly access the survey here

Your views will be consolidated and all respondents will get a copy of the final report if they have shared their contact e-mail in the form

The tool manufactures can participate in the survey identifying their role as vendors of solutions. FDPPI would also give a one hour slot to them to present their software in one of the Jnaana Vardhini Sessions to the members of FDPPI  if interested.

Naavi

The first Indian National Survey of DPDPA Compliance tools in India is now open. FDPPI would request professionals with relevant information to contribute to this survey.

We are aware that a very few organizations in India have actually started implementation of DPDPA Compliance. Out of them many have implemented their in-house software development capability to meet the requirements. A few would have used the internationally available tools like OneTrust since they were perhaps already using them for GDPR compliance.

It is natural to expect that most of the big players claim that their software is also compatible with DPDPA Compliance.

To have the first hand account from the users of these products, FDPPI has opened this survey.

The Survey should have two benefits

1. All those who complete the survey are entitled to a copy of the report when ready. (Provided they have shared their contact details).
2. Additionally the survey has been so constructed that the completion of the form itself would give a fair idea of the requirements.

It is our endeavour to make the effort and time used worthy.

It is possible that  many are just aware of the products and may have taken demos but do not have a hands on experience. We have added them also in this survey so that the respondent’s base is wide.

Direct link to the survey is here:

Naavi

Way back in 2015, Naavi had initiated India’s first survey of Cyber Insurance.  It was a survey to ascertain the status of the industry at that point of time. We presume it was useful to the industry and today the industry has grown by leaps and bounds.

Now is the time for DPDPA Compliance and the entire industry is looking for appropriate tools for implementing Compliance. FDPPI has been doing its bit to assist the industry with its DGPSI Compliance framework. But the industry is eagerly looking forward to technical tools for data discovery, classification, consent Management and other requirements of compliance.

There are many international software products which are also claiming to have already customised for DPDPA. Most of them have substituted the key words such as Data Fiduciary for Data Controller but the skeleton of the engine is still the GDPR. Many Indian companies are trying to adopt DPDPA concepts into the GDPR  framework since changing over to another software is very cumbersome and expensive. Putting the DPDPA into the body created for GDPR is like an orthodox Indian soul getting into a foreigner’s body on reincarnation.

There are many Indian companies who are trying to build indigenous products and some of them (Not all)  have also been part of the MeitY exercise for developing an open source Consent Management Platform.

In this scenario, it is time for the launch of the First Indian National Survey of DPDPA Compliance tools.

FDPPI is therefore launching an open survey in this regard and is preparing to publish  the questionnaire as part of its “International Privacy Day” celebration.

At the same time Naavi is also launching his next book in E Form named “Wisdom Companion for Champions of DPDPA”

This book will be the fourth in the series of books released by Naavi starting with “Guardians of Privacy, a comprehensive  handbook on DPDPA 2023 and DGPSI, DGPSI, the perfect prescription for DPDPA Compliance and Taming the twin challenges of DPDPA And AI”.

These books trace the progressive development of Information and converting them into knowledge and implementation skills. The new book will cover the DPDPA Rules along with the recent additions to DGPSI family namely DGPSI-GDPR, DGPSI-HR and DGPSI-Data Processor.

The Print version may take a little while but the Kindle version will be ready by this week.

There is a rumour that the Government may pre-pone the implementation of DPDPA from 13th May 2027 to 13th may 2026. Whether it materializes or not, FDPPI is racing ahead with its activities to prepare the country for the DPDPA Compliance Era.

Naavi