Naavi.org

The first Indian National Survey of DPDPA Compliance tools in India is now open. FDPPI would request professionals with relevant information to contribute to this survey.

We are aware that a very few organizations in India have actually started implementation of DPDPA Compliance. Out of them many have implemented their in-house software development capability to meet the requirements. A few would have used the internationally available tools like OneTrust since they were perhaps already using them for GDPR compliance.

It is natural to expect that most of the big players claim that their software is also compatible with DPDPA Compliance.

To have the first hand account from the users of these products, FDPPI has opened this survey.

The Survey should have two benefits

1. All those who complete the survey are entitled to a copy of the report when ready. (Provided they have shared their contact details).
2. Additionally the survey has been so constructed that the completion of the form itself would give a fair idea of the requirements.

It is our endeavour to make the effort and time used worthy.

It is possible that  many are just aware of the products and may have taken demos but do not have a hands on experience. We have added them also in this survey so that the respondent’s base is wide.

Direct link to the survey is here:

Naavi

Way back in 2015, Naavi had initiated India’s first survey of Cyber Insurance.  It was a survey to ascertain the status of the industry at that point of time. We presume it was useful to the industry and today the industry has grown by leaps and bounds.

Now is the time for DPDPA Compliance and the entire industry is looking for appropriate tools for implementing Compliance. FDPPI has been doing its bit to assist the industry with its DGPSI Compliance framework. But the industry is eagerly looking forward to technical tools for data discovery, classification, consent Management and other requirements of compliance.

There are many international software products which are also claiming to have already customised for DPDPA. Most of them have substituted the key words such as Data Fiduciary for Data Controller but the skeleton of the engine is still the GDPR. Many Indian companies are trying to adopt DPDPA concepts into the GDPR  framework since changing over to another software is very cumbersome and expensive. Putting the DPDPA into the body created for GDPR is like an orthodox Indian soul getting into a foreigner’s body on reincarnation.

There are many Indian companies who are trying to build indigenous products and some of them (Not all)  have also been part of the MeitY exercise for developing an open source Consent Management Platform.

In this scenario, it is time for the launch of the First Indian National Survey of DPDPA Compliance tools.

FDPPI is therefore launching an open survey in this regard and is preparing to publish  the questionnaire as part of its “International Privacy Day” celebration.

At the same time Naavi is also launching his next book in E Form named “Wisdom Companion for Champions of DPDPA”

This book will be the fourth in the series of books released by Naavi starting with “Guardians of Privacy, a comprehensive  handbook on DPDPA 2023 and DGPSI, DGPSI, the perfect prescription for DPDPA Compliance and Taming the twin challenges of DPDPA And AI”.

These books trace the progressive development of Information and converting them into knowledge and implementation skills. The new book will cover the DPDPA Rules along with the recent additions to DGPSI family namely DGPSI-GDPR, DGPSI-HR and DGPSI-Data Processor.

The Print version may take a little while but the Kindle version will be ready by this week.

There is a rumour that the Government may pre-pone the implementation of DPDPA from 13th May 2027 to 13th may 2026. Whether it materializes or not, FDPPI is racing ahead with its activities to prepare the country for the DPDPA Compliance Era.

Naavi

FDPPI has set up a SIG to evaluate Privacy Management tools available for DPDPA Compliance. The SIG is currently collecting information from users and evaluating them. Several Indian solutions providers are providing brief demos  to the FDPPI members during the Jnaana Vardhini Sessions in 2026.

This exercise will continue and will  enable Indian solution providers to reach out to the professionals who are associated with FDPPI.

In this context, it is noted that Forrester Wave has published it’s Q4-2025 report which has  placed One  Trust, Securiti and Big ID as the leading software solutions for Privacy Management. Transcend, Relyance AI, Truyo and  Trust Arc have been  placed in the “Strong performers” category. Additionally a couple of more software like Ketch and Osano are also  in the list of contenders for the leadership.

The  FDPPI’s SIG for Tool evaluation will be making a special evaluation of these Nine tools from the DPDPA perspective.

We are aware that “Only the wearer knows where the shoe pinches”. Hence to evaluate these solutions further,  the  SIG invites information from users in a survey to be set up for the purpose.

Participation is open to Indian Companies who are using and exploring to use any of these six tools. The Survey form would be distributed to the companies individually and a representative of FDPPI may contact  them for collecting their views. The report when generated would be shared with these participating companies free of charge. The results may also be separately collated into a document with anonymised attribution and released to others.

Organizations interested in participating in the survey and obtain a copy of the final report are requested to contact Naavi.

FDPPI may also share a complementary recommendation on how the usage of the tool can be customized for DGPSI compliance.

Naavi

Most of us are familiar with the “Periodic Table” used in Chemistry to group elements into different groups for better understanding  their properties and also to predict some missing members of a pattern.

Now Mr  Martin Keen of IBM Technology has brought out an interesting presentation of a “Periodic Table for AI Terms” in this video

The video tries to briefly explain and categorize the terms used in the AI domain into a table of 4 rows and five columns.

The Four rows are Primitive, Compositions, Deployment and Emerging terms.

The five columns are five groups  of terms namely, Reactive, Retrieval, Orchestrations, Validation and Models .

It is an excellent  attempt to assist decoding of the technical terms used by the industry.

A clean table for better readability is here:

Naavi

When CBDC was introduced in India (Refer: “Article CBDC Will change the World Economic Order” in 2022, we had indicated that the CBDC-W was useful in substituting the SWIFT mechanism and can be extended to Exporters and Importers. We had however held that CBDC-R for retail use may not be that useful since in India we already have the UPI system.

Much before the concept of CBDC emerged, we had commented in our article in 2016 ” Here is how the Currency shortage can Vanish in a jiffy with Digi-Real Currency“.  We had also explored in 2022, the impact of Data Protection Bill 2022 on CDC in our article “CBDC or E Rupee and the Data Protection Bill 2022” .

The concepts discussed in these articles remain relevant today and gains further strength not only because DPDPA has been enacted but also because India has now actively begun cooperating with the BRICS countries to introduce a currency exchange mechanism through the CBDCs of each country.

Watch the video from PGurus in this regard.

The video discusses the possible exchange system where settlements between the BRICS Countries may move through a central exchange currency which could be the CBDC-Rupee. In this system any payment to be made between Country A to Country B  will first be converted from the importer country to E-Rupee and then E-Rupee to the CBDC of the Exporter country.

The Clearing mechanism can be owned by any one of the participating country or  a consortium of countries like the “Board of CBDCs” which can be created to replace SWIFT.

At the same time, a thought arises if CBDC-R may also be  made relevant by creating an exchange mechanism within India between the E-Rupee in retail with the UPI system.

Currently in the UPI system, the requests between the payer and the receiver is routed through the NPCI to the respective banks who initiate the bank to bank transfer of money. These transactions directly debit or credit the rupee balances in the account.

In case the customer keeps the funds in E-Rupee form and created a link between his normal account with a Zero Balance,  then there can be a E-Rupee Exchange mechanism where by the UPI request can be directly routed to the E-Rupee Clearing house along with the destination Bank identity where the credit can be  given either to the E-Rupee account of the receiver or to his regular account.

In such  a system all existing Checking accounts would be like “BSPs” or “Banking  Service Providers” where digital instructions pass through automatically. Any need to convert the E-Rupee  into physical  cash can be routed through the regular account where as Bank to Bank transfers can be conducted through E-Rupee exchange system.

We need to explore if such a system may be helpful in reducing Banking costs and reducing the frauds.

Request views of experts on whether this makes sense.

Naavi

It is legally correct to say that DPDPA does not directly impose any liability  directly under the Act to Data Processors. The law only mandates that the Data Fiduciaries shall be responsible even for the processing done by the Data Processor.

It is however not ethical for Data Processors to think that they have no responsibility towards the data fiduciary being in compliance with the law. If necessary they have to take the lead and alert the data fiduciary if there is any risk of non compliance. This also makes prudent commercial sense since if there is a penalty on the data fiduciary and his business is shaken, the downstream data processor may also lose an opportunity to grow with the data fiduciary.

Currently the Data Fiduciary enters  into a contract to protect his responsibilities under DPDPA and  directs the Data Processor on how to process the  data in compliance with the DPDPA.  The Data Processor Contract therefore is not limited  to the commercial benefits or functional requirements but should have a clear description of the Data Processing responsibilities.  A DPDPA compliant Data Processing Contract will therefore have necessary data protection related clauses.

Though DPDPA might not have specified liabilities to the data processor directly, it should be recognized that Section 72A of ITA 2000 creates a liability for the data processor if a Data Processing Contract involving “Personal Data” is violated.

Recognizing the need therefore for Data Processors to be responsible for DPDPA Compliance, FDPPI promotes that a Data Processor should take measures to be compliant with DPDPA as if he is a “Deemed Data Fiduciary”.

In this context DGPSI (Data Governance and Protection Standard of India) has introduced a variant framework DGPSI-Data Processors exclusively to address the need for Data Processors to be voluntarily compliant with DPDPA.

The DGPSI-DP as it is being referred to adopts the unique principle that  “A Data Processor inherits the responsibilities of the data fiduciary through  the contract”. Under this principle, Data processor should look through the contract as if it is a transparent glass and  view the DPDPA on the other side.

Since many data processors are bigger than the data fiduciaries themselves, the voluntary adoption of DGPSI-DP by them will provide confidence to the Data Fiduciaries to use their services. This is ideal for such businesses who run a “Platform” for a specialized data processing service and invite data fiduciaries to use them.

According to the inheritance principle, a Data Processor of a Significant Data Fiduciary is a “Significant Data Processor” and needs to show the same level of responsibility that the Significant Data Fiduciary is expected to show.

As a part of this, the  Data Processor depending  on the volume and sensitivity of data processed by him cumulatively as an organization,  needs to conduct a DPIA, designate an internal DPO and also conduct external  Data Audits from time to time.

The DGPSI-DP is built therefore to reflect both the contractual obligations without losing sight of  DPDPA  liabilities.

We therefore urge all Data Processors to start understanding the essence of DPDPA and take steps to be in compliance. They should also realize that every Data Processor will himself be a Data Fiduciary to the  extent of the Data of employees. Hence there is no clean escape  from DPDPA for any Data Processor. They can however explore the DGPSI-HR as a framework for their manpower related obligations while looking at DGPSI-DP for compliance related to their data processing Contracts.

Hence, emancipated Data Processors should look for a combination of DGPSI-DP and DGPSI-HR  and this will be a hallmark of Ethical responsibility that an organization may exhibit in terms of certifications.

In the coming days we should not be surprised if ISO certification marks may be replaced with DGPSI certification marks on the  websites of responsible companies as a symbol of assurance.

Naavi