In this insightful interview, Vijayashankar Nagarajarao, popularly known as Naavi, shares his extensive expertise in cyber law, data privacy, and India’s evolving data protection landscape. As the Founder of the Foundation of Data Protection Professionals in India (FDPPI), Naavi has been a pioneer in shaping privacy standards and compliance frameworks like the Digital Personal Data Protection Standard of India (DGPSI). With over four decades of experience in banking, advertising, cyber law, and data protection, Naavi brings a unique perspective on how organizations can effectively implement India’s Digital Personal Data Protection Act (DPDPA) to build a strong data protection ecosystem. In this conversation, he reflects on the law’s strengths and challenges, the role of industry bodies, and the importance of indigenous frameworks tailored to India’s unique context.
Who is Vijayashankar Nagarajarao (Naavi)?
Vijayashankar Nagarajarao, popularly known as Naavi, is a skilled expert in cyber law and data privacy with over 40 years of experience. He began his career in banking, where he learned about the importance of confidentiality, and later moved into advertising and marketing before focusing on cyber law consulting and education. As one of the early leaders in India’s cyber law field, he founded Cyber Law College and the Foundation of Data Protection Professionals in India (FDPPI) to promote data protection awareness, training, and certification. Naavi developed important compliance frameworks like DGPSI, which combine legal guidance with practical technical implementation tailored to Indian businesses under the DPDPA. He currently serves as Chair Professor for the AI Chair at FDPPI, driving efforts to integrate emerging technologies with privacy compliance. His work blends legal expertise, governance frameworks, and public advocacy to help establish India as a leader in data protection.
Q1. Can you share your professional journey and how it led you to focus on data privacy?
Vijayashankar: My professional journey has been a combination of four distinct parts, namely the Banking career for 13 years, Advertising and Marketing Career for 11 years, Cyber Law Consultancy and Education career followed by Privacy and Data Protection for the next 25 years till date.
The first part of my career was as a Banker starting in 1973 where it is a common law principle that customer’s personal data is “Confidential”. Though the term “Privacy” was not prevalent in that era, the principles of “Confidentiality” and disclosure based on legal compulsion or customer consent were already understood in the Banking circles.
In the second part of my professional journey I was in Advertising and Marketing where the “Profiling” of customers was an essential part of the activity to structure appropriate communication to create “Awareness” and “Desire to buy”. Today these are the central areas of conflict for Privacy but Advertising industry lives on such analysis of customer behaviour. During this period Internet made its entry in India and Naavi developed focus on E Commerce.
The third part of my career started with Cyber Laws and addressing Cyber Crime issues where the consequences of data misuse, data theft etc became the center of my activity. In 2000, Naavi started Cyber Law College as the first dedicated Cyber Law Education center in India and devised a curriculum which included Domain Name laws, US Privacy Laws such as COPPA and HIPAA. The HIPAA trainings were the first serious step into the area of “Privacy” some time in 2005-2006.
During this stage I had already started a campaign for “ITA 2000 compliance” which resulted in the framework IISF 309 for implementation and audit of ITA 2008. (Version of ITA 2000 after the amendments of 2008-2009)
Subsequently the major turnaround was around 2017, a year before GDPR was to become enforceable, when Naavi started highlighting the Compliance requirements in Indian tech industry. Since May 2018 I have been into GDPR compliance consultancy and my online training programs on HIPAA, ITA 2000 and GDPR went on stream on the virtual platform of Apnacourse.com.
In September 2018 we launched FDPPI (Foundation of Data Protection Professionals in India) formally as a Section 8 company and it became the next platform for all my activities. We started our training programs the moment the first draft PDPB 2018 was available and have been continuously upgrading the trainings into a Certification model which today is in the form of C.DPO.DA.
Simultaneously, after 2000, Naavi stepped into developing a compliance framework called PDPSI (Personal Data Protection Standard of India) which today has evolved as DGPSI (Digital Personal Data Protection Standard of India).
Education, Consultancy and Audit have become the main activities of Naavi and most of Naavi’s activities under Naavi.org and Cyber Law College were merged with FDPPI.
To summarize, Naavi’s journey started as a Banker and travelled through Advertising and Marketing into Cyber Law and further evolved into Privacy related activities.
Naavi.org was the first Virtual platform built by Naavi to promote awareness of Cyber Law supported by Cyber Law College for formal Cyber Law Education before the know how was transferred to formal law colleges. Presently, FDPPI is the platform for both awareness building, implementation consultancy as well as Audit and Certification for which Naavi has tried to get nearly 500 professionals to come together.
Most recently, Naavi has assumed responsibility as Chair Professor For AI Chair created at FDPPI and would try to push the AI for Privacy and Neuro Rights for Privacy as futuristic agenda.
Q2. What do you like most about DPDPA?
Vijayashankar: India was waiting for a formal law on Personal Data Protection for a long time. Though ITA 2000 itself had most of the provisions that a Data Protection Law tries to address and could have been effectively amended to include Data Protection, the lack of vision both at the industry level and the Government forced a new law on Privacy.
The draft of Personal Privacy Protection Bill of 2008 was a good attempt which did not get through the Parliament. Justice Srikrishna had provided a reasonably good draft which unfortunately got changed because Government wanted to accommodate industry views. This tendency to get consensus of the industry diluted the law substantially and DPDPA represents the most industry friendly version of such laws, though the industry is yet to accept even the diluted version.
What we should like DPDPA for is that it has placed complete faith on “Consent” as the legal basis though being flexible enough to accommodate legitimate use and National Security considerations.
The second most laudable feature of the law is the concept of “Consent Manager,” though it is being implemented in a manner in which it was embedded in the law by Justice Srikrishna in his draft. It will take a few years for the Government to understand the beauty of the concept of “Consent Manager” before necessary adaptations are made in the rules.
The third laudable feature was the introduction of the concept of “Mandatory Data Audit” which has enabled a new set of Data Audit professionals to emerge in due course.
The law otherwise maintains the standard features of defining “Obligations” and “Protection of Rights of Data Principals”.
The approach of the law to define entities as “Fiduciaries” is a master stroke which makes the data processing industry accountable under the law itself unlike other laws where the entities were dubbed “Controllers”. The “Trustee type” role of a data fiduciary has the capability of absorbing all lacunae in the law.
As a result of the Data Fiduciary concept, the law is able to circumvent the shortcomings in defining the law as “Digital Personal Data Protection law” instead of “Privacy Protection Law”. Had the word “Privacy Protection” been used to define the philosophy of DPDPA, the Government would have entered the grey areas of “defining the right to privacy” which the judiciary may interpret in its own way at different points of time.
The approach of “Significant Data Fiduciary” being defined instead of “Sensitive Personal Information” is also a great thought which does not allow developments in technology to frustrate the law.
It may take more time for the industry to appreciate the benefits of the “Fiduciary” approach to law but in due course the world will appreciate DPDPA as “Viswa Guru for Data Protection Laws”.
Q3. What do you dislike most about DPDPA?
Vijayashankar: It is easy to pick holes in the laws but I would rather like its positive features to be appreciated.
One may say that the law does not give a detailed prescriptive guideline. I am however, happy with this approach since it gives more scope for Companies and Consultants to design their own ways of protecting Privacy.
If an organization wants to process personal data it has to be responsible enough to understand what the requirements of a “Data Fiduciary” are and how the “Risks” in the perspective of Data Principal’s Privacy can be identified and protected. If companies expect templated prescriptive law, then they do not deserve to be in the market doing independent business.
One area where the law leaves some legal loopholes can be in the handling of Minor’s data and in providing nomination of personal data. But these can be covered through proper interpretation of the law.
Q4. How has India’s DPDPA reshaped the landscape of data protection?
Vijayashankar: Since DPDPA redefines the provisions of Section 43A (ITA 2000) with a lot more details and higher penalties, it would introduce a new era in the Indian data processing industry. If we can have a strong Data Protection Board, without doubt Indian data protection landscape will be entering a new era.
However some of the concepts of the law such as the “Fiduciary”, “Consent Manager”, “Data Audit”, “Nomination”, “Exempting foreign personal data processing” etc. can be guidelines that may influence the global data protection scenario also.
Q5. You’ve been a pioneer in India’s cyber law and data privacy space for years. What motivated you to focus on this area so early, before data privacy became mainstream?
Vijayashankar: I have always felt that to be a leader in an area, one has to be in the domain since its birth. I started my journey into Cyber Law when a committee first recommended the law some time before 1998. Such early entry gives us an opportunity to understand the legislative intent and build it into our interpretations. It is for this reason that I have the confidence to say that what I “Advise” today is “Jurisprudence” tomorrow.
To give an example, my interpretations on Section 65B of Indian Evidence Act were given in 2000 and introduced in the Court in 2004 but it took up to 2012 for the Supreme Court to publish its concurring view point. In the intervening period, I had to hold my fort against criticism and ultimately I was proved right. Similar situation may come when DGPSI interpretations will get published as our advice for better compliance, but would be resisted and opposed by others but eventually prove itself as a correct approach.
Q6. What inspired you to launch FDPPI, and how does it advance India’s data protection ecosystem?
Vijayashankar: The initial inspiration was to address the panic the industry felt with the advent of GDPR with astronomical fines, and fear of extra territorial application. Subsequently when the new law came in India it was a natural transition.
Q7. How does the DGPSI framework differ from global standards like GDPR or ISO?
Vijayashankar: GDPR is a law and ISO is a best industry practice. GDPR requires to be implemented in the technology environment and ISO can be one of the tools that can be used in GDPR implementation. Compared to these, HIPAA is a different framework. It is a law that has a prescriptive guidance built into the law itself as “Security Standards and Implementation Specifications”.
DGPSI has been developed by incorporating the best principles from all these laws or standards.
DPDPA compliance is a “Legal Requirement”. Unfortunately, laws are not clear prescriptions. They are subject to interpretations. While HIPAA is detailed and has a clear prescriptive format, DPDPA is “Principle Based” and does not contain the same level of granularity as HIPAA.
Hence DGPSI is designed as a “Prescription” for DPDPA Compliance. Under GDPR when we are in doubt of what the law intends, we refer to the accompanying document namely the “GDPR Recitals”. While the “Articles” are the law, “Recitals” provide some explanations. DGPSI serves the purpose of providing such additional clarity for interpreting the sections of DPDPA. It adopts the approach of HIPAA to the extent that “Model Implementation Specifications” are like “Addressable Implementation Specifications” whereas “DGPSI Principles” are like broad standards.
DGPSI differs from other frameworks in the fact that in its “DGPSI Lite Version”, it is a section by section compliance like the HIPAA Privacy/Security rule. In the “DGPSI full” version, it combines certain Governance principles as part of the implementation specifications.
DGPSI framework stops at “Principles” and “Implementation Specifications”. However more detailing of how the “Implementation Specifications” may be customized has to be done by individual consultants on the basis of the context and based on a Risk Analysis.
DGPSI Lite is a very practical solution which can be used as implementation guideline. DGPSI Full version is used both for implementation as well as for Audit leading to Certification and Assessment in terms of the DTS (Data Trust Score). It covers not only the needs of DPDPA compliance but also compliance related to ITA 2000, BIS draft guidelines of Data Governance and some unique features like Data Valuation and Distributed Responsibility.
The “Process Based” compliance system suggested by DGPSI is an innovative system that can revolutionize compliance compared to the enterprise based system adopted by other frameworks.
There is no global framework which is comparable to DGPSI.
Q8. What’s your overall assessment of the Digital Personal Data Protection Act (DPDPA)? Does it meet the standards you envisioned for India’s privacy framework?
Vijayashankar: If we expected the law to be prescriptive and meet the expectations, we can say that it has not fully met the expectations.
But if we accept that the law will not be prescriptive and it is left to the industry to develop their own best interpretation, then we need to be satisfied with what is presented and work for fulfilment of our expectation through Risk Recognition and Risk Management. In this view, the basic foundation provided by the law is sufficient, and the rest of the objectives may be achieved at the time of implementation.
Q9. What do you believe will be the biggest challenges for Indian companies as they work toward DPDPA compliance?
Vijayashankar: One of the biggest challenges for Indian companies is to unlearn what they have been fed with as GDPR compliance in the last few years and the pressure from their global business partners to implement what is familiar to them. The local companies need to develop the conviction that DPDPA is not GDPR and its implementation is different from GDPR, but it is robust and should be implemented independently.
Q10. What advice would you give to India’s DPOs, CISOs, and compliance teams preparing to align with DPDPA?
Vijayashankar: Focus on “Classification of Personal Data”, segregate the DPDPA Protected Data from others so that the Indian law can be applied to them without conflict with other laws. Use a Centralized Personal Data storage system so that each data set can carry a unique identification. Follow the process based compliance plan. It is like the bottoms up approach in management.
Q11. What expectations do you have from India’s Data Protection Board and other regulatory bodies in terms of enforcement and guidance?
Vijayashankar: DPB will be actively receiving complaints through the website. Initially it may not impose heavy fines. Everything depends on the individuals. It is too early to place any expectations.
Q12. Do you believe Indian consumers fully understand their data rights under DPDPA? What steps can improve public awareness?
Vijayashankar: This is an ongoing exercise. At present, there is low appreciation of the importance of the protection of personal data. The efforts have to continue. Organizations like FDPPI need to be encouraged by the Government to impart the right kind of knowledge.
If Cyber Law Awareness is still an ongoing exercise, Privacy awareness will take an equal time.
Q13. What role can industry bodies like FDPPI play in supporting companies and professionals through India’s DPDPA rollout?
Vijayashankar: FDPPI is already involved in awareness creation, interpretation of laws and providing a framework of implementation. This will continue.
Q14. Your book Guardians of Privacy has been an important contribution to India’s privacy discussion. What key message do you hope readers take away from it?
Vijayashankar: Guardians of Privacy is a management oriented discussion of the DPDPA related issues. Hopefully, it will bring the Business Managers to provide a higher degree of attention to the Data Protection activities in the organization.
Q15. What part of your work or advocacy are you personally most proud of, and what legacy would you like to leave for India’s privacy community?
Vijayashankar: The development of a framework for compliance in the form of DGPSI, which is a combination of legal interpretation and practical technical implementation, is the part of my work that I would expect the industry to appreciate in due course of time.
In the process, I have advocated a school of thought that considers DPDPA as an Indian law requiring an Indigenous approach, which is different from the globally acclaimed GDPR or ISO frameworks. I hope that this will make India the leader in the Data Protection scenario instead of being only a follower of the Western thoughts of data protection expressed through GDPR and ISO 27001.
Q16. In your view, what privacy initiative holds the most promise for shaping India’s data protection future?
Vijayashankar: It is necessary to adopt AI to compliance of DPDPA in such a manner that most SMEs/MSMEs would consider it possible to remain compliant without much effort. The AI Chair initiative of FDPPI can work in this direction, provided others join hands with FDPPI.
Q17. How do you see DPDPA evolving over the next few years, and which areas do you think may be updated or strengthened?
Vijayashankar: DPDPA is a consent-based system, and what needs to be developed is a strong network of Consent Managers who represent different groups of data principals and protect their Privacy rights.
Closing Summary
Throughout this interview, Vijayashankar Nagarajarao (Naavi) shares clear and thoughtful insights about India’s journey in data privacy. He explains how privacy has evolved from basic confidentiality to more modern responsibilities under the DPDPA, highlighting the law’s practical and industry-friendly approach. Naavi emphasizes the need for Indian-specific frameworks like DGPSI that fit local conditions instead of just copying global laws like GDPR. He openly discusses areas where the law can improve, such as protecting minors’ data, and encourages companies to adopt risk-based and principle-led privacy practices. His work with FDPPI and education shows his long-term vision for building a strong privacy system in India, including using AI and new technologies responsibly. Overall, Naavi offers a balanced and practical way forward to strengthen data protection in India, helping build trust and compliance in the digital world.