FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 33, column 0: Use of unknown namespace: com-wordpress:feed-additions:1 (10 occurrences) [help]
```
<site xmlns="com-wordpress:feed-additions:1">44280636</site>	<item>
```
line 493, column 0: content:encoded should not contain data-type attribute [help]
line 493, column 0: content:encoded should not contain data-id attribute [help]
line 497, column 0: content:encoded should not contain fetchpriority attribute [help]
line 497, column 0: content:encoded should not contain decoding attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-attachment-id attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-permalink attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-orig-file attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-orig-size attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-comments-opened attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-image-meta attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-image-title attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-image-description attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-image-caption attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-medium-file attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-large-file attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain sizes attribute (2 occurrences) [help]
line 497, column 0: content:encoded should not contain data-recalc-dims attribute (2 occurrences) [help]

Source: http://www.naavi.org/wp/?feed=rss2

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:georss="http://www.georss.org/georss"
xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
>
<channel>
<title>Naavi.org</title>
<atom:link href="https://www.naavi.org/wp/feed/" rel="self" type="application/rss+xml" />
<link>https://www.naavi.org/wp</link>
<description>Towards building Cyber Jurisprudence in India</description>
<lastBuildDate>Sat, 28 Jun 2025 02:56:14 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<image>
<url>https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2015/08/cropped-naavi_lecture2.jpg?fit=32%2C32&ssl=1</url>
<title>Naavi.org</title>
<link>https://www.naavi.org/wp</link>
<width>32</width>
<height>32</height>
</image>
<site xmlns="com-wordpress:feed-additions:1">44280636</site> <item>
<title>Taking Control of Cookies under DPDPA</title>
<link>https://www.naavi.org/wp/taking-control-of-cookies-under-dpdpa/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Sat, 28 Jun 2025 02:56:14 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18498</guid>
<description><![CDATA[For DPOs in India, one of the grey areas of compliance to be managed is the “Cookies Consent”. Normally the Cookies are hosted on the website and the website is managed by the IT department. The content on the website … <a href="https://www.naavi.org/wp/taking-control-of-cookies-under-dpdpa/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
For DPOs in India, one of the grey areas of compliance to be managed is the “Cookies Consent”.
Normally the Cookies are hosted on the website and the website is managed by the IT department. The content on the website is often written by the marketing department and contains company promotion and product promotion information. The marketing department may have a close watch on the content to ensure accuracy of product information. 
The websites also contain the “Privacy Policy” and “Terms of Use” which are typically managed by the legal department. 
In the case of listed companies, a part of the website contains investor information which is mandated by SEBI.
It is a tradition to have the “Privacy Policy” of the company displayed on the website along with the “Terms of use” and the contact details of the help desk, the Grievance officer and the DPO or Compliance officer. 
For the public, the website is the first contact point for knowing the company and if there is no mention of a DPO or a Compliance officer or a Grievance officer, the inference is that the company is not fully compliant.
CISOs recognize that website is exposed to the public and hence could be a source for cyber attacks some of which may have reputational damage by defacement or more seriously, implanting of malware in the source code of the website. There have been many instances of content being manipulated, images being substituted or invisible spamming activity occurring through hidden pages on the website. Domain name re-directions, domain name squatting, etc are also considered security risks and hence a continuous monitoring of all pages of the corporate website is required to be monitored by the Information Security department for any modification.
The “Domain Name” and the website is also considered an important “Financial Asset” of a Company, and has IPR value. The CFO also has a stake on the brand value value of the domain and the value of the content as well as the traffic.
Thus, the website of a company serves many purposes and there are multiple stakeholders who are responsible for the content and directly or indirectly create liabilities for the organization.
Governance of a website is therefore an important corporate activity. 
However, it is a common practice for most companies to register domain names and host the website with an external agency. Many of them use Cloud applications managed by different agencies. The hosting companies suggest statistical analysis and profiling of visitors. They also suggest certain monitoring of the visitors from the point of view of enhancing the user experience. Additionally the marketing companies try to use Google Analytics or other agencies to plant their own trackers and generate insights. With the use of AI in the background, we never know exactly how the information of the users may be used by these background agencies.
It is in this context that managing “Cookies Consent” assume importance. If the cookies collect any personal information of the visitors of the website, then the provisions of data protection laws may become applicable. The problem with a website is that anybody in the world including from over 140 countries which have specific data protection laws, may visit the website and the cookies may be collecting various information from them. 
Currently DPOs donot consider it essential to treat the “Web hosting” company as a “Data Processor” and handle the data protection obligations. If the hosting is outside a country, there may also be a “Cross Border Data Transfer” issue to be resolved.
It is time for DPOs to get details of Cookies including what data each cookie collects, how long the information is stored and what is the purpose of each of the data elements that is collected. 
If a Cookie is tagged as “Essential” or “Functional”, there is no need for it to be a persistent cookie nor to have the personal information such as the email address or name of the person even if it is available at log in. Every cookie that collects “Personal Information” is essentially a “Profiling tool”. The profiling itself may have a “Security Purpose” or a “Marketing purpose”. “Security” may be considered as a legitimate purpose but “Marketing” may not be.
Hence the Consent management has to understand and distinguish the type of data each cookie collects and display it on the website and not restrict the cookie information only to the “Name of the cookie” and its classification as “Analytical”, “Marketing” or “Functional”.
The DPO s need to take control of the Cookies and “No cookie should be installed on the website without the specific permission of the DPO”. If there is any “Profiling” of the visitors, then it has to have a proper legal basis with “consent” for marketing. “Security Profiling” of visitors may be considered as “Legitimate Use” but it has to be ensured that “Security profiling” is not converted into “Marketing profiling” either through ignorance or design.
I recall my own experience captured in the article <a href="https://www.naavi.org/wp/union-bank-and-rsa-fiasco/">“Union Bank and RSA Fiasco”</a>, where I have highlighted that a “Security Scanning” may be mis understood if the security team is blindly following automated systems of profiling
I therefore urge DPO s to start exercising greater control on the web hosting and planting of cookies and obtaining the cookie consents as part of their compliance exercise. The current method of Cookie Consents which are followed under GDPR regime which simply asks for consent on the basis of a declaration such as “Accept All Cookies” or “Accept Functional Cookies only” etc., are insufficient. The Cookie consent has to list out each cookie, indicate the data elements collected, the purpose of collection and retention periods and obtain consent in a more informed manner.
Comments are welcome.
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18498</post-id> </item>
<item>
<title>The D-Day</title>
<link>https://www.naavi.org/wp/the-d-day/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Sun, 22 Jun 2025 04:26:24 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18495</guid>
<description><![CDATA[This is just to record the night of 21/22nd June 2025, IST as an important day of our generation when we might have seen the closest to a World War 3 scenario. India successfully conducted the Sindhur operations a few … <a href="https://www.naavi.org/wp/the-d-day/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
This is just to record the night of 21/22nd June 2025, IST as an important day of our generation when we might have seen the closest to a World War 3 scenario.
India successfully conducted the Sindhur operations a few weeks back and hit Pakistani nuclear facilities significantly. But inside these facilities the US was hurt and moved into force a ceasefire before the final assault.
In Iran however, the same USA has moved in to neutralize the nuclear capabilities of Iran. Though the blow could be crippling, the counter action could create lot of problems to US in the form of terrorist attacks the way India has been bled for decades by Pakistan.
Neutralization or debilitation of terrorist forces anywhere in the world is welcome and as responsible global citizens we need to take note of this day as one of the most important day of our life.
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18495</post-id> </item>
<item>
<title>Free DPDPA Evaluation for Select Companies</title>
<link>https://www.naavi.org/wp/free-dpdpa-evaluation-for-select-companies/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Sat, 21 Jun 2025 03:27:26 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18490</guid>
<description><![CDATA[DPDPA Compliance is a complex process which requires discovery of personal data to which the act is applicable, Classifying it appropriately, understanding how the different sections of the Act apply to the data and determining what risks of non compliance … <a href="https://www.naavi.org/wp/free-dpdpa-evaluation-for-select-companies/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
DPDPA Compliance is a complex process which requires discovery of personal data to which the act is applicable, Classifying it appropriately, understanding how the different sections of the Act apply to the data and determining what risks of non compliance exists, what Governance and Technical measures are to be initiated to mitigate the risks.
Many companies might have already initiated some measures in this regard. Many companies are developing products and services to assist the companies for compliance. 
In this scenario, FDPPI as the apex organization promoting DPDPA Compliance has initiated a project to provide One free assessment of DPDPA Compliance for any Company in India per week (Till the scheme is withdrawn at its discretion).
The assessment requires one online session of around 90-120 minutes with the DPO or equivalent senior management person who may be assisted by others in the company. During the session, Naavi will conduct an online evaluation interview with appropriate questions and record the answers. 
Based on the answers provided, an evaluation report would be issued.
The evaluation would be based on the celebrated DGPSI system used by FDPPI.
There are no strings attached to this free offer which is a near substitute for a Gap Assessment which would normally cost a few lakhs for any company.
The offer is based on requests received and on first cum first served basis. Once the requests are received, the interviews would be scheduled appropriately. Initially around 12 bookings would be accepted for the next 3 months and a decision will be taken on its continuance.
We invite interested DPOs to contact through <a href="mailto:naavi@fdppi.in">email to Naavi</a> . Kindly use the subject line “Free DPDPA Assessment”.
Naavi
P.S: I have received a query about why FDPPI is giving this assessment free even if it is for one company per week. 
I would like to state that there are two objectives.
<ol>
<li>To remove the fear about DPDPA Compliance.</li>
<li>To prevent companies being mislead.</li>
<li>To provide an indication for Cyber Insurance readiness for DPDPA risk</li>
</ol>
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18490</post-id> </item>
<item>
<title>Name “Air India” attracts Risks of its own</title>
<link>https://www.naavi.org/wp/name-air-india-attracts-risks-of-its-own/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Mon, 16 Jun 2025 02:53:36 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18487</guid>
<description><![CDATA[The Air India crash has a distinct signature of what experts call as a near improbable total two engine failure. However this also significantly increases the possibility of an “Electronic Sabotage” which could have caused the fuel cut-off or hydraulic … <a href="https://www.naavi.org/wp/name-air-india-attracts-risks-of-its-own/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
The Air India crash has a distinct signature of what experts call as a near improbable total two engine failure. However this also significantly increases the possibility of an “Electronic Sabotage” which could have caused the fuel cut-off or hydraulic failure etc which the experts indicate as a possible reason.
Though Air India is no longer a national carrier and is as much private as any other airline, the perception is that its reputation good or bad is linked to the reputation of India. Hence the enemies of India both within the country or outside target the airline to indirectly bring down the reputation of Air India. Hence Air India faces an “Enemy Risk” which other airlines donot face. 
Since today’s aircrafts are all controlled by electronics, the safety of the aircraft is very much dependent on the safety of the electronic systems just like controlling a large computer network. It appears that there needs to be a CISO for every aircraft. 
The more we think Air India is the nation’s pride, the more attention we would attract of Pakistani terrorists. 
One of the Risk management strategies for the airline now is to change its name though it would be a sad decision to take. 
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18487</post-id> </item>
<item>
<title>Valuation of Data upheld by a Court</title>
<link>https://www.naavi.org/wp/valuation-of-data-upheld-by-a-court/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Sun, 15 Jun 2025 06:49:33 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18485</guid>
<description><![CDATA[In an interesting decision of the UP State Consumer disputes redressal Commission, WhatsApp has been considered as a “Paid Service” with the payment having been received in the form of personal data shared by the account holder. (Refer: article the420.in) … <a href="https://www.naavi.org/wp/valuation-of-data-upheld-by-a-court/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
In an interesting decision of the UP State Consumer disputes redressal Commission, WhatsApp has been considered as a “Paid Service” with the payment having been received in the form of personal data shared by the account holder.
(<a href="https://the420.in/amitabh-thakur-whatsapp-consumer-rights-case-up-state-commission-game-changing-verdict-on-free-apps-data-as-payment/" target="_blank" rel="noreferrer noopener">Refer: article the420.in</a>)
Naavi has been advocating the “Data Valuation” as one of the essential features of Data Management in a company and valuing of data and its disclosure is a recommended procedure under the DGPSI (Data Governance and Protection Standard of India) framework of compliance.
The exact value of the data may be under dispute but the fact that data has a a value is indisputable. In this case, the value of the data has not been specified in rupee terms but whatever is the benefit used by WhatsApp is to be treated as the consideration passed.
Hope Income Tax and GST is not applicable !
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18485</post-id> </item>
<item>
<title>Is Ahmedabad Crash an act of hacking?</title>
<link>https://www.naavi.org/wp/is-ahmedabad-crash-an-act-of-hacking/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Sat, 14 Jun 2025 03:11:02 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18482</guid>
<description><![CDATA[For a long time there has been a discussion on whether the computer systems of an aircraft can be manipulated through external interference. The tragic Ahmedabad plane crash will revive this discussion since there are certain indications of the possibility … <a href="https://www.naavi.org/wp/is-ahmedabad-crash-an-act-of-hacking/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
For a long time there has been a discussion on whether the computer systems of an aircraft can be manipulated through external interference.
The tragic Ahmedabad plane crash will revive this discussion since there are certain indications of the possibility of such sabotage. 
Apart from the social media watchers who are revealing some earlier X posts to suggest a terror plan, astrological analysis of the event also indicate the possibility of sabotage. 
It is time the technical concerns, media concerns and astrological concerns may all be put to test with the investigations of the crash.
Let’s us watch the developments.
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18482</post-id> </item>
<item>
<title>When Do Cookies become an issue under DPDPA?</title>
<link>https://www.naavi.org/wp/when-do-cookies-become-an-issue-under-dpdpa/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Thu, 12 Jun 2025 08:16:30 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18477</guid>
<description><![CDATA[We are all aware that Cookies are hosted on websites and they collect some technical information from visitors. Normally cookies are implanted in the user’s system through at a location assigned by the browser. It is a text file and … <a href="https://www.naavi.org/wp/when-do-cookies-become-an-issue-under-dpdpa/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
We are all aware that Cookies are hosted on websites and they collect some technical information from visitors. 
Normally cookies are implanted in the user’s system through at a location assigned by the browser. It is a text file and may contain some information. 
The session cookies are those files which exist during a session and are automatically cleared when the session ends. Persistent cookies are those cookies that remain in the system and are available for future reference.
When a person visits a websites, a “Cookie Consent” is taken in which normally an option is given to provide consent for “Necessary Cookies”, “Statistical Cookies” and “Marketing Cookies”. Necessary cookies are normally mandatory while others can be optional. 
When the person visits the same website again, the web server checks for the existence of the cookie related to the webserver using the cookie identity. Once it is found, it may use the information there in, to record the current session as related to the previous session. The web server may keep its own record of the earlier session and therefore build a profile of the user in its systems. 
Certain cookies (mostly in the category of necessary cookies) are meant only to record the operating system, the browser used which are required for configuration of the web page. If it identifies the person as coming from a mobile, it may present a compatible page to enhance the viewer’s experience. If the information picked up is IP address, it can be analysed to identify the user’s location. Based on the location of the user, the content can also be modified.
In such uses the identify of the individual may not be required and hence the information may remain technical and statistical information of the “De-identified Personal Information” category. 
However it is possible that some cookies which are “Persistent Cookies” and not deleted after the session, may capture more identifiable data of the individual and store it for future use. In such cases, a question arises whether the Cookie is a “Personally identifiable information” as per the data protection laws such as GDPR or DPDPA.
If a person is normally visiting a website and does not provide any of the information such as his name, email address etc in the process, the Cookie can only access statistical and technical information. In such cases it may not be a “Personally identifiable information” . If however the web server maintains such data which is linked to some other identified data in its possession and can link the current session with the personal information already available with the server, then the cookie gathered information along with the available information together becomes personally identifiable and comes under data protection laws.
The consent to be taken by the web site therefore depends on what is the configuration of the Cookie and whether any personal data of the visitor is already with the web server and also whether the cookie is a persistent cookie or not.
If cookies are not “Secure Cookies” the data may be transferred on http connections without transit encryption.
Usually the web sites are managed by the hosting company and the data fiduciary may not have a clear understanding of what cookies are in place and what kind of parameters they collect. 
Hence it is necessary for DPOs to collect this information and construct their cookie policy appropriately. In particular we need to understand if cookies collect information that are of personal nature and whether any copies of such information are stored in third party accessible systems.
Currently websites take a consent which is not specifically explaining what is the purpose of the cookie, what type of information it collects, how long it retains, how it is used etc. Hence it may be necessary to list each cookie and obtain consent for each cookie separately. The current practice of taking the consent for all cookies or for categories of cookies like functional cookies or advertising cookies etc. needs to be modified forthwith.
If DPOs donot take control of the cookies on their websites, they may be a source of concern at any point of time. Cookie Control may be simple but needs to be managed along with a periodical audit. 
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18477</post-id> </item>
<item>
<title>The Nature of Business Requirement Document released by Meity for Consent Management</title>
<link>https://www.naavi.org/wp/the-nature-of-business-requirement-document-released-by-meity-for-consent-management/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Thu, 12 Jun 2025 04:13:28 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18474</guid>
<description><![CDATA[Medianama, a well known website has commented on the Business Requirement Document (BRD) released by MeitY with the following caption. “MeitY Explains How an Ideal Consent Management System Should Work Under DPDPA” The perception has been that MeitY has actually … <a href="https://www.naavi.org/wp/the-nature-of-business-requirement-document-released-by-meity-for-consent-management/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
Medianama, a well known website has commented on the Business Requirement Document (BRD) released by MeitY with the following caption.
<a href="https://www.medianama.com/2025/06/223-meity-guidelines-consent-management-system-under-dpdpa/" target="_blank" rel="noreferrer noopener">“MeitY Explains How an Ideal Consent Management System Should Work Under DPDPA”</a>
The perception has been that MeitY has actually released a guideline in extension of the DPDPA Rules on the Consent Management System more particularly for the Consent Managers.
We should however point out that this is a mis conception. The NeGD under MeitY has actually released this document to support a “Code Development Challenge” that it has floated for developing an open source recommendation for Data Fiduciaries. 
“Consent Managers” who register themselves with DPB are also data fiduciaries but their requirement goes beyond managing the consent. They are an intermediary with multiple Data Fiduciaries whose services are used by data principals. 
Further the BRD is a generic platform which requires to be customized by different data fiduciaries.
It is necessary to clarify the purpose of this document as otherwise there would be a difficulty for Data Fiduciaries who may think this is the final guideline from the Ministry.
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18474</post-id> </item>
<item>
<title>Consent Life Cycle for DPDPA Compliance</title>
<link>https://www.naavi.org/wp/consent-life-cycle-for-dpdpa-compliance/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Wed, 11 Jun 2025 07:03:48 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=18466</guid>
<description><![CDATA[“Consent” is the backbone of DPDPA Compliance. “Legitimate Use” is an exception and organizations need to cover as much of their management of Data protected by DPDPA through Consents. As a result most companies are now struggling to trace the … <a href="https://www.naavi.org/wp/consent-life-cycle-for-dpdpa-compliance/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
“Consent” is the backbone of DPDPA Compliance. “Legitimate Use” is an exception and organizations need to cover as much of their management of Data protected by DPDPA through Consents.
As a result most companies are now struggling to trace the life cycle of their “Consent Management Program”.
Consent management program has a close association with the Data Life Cycle in an organization. 
As per <a href="https://www.naavi.org/wp/reversible-life-cycle-hypothesis-of-the-theory-of-data/" data-type="post" data-id="9454">“Naavi’s Theory of Data”</a>, data in an organization goes through a “Reversible Life Cycle”
<img fetchpriority="high" decoding="async" width="450" height="379" data-attachment-id="18467" data-permalink="https://www.naavi.org/wp/consent-life-cycle-for-dpdpa-compliance/life_cycle_of_data/" data-orig-file="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/life_cycle_of_data.jpg?fit=720%2C606&ssl=1" data-orig-size="720,606" data-comments-opened="0" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="life_cycle_of_data" data-image-description="" data-image-caption="" data-medium-file="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/life_cycle_of_data.jpg?fit=300%2C253&ssl=1" data-large-file="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/life_cycle_of_data.jpg?fit=640%2C539&ssl=1" class="wp-image-18467" style="width: 450px;" src="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/life_cycle_of_data.jpg?resize=450%2C379&ssl=1" alt="" srcset="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/life_cycle_of_data.jpg?w=720&ssl=1 720w, https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/life_cycle_of_data.jpg?resize=300%2C253&ssl=1 300w" sizes="(max-width: 450px) 100vw, 450px" data-recalc-dims="1" />
The Reversible Life Cycle hypothesis of the theory recognizes that the status of Data in an organization is dynamic and starts from a No Data” status to “Data” which transforms into personal data, modified personal data, de-identified personal data, re-identified personal data etc until it is forensically erased and the storage medium returns to the “No Data” status.
When we try to identify a lifecycle for “Consent” for DPDPA Compliance, we need to recognize the birth of the Consent, its own development and extinguishing with the lifecycle of the personal data. 
For example, Consent takes birth when a notice is accepted and received by the data fiduciary. 
<div class="wp-block-image">
<figure class="aligncenter size-full is-resized"><img decoding="async" width="609" height="583" data-attachment-id="18468" data-permalink="https://www.naavi.org/wp/consent-life-cycle-for-dpdpa-compliance/consent_life_cycle/" data-orig-file="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/consent_life_cycle.jpg?fit=609%2C583&ssl=1" data-orig-size="609,583" data-comments-opened="0" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="consent_life_cycle" data-image-description="" data-image-caption="" data-medium-file="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/consent_life_cycle.jpg?fit=300%2C287&ssl=1" data-large-file="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/consent_life_cycle.jpg?fit=609%2C583&ssl=1" src="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/consent_life_cycle.jpg?resize=609%2C583&ssl=1" alt="" class="wp-image-18468" style="width:401px;height:auto" srcset="https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/consent_life_cycle.jpg?w=609&ssl=1 609w, https://i0.wp.com/www.naavi.org/wp/wp-content/uploads/2025/06/consent_life_cycle.jpg?resize=300%2C287&ssl=1 300w" sizes="(max-width: 609px) 100vw, 609px" data-recalc-dims="1" /></figure></div>
Prior to this stage, data exists in the company but not recognized as personal data. At this stage a data discovery process has to be initiated . The Consent lifecycle starts only when personal data is already there or is about to be collected. 
The birth of the consent starts with the Notice. The notice itself has a generative process starting with the recognition of the need of a set of data aligned to a business requirement. In other words, Business needs data, the Tech department shows how it can be obtained and then the collection mechanism gets activated. At this stage the legal department or the DPO generates the purpose specific notice and tech department hosts it in such form that the acceptance can be provided by the data principal before it enters the production zone for usage.
This itself is a sub process which involves sending of the notice, receiving confirmation, documenting the receipt, noting rejections, request for modifications etc. If we take this into consideration, the origin of consent starts with the business division, passes through the tech and legal divisions before it lands into the Privacy division/DPO.
Once the consented data is in storage, whether it is for one time use or repeated use depends on the consent and accordingly it has to be managed. The access control, retention and deletion etc also depend on the consent and that needs to be managed. Consent is also a reference document whenever the data principal tries to exercise his rights. Consent may have to be retained even beyond the principal data itself for dispute management purpose.
In the Indian context, the consent may also be provided by a recognized consent manager and hence management of consent collection and subsequent operations has to accommodate the consent manager as a third party.
Finally when the consent expires there has to be a mechanism for removing the data from production, archive it to the extent necessary and discard it when relevant. 
The Consent life cycle therefore starts with the “Drafting of the Privacy Notice” and goes through the collection, usage until expiry and disposal.
Once the personally identifiable data is irreversibly anonymised, it becomes “Non Personal Data” and goes out of the cycle. The reversible de-identification and pseudonymisation keeps the data in the status of a “Provisional PII” since they can be re-identified when required. The consent needs to support these activities. Since Consent is basically a permission to support a data processing operation, it is the purpose of consent which determines whether the data can be modified by the data fiduciary in any specific manner. If the purpose is over, the data is deleted and this deletion does not require a specific permission unless “Data Storage” itself is a service. Hence “Irreversible anonymization” is also a process which can be tagged to the completion of the purpose.
De-identification or Pseudonymisation for security purpose is also considered part of the permissions. “Disclosure of pseudonymised personal information” may not be strictly within the permission for processing and has to be handled with care. 
In certain cases the data may belong to more than one individual and may also be a transactional data on which the data fiduciary also has a stake. In such cases the purpose closure needs to be recognized only when all the owners have indicated closure of their respective stakes. 
Consent management process therefore needs to take note of all these complications.
Naavi
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">18466</post-id> </item>
</channel>
</rss>

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=http%3A//www.naavi.org/wp/%3Ffeed%3Drss2"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//www.naavi.org/wp/%3Ffeed%3Drss2

Home · About · News · Docs · Terms