 I think we already ended up doing a lot of discussion around compliance, laws and all that, and thanks Satish for that insight as well as Venkat for what work has been going on. So today's birds of feather, we wanted to focus on some key things. So there has been a lot of what do you say, mental interest that has been going on thanks to various regulations that are coming in. So we have the India PDP, we have the non-personal data, and now we have some guidelines coming around data sharing, there is this e-commerce law, there is something that the other act also says. So there is a bunch of things that are being spoken about at the same time, especially when it comes to the whole data governance and within data governance privacy as well as the non-personal data and all that. So just to clarify one of the things that we've been seeing around the world and we've been speaking about it as well is that there is a concept of a national law in which we typically call as the horizontal law. So you have to look at the India PDP as a national law where it is going to be so generic in nature that trying to make sense of it or trying to apply it to an industry is going to be a very tough challenge. So there has to be something that will come into the intermediary and that is how the national law works. So the intermediary is where regulated industries are going to come in. So somebody like RBI for banks and insurance will come out with its own set of rules in terms of how the privacy needs to work. People like the IRDA, SEBI will come out of their own rules similar to what we are seeing in the cybersecurity space now. So there is a national IT Act and then each industry has its own cybersecurity framework or rules as well which largely align but gives you more specifics. So as an example you have a right to delete situation in the India PDPV. So India PDPV may say right to delete is available for users as a right that they can exercise. The RBI may further come up and say hey yes you have a right to delete. However in a bank when you go for a right to delete it will likely be a right to forget and not really delete all the data. If you have an ongoing loan or an ongoing contract or you have an account with the bank then they will not be able to delete your data. They may be able to forget you from cross-sell, from sending additional mailers, marketing and all that and whenever it ends you may be able to delete all the data deleted with the condition that we need to store certain data for three years and all that. In the way going forward the same industry or the vertical regulator can also come up with saying hey you know the name of a person needs to be masked. So the India PDP may say this name need not be masked or is not sensitive, need not be encrypted but RBI may come and say no I want you to mask or I want you to encrypt. So that is where rules differ and therefore all our implementations and all need to take care of these configurations differently. Why we thought before we jump into the questions we should bring this out is because we've been hearing a lot of angst around the whole India PDP implementation and all and somewhere we realized that you look at a very generic statement in the India PDP and then everybody just wants to try and interpret it and implement which is going to be a tough call primarily because if you see GDPR also GDPR as per law and then there is an authority which keeps providing guidance. So unless the authority comes and a lot of things in the current bill is kind of leaving it to the authority. So unless the authority comes and really starts spelling out there is a lot of ambiguity that is going to be there plus the industry verticals that are going to come into this. So having said this and given this as a context to Satish and Venkat and anybody else who wants to answer as well. You know one of the initial questions and this is something that everybody has had in their mind is that we currently have so many different regulations that are coming up and speaking about privacy in a way or about data in another way like the NPD PDP. You now have a report from Mithi Ayog which says how data sharing can be done. You have various state governments, industry verticals, you have the regulators of industry then you have the CERTIN or the IT Act on other hand who have their own regulations that keep coming up. What challenges do you see especially from an India standpoint or even a global standpoint when you see, when you have data at the core of your business and you have two kind of look at compliances across so many different varieties. So Satish maybe you can go first and then we can have Venkat and anybody else who wants to contribute as well. Can you just rephrase the last question you asked? So when data is at the core of your business and you now have India PDP that comes then you have a non-personal data build that comes and your data is going to be a convergence of both. Correct, correct. Plus you now when you're working for telecom, telecom as a regulator has its own sets. You're working for an insurance aggregate, they have their own sets. So how do you look at compliance and how do you think this is going to work going forward especially for the data business? Well, I think last week we discussed on the same. So for data business I my take is it is it is becoming difficult and difficult especially a third-party data business then this whole thing. In the sense that is, see all the tech which you have built, it comes at a cost. And especially if you are in data business like Facebook or Google, it becomes another line item in their cost. But for a startup these all come at a cost and it is not like just a initial one-time cost. It keeps on accruing on a month-on-month basis with newer data set coming out and stuff like that. So that is one for a major inhibition and we have to somehow adjust the cost on the sales of the data. So that puts at a little disadvantage in terms of the actual data sales. That is one of the reasons many of these data companies are looking at more of a tool provider rather than being a data provider alone as well. Cross the spectrum. US is still not that strict. So if you look at any thriving data company, US would be the first market there. But in other market I think it is becoming more difficult with all these. But still if you have I would say access to a particular niche data set or a very niche algorithm, which you have some IP rights over it or you have some protection over it, then I still believe you can still be in business and charge a premium and kind of accommodate these whole things. But in terms of running a data business, definitely all these laws are going to make your code tougher going on. There is no second thought about it. Make sense. So like you said, yes, as the going gets tough, we will probably have to find out more workarounds to make sure it happens. Can't rule out business. Correct. And I think just like whatever Venkata showcase, right? The tooling and all has a very big opportunity there. It may not be for data business, but for any business actually. If you're building a SaaS tool which can help you in this compliance aspect using some tech, then that is a great opportunity if you look at it. Yeah. And I guess you just have to make sure that there are enough consumers to avail it as well. Yeah. I don't know what is this liability clauses. Venkat, you want to answer that? Yeah. With one of our customers, I actually signed a contract that says that I will go to jail and my company will shut down. Thankfully, the customer has ended and now we have actual lawyers looking at all the contracts. I think all startups at some point have done that. All the founders. Yeah. Many, many times startups don't have the specialized legal team as well. And if you're running a data business internally, a specialized legal team and this chief data protection officer or however you want to call them, chief security officer. So the founder is everything, no? The chief legal, the chief data officer, whatever. My customers and the prospects that I'm talking to, right? The cost of data overall, the complexity of the data systems, the cost of the engineers as well as the cost of compliance is growing very fast and the economics of the business isn't, it's not clear that it can support all of these huge costs. The ROI is a big question in my, you know, with a bunch of people that I'm talking to. Yeah. I think we have seen that kind of compliance costs coming up for the subness oxley as well. So it also had an initial very high and then somewhere they started leaving it now. This is Rohit here. You know, I feel, hello. Yeah. Yeah, this is Rohit. You see, I feel a data business is to be subject to post of compliance requirements, including registration, monitoring of operation and disclosure application. So this will increase operational data storage cost, you know, and hinder the ability of, say, especially Indian startups to develop their services. So, you know, create pervasive incentives for these companies to remain small, you know, it could be, you know, I'm just, if you want, I'll explain this from a proposed NDP bill, you know, because if you see the proposed NDP bill, proposes mandatory data sharing by anyone collecting the data above a certain threshold, you know. So under the proposed framework, if you see all these tech companies and organizations, they have to meet currently and they find a threshold limit of collecting data or process data, you know. So, you know, this is bound to increase and these businesses will be subject to post of compliance requirements, you know, like including registration and monitoring of operation and disclosure applications. So this is definitely going to increase operational data storage cost, you know. Yeah, so Rohit, just one thing, anyway, the entity is open for discussion right now, plus I think there's a bunch of representations already happening. So yes, I guess everybody understands there are issues there. But now I'm, I mean, right now in this forum, we're more interested in understanding that while all these compliances are there, how as companies or as a data business can people work towards it. So, so before you go forward, Rohit, Venkat, any news there because I mean, we started with compliance with different note, but then tapered off. So just wanted to check with you. What is the particular question? The question that I'd ask Satish in terms of multiple compliances coming in, how as a data business, we can gear up to manage and is it even manageable and is it even feasible? He was mentioning, I think about tools, results of visuals, and then we kind of moved off to a different set of answers. So just bring in back the topic. Correct. I think in my mind, at least I'm not so worried about whether the compliance is horizontal or vertical, vertical means you're just like what, how Satish built out the stack. There is a lot of clarity that this is exactly what needs to happen. And the same thing is, for example, the same set of rules apply for these account aggregators and things like that. My main concern around all of this is whenever I go into any enterprise environment, I find that it is very chaotic. The data engineers are very indisciplined. The data scientists are indisciplined. These analysts export data like crazy into Excel and we don't know after that what happens to the data. My main concern around all of this is we are dealing with a capacity challenge more than anything else. The people with the kinds of mindsets and understanding and the tooling skill to be able to build out all of this stuff. I mean, none of this thing is rocket science. If we put our heads together, we can think of processes tools and so on. The question is, when I meet all of the data engineers, I don't have the confidence in them that I can actually think through all of this stuff. How many Satish's are there in this country, for example? Right? So my emphasis has tended to be more on the people and the process and the organization front and on the technology front. Yes, I mean, it will help greatly if the tools are available, community-wide tools with the knowledge and things like that. But where are the people going to come from? Where are the privacy engineers going to come from? You should tell me. Good question. Even I have the same question. That's why we are trying to train as many people as we can so that at least we start building them up. Or maybe like Satish said, build tools more and probably that's the way to go because at least even in security, we are seeing the same thing. There are no security engineers around. Skills are scarce. Correct. And the other thing, there isn't to go down the tools path. I mean, I guess this by reading between the lines is that there is lack of trust intra-organization also, whether these processors tools are being applied properly and so on. So one reason they would they want to seek tools is that they want a system that is person-independent and something that is auditable by anybody in the organization at any point in time. Yeah, sort of works without bias. Works without bias and now I as a CEO, I feel a little more safer than handing this responsibility to my engineer who I have like doubts about at the back of my mind. Yes, very interesting. Rohit, you were also saying from a cost of compliance point of view, so while these multiple things are coming in, your view was that because of compliance is really going to go up. You want to elaborate on that? Yeah, I mean, if you see, because all these bills are instill and have not been implemented, so I personally feel companies will be subject to excessive compliance and data sharing framework. So when they are subject to this, so this is definitely going to increase the operational and data storage cost. And I'm just saying from a long-term point of view, you could see a lot of startups coming. So they will say it will create kind of a perverse incentive for them to remain small, because I'm just saying from the proposed NDP bill comes into picture, if it becomes a law, and when they talk about volume-based threshold, there's still a lot of ambiguity in that bill. So this kind of talk from volume-based threshold for compliance, it is going to have the same results with such kind of frameworks had for India's manufacturing sector. So the firms prefer to remain small because they don't want to get into the hassles of getting them. They simply want to avoid compliance. Yeah, so rather than being the enabler or the facilitator to create a level playing field, it actually creates a larger issue for people. Makes sense. So your related way, Satish, one question that I have is, now we are seeing a lot of the compliance related discussion happening from a regulation level. But what happens to industries that are not regulated, but are still having a lot of data related, like when you do analytics for let's say manufacturing company, or even to do sales forecasting and all. Now what happens there, and how critical is the whole privacy conundrum for these companies which are not regulated as well? Well, it's pretty fragmented, Samir. I'll draw from my experience when I was in my past companies where I was working in oil industry. So it is driven mostly by, see, most of the compliance is talking about you have around healthcare. That is one thing. And you have recent terms on telecom data. But if you go around it, it is mostly about a data which is related to a person, which is at the end of the day, the person is the crux, the person or a device which is identified to the person. But otherwise, I think it's pretty fragmented. People have their own internal policies. Sometimes there are vertical level policies, which helps you out there. But it is heavily fragmented, building a framework for that. Currently, in my opinion, would be kind of futile. You should be crossing the bridge when you're there. You're creating a niche for that particular vertical. Okay. Venkat, any other views on this? Or you have the same opinion? Hello? I think the economics of this data business is definitely changing. Whether the PDP law comes or not, whether the NDP law comes or not, worldwide, if you look at it, the concerns around data are growing across the board with or without the law. And lots of consumer driven enforcement is also at play. So in all cases, what we are talking about is increasing the data costs. It is not going to be the playground like it was for the past five to 10 years. You can't just produce a model. If you have a data system that is part of your product or your company, it better be defensible. Defensible to internal stakeholders, to your customers, as well as potentially to regulatory authorities. Nobody can escape that. I mean, the increased compliance cost is almost like a given. I think the question here in my mind is how many of the current companies and business models will survive this increased cost and how much of it will not? Because a lot of the costs have been externalized. For example, I know a unicorn in this city that is buying data that has been not exactly stolen, but the process is pretty close to it. Because the literacy level of the end users is very low. Now, if this unicorn were to be caught doing that, the impact on its valuation will be very significant. So those kinds of hidden costs are there in many hidden risks are there in organizations and we don't know how this will play out. A lot of it will work on the enforcement of the law itself. Interesting. So what in a way you are saying is what ties into what I wanted to ask next also is should businesses be worried about the whole privacy and security thing? Irrespective of the law or the regulation. So while the law or regulation gives some structure, otherwise also it looks like businesses should be worried about it and there is enough fallout happening if you are not going down that path. So it's not a question of if it's always a question of when. So Satish Venkatani views you have there. So the thing is it is not just about a fear factor. The thing is this is an opportunity to educate the end users in the right manner. Previously they were taken for granted in terms of collecting their data and flowing it unregulated across layers, across into systems, across companies. So I believe this regulation helps streamline that and user is also much more aware of what is being used for and what are the services being made out of. So I believe at least the PDP, NPD is much controversial in terms of the data sharing and all these things as it was told. But I believe a PDP kind of law if you implemented the right way is actually beneficial and you can target your end users even better than what you are doing before is what I believe. Of course there is a cost of compliance there but I think it is it is done for the wellness of the business as well. You can convert it. The other thing is that today your data business is global business. I mean we are between two companies in Brazil and Mexico and Hungary and everywhere else. Data business is global business. If PDP does not get passed very soon we will be out of the global data business because there is a broad convergence. We did a survey at Scribble as a company. We did a survey of these data production laws across geographies and there are some differences and so on but everybody now thinks that data is serious business. I mean you cannot not regulate it. One way or other I think just the strategic and the national competitiveness level from that perspective PDP is happening right. We might scribble about the details but without that there is no data business. Yes so globally we will become a pariah if we don't have this soon and the way I think it is going now you has also scrapped the US privacy shield which basically means they also don't have the same production. They are going to have the same privacy impacts as we have and so that way yes it's something that is on the anvil whether we like it or not we might as well take steps to take care of it and also ensure that the law gets passed. So in the last three weeks I'll just wait with one more point. I don't want to occupy too much of the channel also. We have been doing at Scribble in the last three, four weeks used to go through the legal conversations that are happening in US and Europe and one thing that is there is that they're looking well beyond privacy law. The data protection the CCPS of the world are considered necessary but not sufficient. Now it's a question of what is going to come down the line. I'm almost sure it's coming but there are new regulations coming and at the same time there is technological innovations happening. So as always regulations have always been in the board where they are falling behind technology and therefore in a way technology or the whole business always feels that any regulation that comes in is coming into curtail me and not really help me grow the business which is a serious thought process that keeps happening. So one of the things you know that I had also been speaking earlier with all of you is where we as a community create standards and also send it to the regulator saying this is one way in which sort of a self-regulation can be done which helps us and the business as well as helps the country framing the right laws as well so that there's less ambiguity in the whole thing. I don't know how we are going to achieve that but at some point maybe that will help. So I mean anybody else has questions any other inputs that you want to speak here anything that you feel is important enough to pick up otherwise you know we can look at an end to recession. I would only say that India needs to implement this PDP bill on a top priority basis you know. Absolutely agree with that you know NPD and all this late or the compliance can come later you know because implementing PDP itself will be a big challenge you know but to start with what Satish said you know India needs to implement PDP bill you know there are a lot of ambiguity with regard to NDP this non-data personnel but you know with a lot of discussions things can improve right but PDP bill has to be implemented on a top priority basis because privacy is going to be a very big thing and especially for if you see this post COVID scenario even the health care sector in India has to award now if health care sector in India has to award you need to have a privacy law in place. Agreed in fact even the NPD one of the data types of NPD is anonymized data from personnel so anyways unless the privacy bill comes in even the NPD will not have the necessary it requires and purely from a business standpoint I agree and then we working with clients and through their contracts with Europe and all or even the US we've been seeing increasingly increasing requirements of how you are doing it and simply because the bill is not there the first kind of opinion is that you may not have anything there because you don't have a local law and it kind of becomes binding they have to do a lot more justifications it is just going to help in a business standpoint. You mentioned about the Niti Ayoka are you talking about DEPA or whatever the data empowerment business NPCA generalization or something else? No no this is on the PDP portions only What is it saying? The no you mentioned about something that came out of Niti Ayoka So the Niti Ayoka was more purely in terms of data sharing what I was saying that even if the Niti Ayoka or NPD we look at all of these are still dependent on the primary privacy bill to be passed only then it can come in. The Niti Ayoka just if I'm not mistaken whatever I've seen it simply puts out saying data sharing has to be done by APIs and all that I don't think it is really taking a position I am trying to create more of a national framework but if any other thoughts I'm happy to hear that. Is this the same as DEPA or some other document? Same as DEPA. Actually DEPA only not same as. So that must be impactful for you in the data business right? Well actually that was a little more targeted towards NPCA and UPI because single vendor market that is not good so they want to generalize that that's how I read it for that kind of data sharing to happen there needs to be regulator and coordinating body because now essentially they're creating an interoperability between like thousands of organizations so I don't I'm not seeing DEPA being extended to every other domain. I don't see how it will happen. My reading is it is going more in the lines of the Aadhar portion than anything else. The way they're trying to put Aadhar is the way they're trying to create use DEPA to create that central infrastructure as well. So I agree with you I don't think it'll go beyond too much or it will become a position paper but it's more within the government rather than impacting the private businesses. Historically India does not have this community led standards development like IETF and things like that. The company cultures and the people who are so resume driven are not as excited even if there are contributions to the community standards from India it tends to be to this international standards. So I'm not sure how this will play out. Yeah I think this is something that we need to look at because at some point whether we become a local chapter and then use that to frame the community or we use the data security council type of thing to create our own bodies but I have a feeling that the amount of innovation and development that is happening here plus the kind of products we are speaking out within India it's best that we do it sooner rather than later because it's going to help us in the effort as well to make the whole regulations thing easier and also the regulators to understand our position. Yeah that's I agree to that Venkat. Community driven thing is very weak in India or any of the items actually unlike say Europe is far ahead in that especially the Scandinavian countries but India I believe is very backward in that.