7.15 Understanding DPIA Requirements
"The Significant Data Fiduciary shall... undertake the following other measures, namely:— (i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;"
— Digital Personal Data Protection Act, 2023
"A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder."
— DPDP Rules, 2025
The Three Statutory Components of DPIA
Section 10(2)(c)(i) specifies that a DPIA must comprise:
- Description of DP rights and processing purposes: Document what personal data is being processed, for what purposes, and what rights data principals have in relation to this processing
- Risk assessment: Identify and analyze risks to data principal rights arising from the processing
- Risk management: Develop and document measures to mitigate identified risks
7.16 When to Conduct a DPIA
Mandatory Annual DPIA
Rule 12(1) creates a clear obligation: SDFs must conduct a DPIA at least once every 12 months. The 12-month clock starts from:
- The date of SDF notification (for individually designated entities)
- The date of class notification (for entities falling within a designated class)
New SDFs should prioritize their first DPIA. The 12-month deadline runs from designation, not from when you become aware of it or when you complete other compliance setup. An entity designated on January 1, 2025, must complete its first DPIA by December 31, 2025 — not 12 months after it hires a DPO or establishes a compliance team.
Event-Triggered DPIAs
Beyond the annual requirement, prudent practice suggests conducting DPIAs when:
- New processing activities: Launching a new product, service, or feature involving personal data
- Significant changes: Material modifications to existing processing (new data categories, new purposes, new recipients)
- Technology changes: Implementing new systems, platforms, or technologies for data processing
- High-risk processing: Activities involving profiling, automated decision-making, or sensitive data
- Post-incident: Following a breach or near-miss to reassess control effectiveness
- Regulatory changes: When new rules or guidance affect processing activities
7.17 The DPIA Process: Step-by-Step
While DPDPA does not prescribe a specific methodology, the following process aligns with statutory requirements and international best practices:
Step 1: Scoping & Threshold Assessment
Define the boundaries of the DPIA — what processing activities are in scope? For the annual DPIA, this typically covers all significant processing activities. For project-specific DPIAs, define the specific initiative.
Scoping Questions
- What personal data is processed?
- What are the data sources?
- Who are the data principals affected?
- What systems/platforms are involved?
- Who has access to the data?
- Are there cross-border transfers?
Step 2: Processing Description
Document the nature, scope, context, and purposes of processing. This fulfills the first statutory component — "description of the rights of Data Principals and the purpose of processing."
Documentation Elements
- Categories of personal data processed
- Processing purposes and lawful bases
- Data flows (collection → processing → storage → sharing)
- Retention periods
- Data principal rights applicable
- Technical and organizational measures in place
Step 3: Necessity & Proportionality Assessment
Evaluate whether the processing is necessary for the stated purposes and proportionate to the objectives. This reflects the data minimization principle.
Assessment Questions
- Can purposes be achieved with less data?
- Is all collected data actually used?
- Could anonymization/pseudonymization reduce risks?
- Are retention periods justified?
- Is sharing with third parties necessary?
Step 4: Risk Identification
Identify risks to data principal rights. Consider both likelihood and severity of potential harms.
Risk Categories
- Unauthorized access or disclosure
- Data loss or destruction
- Inaccurate data leading to wrong decisions
- Excessive data collection or retention
- Lack of transparency about processing
- Inability to exercise rights
- Discriminatory outcomes from profiling
Step 5: Risk Assessment & Scoring
Assess each identified risk based on likelihood (probability of occurrence) and impact (severity if it occurs). Use a consistent scoring methodology.
Step 6: Mitigation Measures
For each significant risk, identify and document measures to reduce risk to acceptable levels. This fulfills the "management of risk" statutory component.
Mitigation Strategies
- Avoid: Stop the risky processing entirely
- Reduce: Implement controls to lower likelihood or impact
- Transfer: Insurance, contractual allocation to processors
- Accept: Accept residual risk with documented justification
Step 7: Documentation & Sign-off
Compile the DPIA report with all findings, assessments, and decisions. Obtain appropriate sign-offs and establish review schedule.
7.18 Risk Assessment Methodology
Risk Scoring Matrix
A standardized approach to assessing risks ensures consistency and enables comparison across processing activities:
Likelihood × Impact Risk Matrix
Likelihood Assessment Factors
| Factor | Low | Medium | High |
|---|---|---|---|
| Data Volume | <10,000 records | 10,000-1 million records | >1 million records |
| Access Points | Limited, controlled | Multiple internal users | External parties, public APIs |
| Historical Incidents | No prior incidents | Minor incidents occurred | Significant incidents history |
| Control Maturity | Mature, tested controls | Controls exist, some gaps | Nascent or absent controls |
Impact Assessment Factors
| Factor | Low | Medium | High |
|---|---|---|---|
| Data Sensitivity | Basic identifiers only | Financial, behavioral | Health, biometric, children |
| Harm Potential | Minor inconvenience | Financial loss, reputation damage | Physical harm, severe discrimination |
| Reversibility | Easily reversible | Reversible with effort | Irreversible or permanent |
| Vulnerable Populations | Adults with capacity | General public | Children, patients, employees |
7.19 DPIA Documentation Template
A well-structured DPIA document serves as both a compliance record and a working tool for risk management:
1. Executive Summary
2. Processing Description
2.1 Purpose of Processing: [Detailed description of why data is processed]
2.2 Categories of Personal Data: [List all data elements]
2.3 Data Sources: [How data is collected]
2.4 Data Recipients: [Who receives/accesses the data]
2.5 Data Flows: [Diagram showing data movement]
2.6 Retention Periods: [How long data is kept]
3. Data Principal Rights Analysis
3.1 Applicable Rights: [Which DPDPA rights apply]
3.2 Rights Exercise Mechanisms: [How DPs can exercise rights]
3.3 Response Procedures: [How requests are handled]
4. Risk Assessment
4.1 Risk Register: [Detailed list of identified risks]
4.2 Risk Scoring: [Likelihood × Impact analysis]
4.3 High-Risk Areas: [Focus on critical risks]
5. Mitigation Measures
5.1 Existing Controls: [Current safeguards in place]
5.2 Recommended Additional Measures: [New controls needed]
5.3 Implementation Timeline: [When measures will be implemented]
5.4 Residual Risk Assessment: [Risk level after mitigation]
6. Approvals & Sign-off
7.20 DPB Reporting Requirements
"A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact Assessment and audit."
— DPDP Rules, 2025
What Must Be Reported
The DPB report focuses on "significant observations" — not the entire DPIA. This includes:
- High-risk findings: Risks rated as high or critical
- Compliance gaps: Areas where processing doesn't meet DPDPA requirements
- Material changes: Significant changes from previous DPIA
- Remediation status: Progress on addressing prior findings
- Residual risks: Accepted risks that remain after mitigation
The DPB report should be comprehensive enough to demonstrate thorough assessment, but not so voluminous that significant issues get buried. A well-structured executive summary with detailed annexures for high-risk items works well. Remember — the DPB may use this report to identify entities for closer scrutiny, so accuracy and completeness matter.
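The risk matrix in 7.18 and the "significant observations" filter in 7.20 can be turned into a small, repeatable scoring tool. The following Python is an added example written for this guide, not a tool the Act, the Rules or any regulator supplies. The guide does not prescribe a numeric scheme, so the following are assumptions: Low/Medium/High map to 1/2/3, the likelihood (or impact) rating of a risk is the highest rating across its four factors, the combined score is likelihood × impact, and combined scores of 6 or above are treated as High and therefore reportable. The sample risk register is constructed for illustration.

```python
"""DPIA risk-register scorer (added example; assumptions are noted inline).

Applies the Likelihood and Impact factor tables from Section 7.18 and
extracts the High-rated risks that Section 7.20 says belong in the DPB report.
"""
from dataclasses import dataclass

# Assumed numeric mapping for the three bands used in the guide's tables.
RATING = {"Low": 1, "Medium": 2, "High": 3}

# Factor names exactly as they appear in the two 7.18 tables.
LIKELIHOOD_FACTORS = ("Data Volume", "Access Points", "Historical Incidents", "Control Maturity")
IMPACT_FACTORS = ("Data Sensitivity", "Harm Potential", "Reversibility", "Vulnerable Populations")


def volume_rating(records: int) -> str:
    """Data Volume row of the likelihood table: <10,000 / 10,000-1 million / >1 million."""
    if records < 10_000:
        return "Low"
    if records <= 1_000_000:
        return "Medium"
    return "High"


def aggregate(ratings: dict, expected: tuple) -> int:
    """Collapse per-factor bands into one 1-3 value.

    Assumption: the highest factor rating governs (conservative choice).
    Every factor in the table must be rated, and no unknown factor is accepted,
    so an incomplete assessment fails loudly instead of scoring low by omission.
    """
    missing = set(expected) - ratings.keys()
    unknown = ratings.keys() - set(expected)
    if missing or unknown:
        raise ValueError(f"unrated factors: {sorted(missing)}; unknown factors: {sorted(unknown)}")
    bad = [v for v in ratings.values() if v not in RATING]
    if bad:
        raise ValueError(f"ratings must be Low/Medium/High, got {bad}")
    return max(RATING[v] for v in ratings.values())


def classify(score: int) -> str:
    """Assumed thresholds on the 3x3 product: 1-2 Low, 3-4 Medium, 6-9 High."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


@dataclass
class Risk:
    name: str
    likelihood: dict   # factor name -> Low/Medium/High
    impact: dict       # factor name -> Low/Medium/High
    mitigation: str = ""

    def score(self) -> int:
        return aggregate(self.likelihood, LIKELIHOOD_FACTORS) * aggregate(self.impact, IMPACT_FACTORS)

    def rating(self) -> str:
        return classify(self.score())


def significant_observations(register: list) -> list:
    """Section 7.20: the DPB report carries the High-rated findings, not the whole DPIA."""
    return [(r.name, r.score(), r.rating()) for r in register if r.rating() == "High"]


# Constructed sample register (illustrative values, not a real assessment).
SAMPLE_REGISTER = [
    Risk(
        "Behavioural profiling for recommendations",
        {"Data Volume": volume_rating(80_000_000), "Access Points": "Medium",
         "Historical Incidents": "Low", "Control Maturity": "Medium"},
        {"Data Sensitivity": "Medium", "Harm Potential": "Medium",
         "Reversibility": "Medium", "Vulnerable Populations": "Medium"},
        "Enhanced consent for profiling; algorithmic transparency disclosures",
    ),
    Risk(
        "Stored card data for quick checkout",
        {"Data Volume": volume_rating(500_000), "Access Points": "Low",
         "Historical Incidents": "Low", "Control Maturity": "Low"},
        {"Data Sensitivity": "Medium", "Harm Potential": "Medium",
         "Reversibility": "Medium", "Vulnerable Populations": "Low"},
        "Tokenization; PCI-DSS verification",
    ),
    Risk(
        "Internal newsletter subscriber list",
        {"Data Volume": volume_rating(2_000), "Access Points": "Low",
         "Historical Incidents": "Low", "Control Maturity": "Low"},
        {"Data Sensitivity": "Low", "Harm Potential": "Low",
         "Reversibility": "Low", "Vulnerable Populations": "Low"},
    ),
]

if __name__ == "__main__":
    # Section 4.1/4.2 of the 7.19 template: the scored risk register.
    for r in SAMPLE_REGISTER:
        print(f"{r.rating():6} {r.score():2}  {r.name}")
    print("Significant observations for DPB report:", significant_observations(SAMPLE_REGISTER))
```

The "highest factor wins" rule is deliberately conservative: one High factor (here, the 8-crore-user data volume) is enough to push likelihood to High, which is usually what you want when the output decides what reaches the Board. If your organization prefers an averaged rating, change `aggregate` in one place and the thresholds in `classify` together, and record that choice in the DPIA methodology section so successive annual DPIAs remain comparable.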
7.21 Case Study: E-Commerce Platform DPIA
Background: ShopMax India, a major e-commerce marketplace, was designated as an SDF in March 2025. The company processes personal data of 8 crore registered users and 50 lakh merchants. Processing includes purchase history, payment information, delivery addresses, behavioral analytics, and personalized recommendations.
Key DPIA Findings:
1. Recommendation Engine Risk (High)
- Issue: AI-powered recommendation engine uses extensive behavioral profiling without transparent disclosure
- Risk: Potential manipulation of purchase decisions; discrimination in product visibility
- Mitigation: Enhanced consent for profiling; algorithmic transparency disclosures; discrimination testing
2. Third-Party Seller Access (Medium-High)
- Issue: 50 lakh merchants have access to customer order data
- Risk: Potential misuse of customer data; inadequate merchant data protection practices
- Mitigation: Mandatory merchant data protection certification; technical access controls; audit rights
3. Payment Data Processing (Medium)
- Issue: Card data stored for quick checkout feature
- Risk: Potential breach exposure of financial data
- Mitigation: PCI-DSS compliance verification; tokenization enhancement; breach notification protocols
4. Children's Data (Medium)
- Issue: No robust age verification; potential purchases by minors
- Risk: Processing children's data without verifiable parental consent
- Mitigation: Age-gate implementation; parental consent mechanism for youth accounts
DPIA Outcome: The company's board approved continued processing, with mandatory implementation of all mitigation measures within 6 months. The high-risk algorithmic issues were prioritized for immediate action, and the DPB report was filed highlighting the recommendation engine and merchant access as significant observations.
7.22 Key Takeaways
✅ Part 3 Summary
- Annual mandatory requirement — SDFs must conduct a DPIA at least once every 12 months from designation
- Three statutory components — Description of rights/purposes, risk assessment, risk management
- Seven-step process — Scoping → Description → Necessity → Identification → Assessment → Mitigation → Documentation
- Risk matrix approach — Assess risks using Likelihood × Impact methodology for consistency
- Comprehensive documentation — DPIA report should cover all required elements with clear sign-offs
- DPB reporting required — Rule 12(2) mandates reporting significant observations to the Board
- Event-triggered DPIAs — Beyond annual cycle, conduct DPIAs for new/changed high-risk processing
- Board involvement essential — DPIA findings and residual risk acceptance require Board-level engagement
- Remediation tracking — Document implementation of mitigation measures and verify effectiveness
- Penalty context — SDF obligation breach including DPIA failures can attract up to ₹150 Crore penalty
