RESOURCE ARTICLE

Top 10 operational impacts of India’s DPDPA – Data protection impact assessments

This article provides insight into data protection impact assessments in relation to India's DPDPA.


Published: 8 Aug. 2024

Last updated: 20 Jan. 2026

This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.

Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.

The operationalization of India's data protection law, the Digital Personal Data Protection Act, 2023, establishes how data fiduciaries can collect and process the personal data of data principals — the individuals whose data is processed.

Data fiduciaries determine the purpose and means of data processing; that is, they control the data processing activity. In contrast, data processors merely process data on behalf of a data fiduciary.

The DPDPA also recognizes another class of entities — significant data fiduciaries — that are subject to a heightened set of requirements under the law. Among these is the requirement to conduct a data protection impact assessment.

What are DPIAs?

A DPIA is an assessment of processing activities carried out to identify privacy risks and to develop and document ways to minimize and manage those risks. It flows from the privacy-by-design principle, which requires organizations to systematically include privacy considerations in the early stages of any new project or processing activity. A documented assessment of risks helps an organization identify and minimize risks to individuals from the beginning and demonstrates its commitment to data protection.

The DPDPA describes a DPIA as a process that sets out a description of the data principals' rights, the purpose of processing their personal data, and an assessment and management of the risks to their rights.

Who must conduct DPIAs?

Only significant data fiduciaries are required to conduct DPIAs under the DPDPA. This class of entities will be defined by the government based on certain factors, including the volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the state, and public order.

Companies that process large volumes of data or deal primarily with sensitive information are likely to be designated significant data fiduciaries. The government could potentially set out a threshold linked to a data fiduciary's user base, among other alternatives. For reference, India's intermediary liability regime recognizes a class of intermediaries as "significant social media intermediaries" if they have over five million registered users in India.

Only requiring significant entities to conduct DPIAs is a departure from global regimes, such as the EU General Data Protection Regulation, which requires all data controllers to conduct DPIAs — but only for limited processing activities with a high risk to individuals' rights and freedoms.

In any case, while only significant data fiduciaries face this mandate, some organizations may consider adopting DPIAs as part of their overall privacy-by-design approach. Data protection impact assessments could help them comply with the requirement to implement organizational and technical measures to protect data under the DPDPA — something all data fiduciaries must do.

When should DPIAs be conducted?

Under the GDPR, a DPIA must be carried out when the processing of personal data is likely to result in high risk to the individuals, such as cases involving systematic and large-scale profiling of individuals with significant effects, large-scale processing of special categories of data, or large-scale, systematic monitoring of a publicly accessible place.

Indicatively, this could include scenarios such as a financial institution running credit checks, a hospital maintaining patients' medical records or an organization combining datasets collected through different processing operations using new technologies such as Internet of Things devices. The assessment of whether an activity poses a high risk is left to the data controllers.

In contrast, the DPDPA does not specify thresholds or triggers for when DPIAs must be conducted. Rather, the act only requires significant data fiduciaries to conduct periodic DPIAs every 12 months. Under the GDPR, the threshold for conducting DPIAs depends on the nature of a data processing activity, such as a new technology or profiling individuals on a large scale.

Under the DPDPA, the threshold is based on whether an entity is classified as a significant data fiduciary. Therefore, any company that qualifies as a significant data fiduciary must conduct a DPIA of its data processing activities every 12 months. Further, significant observations from the DPIA must also be submitted to the Data Protection Board of India.

What should a DPIA cover?

While the DPDPA is not prescriptive on what a DPIA should cover, businesses based in India could take a cue from global regimes to prepare for DPIA processes and imagine what the assessment should contain.

Data principals' rights

A DPIA should identify the individuals whose personal data will be collected and used, document their rights and, presumably, the manner in which the rights can be exercised — for instance, by writing to the data protection officer via the email address identified in the privacy policy or through designated dashboards — as well as the internal processes followed to enable individuals to exercise their rights.

While not expressly called out in the DPDPA, a DPIA should also document the types of personal data collected — such as a data principal's name, phone number or IP address — and the way in which their data is collected — such as through email, mobile applications or a form on a website.

Purpose of processing

A DPIA should describe the processing activity and why personal data is required for that activity. For instance, an e-commerce platform asks data principals to provide their addresses and passes them on to a delivery agent to complete deliveries of online purchases. The DPIA should document how the data is collected, how it is passed on to the delivery agent and why.

Assessment of risks to individuals' rights

A DPIA should document the kind of risks individuals may face from data processing. While the DPDPA only refers to risks to the rights of data principals, this appears to be a more general reference to risks individuals could face from the data processing.

Building on the e-commerce example, the DPIA could identify and document the risk of harassment a buyer could face if their address and phone number, collected by the platform, were passed on to delivery agents without appropriate checks. Similarly, an organization considering instituting a biometric-based attendance system should identify risks to employees if the biometrics are exposed or the service provider faces a data breach.

The DPIA should contain an assessment of the risk, indicating whether there is a high, medium or low risk based on some objective criteria. For instance, the U.K. Information Commissioner's Office requires organizations to look at both severity of impact — whether there is potential for severe harm or minimal impact — and the likelihood of harm — whether the risk is remote or imminent — to quantify the risk.

Management of risk

A DPIA should identify and document measures to mitigate the risks identified. These could be technical, contractual or organizational, and indicatively could include minimizing the personal data collected, anonymizing the data, using a different technology, training staff, making changes to privacy notices and instituting processes for periodic checks on service providers, among others.

Using the e-commerce example once more, the e-commerce company could decide to provide delivery agents with applications that only give them temporary access to buyers' addresses to minimize the risk of harassment a buyer could face. The agents in this hypothetical situation would only be able to place calls to buyers through the application, without their phone numbers being exposed.

In addition to conducting a DPIA, significant data fiduciaries must also exercise due diligence to ensure their technical measures do not pose a risk to the rights of data principals.

Organizational processes for conducting DPIAs

Significant data fiduciaries must put internal processes and protocols in place to institutionalize DPIAs, especially since they are also likely to be closely scrutinized during the data audits that they must periodically conduct to comply with the law.

Embedding DPIAs in organizational processes involves developing policies for their conduct, including setting thresholds for when they must be conducted, creating template DPIAs that teams could easily fill in, designating individuals in charge of leading assessments, providing periodic training to staff on running DPIAs, sensitizing teams and setting out an escalation matrix.

While the process may depend on the nature of a business and its structure, it is likely DPOs will play a key role in signing off on DPIAs and weighing in on the risks and mitigation strategies.

All over the world, DPIAs are seen as a key component of a privacy-by-design approach. India's law does not detail the DPIA process and contents, providing businesses flexibility on how to conduct them.


Contributors:

Sreenidhi Srinivasan

Partner, Ikigai Law

Abhinav Wadhwa

Associate, KPMG

AIGP, CIPP/E, CIPP/US, CIPM, FIP

