This article is part of a series on the operational impacts of India's DPDPA. The full series can be accessed here.
Published: August 2024
Contributors:
Navigate by Topic
India's new data protection law, the Digital Personal Data Protection Act, establishes how "data fiduciaries" can collect and process the personal data of data principals — the individuals whose data is processed.
Data fiduciaries determine the purpose and means of data processing, meaning they control the data processing activity. In contrast, data processors merely process data on behalf of data fiduciaries.
The DPDPA also recognizes another class of entities — significant data fiduciaries — that is subject to a heightened set of requirements under the law. Among these is the requirement to conduct a data protection impact assessment. While details are anticipated through yet-to-be-published implementing rules, the DPDPA provides some leads on what organizations can expect.
What are DPIAs
A DPIA is an assessment of processing activities carried out to identify privacy risks to individuals and to develop and document ways to minimize and manage the risks. It flows from the privacy by design principle, which requires organizations to systematically include privacy considerations in the early stages of any new project or processing activity. A documented assessment of risks helps an organization identify and minimize risks to individuals from the get-go and demonstrate its commitment to data protection.
The DPDPA describes a DPIA as a process that sets out a description of the data principals' rights, the purpose of processing their personal data, and an assessment and management of the risk to their rights. More details on the process and contents of a DPIA are likely to be prescribed by the Indian government through implementing rules.
Who must conduct DPIAs
The DPDPA requires only significant data fiduciaries to conduct DPIAs. This class of entities will be defined by the Indian government based on certain factors, such as the volume and sensitivity of data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, and security of the state and public order.
Companies that process large volumes of data or deal primarily with sensitive information are likely to be designated SDFs. The Indian government could potentially set out a threshold linked to user base, among others, for this. For reference, India's intermediary liability regime recognizes a class of intermediaries as "significant social media intermediaries" if they have over 5 million registered users in India.
This approach of requiring only significant entities to conduct DPIAs is a departure from global regimes, such as the EU General Data Protection Regulation, under which all data controllers must conduct DPIAs but only for limited processing activities with a high risk to individuals' rights and freedoms.
In any case, while the law only requires SDFs to conduct DPIAs, some organizations may consider adopting DPIAs as part of their overall privacy by design approach. This could also help them comply with the requirement to implement organizational and technical measures to protect data under the DPDPA — something all data fiduciaries must do.
When should DPIAs be conducted
Under the GDPR, a DPIA must be carried out when the processing of personal data is likely to result in high risk to the individuals, including when the processing involves systematic and large-scale profiling of individuals with significant effects, large-scale processing of special categories of data, or large-scale, systematic monitoring of a publicly accessible place.
Indicatively, this could include scenarios such as a financial institution running credit checks, a hospital maintaining patients' medical records or an organization combining datasets collected through different processing operations using new technologies such as Internet of Things devices. The assessment of whether an activity poses a high risk is left to the data controllers.
In contrast, India's DPDPA does not specify thresholds or have triggers for when DPIAs must be conducted. Rather, it requires only SDFs to conduct periodic DPIAs. So, while under the EU GDPR, the threshold for conducting DPIAs is tied to the nature of a data processing activity, such as a new technology or profiling of individuals on a large scale. Under the DPDPA, the threshold is linked to the classification of an entity as an SDF.
It remains to be seen whether the Indian government will require SDFs to conduct and document DPIAs for all processing activities periodically or whether it will introduce thresholds for when DPIAs are to be conducted.
What should a DPIA cover
While guidance is awaited through the rules, Indian businesses could take a cue from global regimes to prepare for DPIA processes and imagine what the assessment should contain.
-
expand_more
Description of data principals' rights
A DPIA should identify the individuals whose personal data will be collected and used, document their rights and, presumably, the way the rights can be exercised — for instance by writing to the data protection officer through an email address identified in the privacy policy or dashboards — and the internal processes followed to enable individuals to exercise their rights.
While not expressly called out in the DPDPA, a DPIA should also document the types of personal data collected, such as a data principal's name, mobile number and IP address, and the way their data is collected, like through email, mobile applications or a form on a website.
-
expand_more
Purpose of processing
A DPIA should describe the processing activity and why personal data is required for that activity. For instance, an e-commerce platform asks data principals to provide their addresses and passes them on to a delivery agent to complete deliveries. The DPIA should document how the data is collected, how it is passed on to the delivery agent and why.
-
expand_more
Assessment of risks to individuals' rights
A DPIA should document the kind of risks individuals may face from data processing. While the DPDPA refers only to risks to "rights" of data principals, this appears to be a more general reference to risks individuals could face from the data processing.
Building on the e-commerce example, for instance, the DPIA could identify and document the risk of harassment a buyer could face if their address and phone number, collected by the platform, were passed on to delivery agents without appropriate checks. Similarly, an organization considering instituting a biometrics-based attendance system should identify risks to employees if the biometrics are exposed or the service provider faces a data breach.
The DPIA should contain an assessment of the risk, indicatively, whether there is a high, medium or low risk, based on some objective criteria. For instance, the U.K. Information Commissioner's Office requires organizations to look at both severity of impact — whether there is potential for severe harm or minimal impact — and likelihood of harm — whether the risk is remote or imminent— to quantify the risk.
-
A DPIA should identify and document measures to mitigate the risks identified. These could be technical, contractual or organizational, and indicatively could include minimizing the personal data collected, anonymizing the data, using a different technology, training staff, making changes to privacy notices and instituting processes for periodic checks on service providers, among other actions.
Using the e-commerce example once more, to minimize the risk of harassment a buyer could face, the e-commerce company could decide to provide delivery agents with applications that only give them temporary access to buyers' addresses. The agents can only place calls to buyers through the application, without their phone numbers being exposed.
Organizational processes for conducting DPIAs
SDFs must put internal processes and protocols in place to institutionalize DPIAs, especially since they are also likely to be scrutinized closely during the data audits they must periodically conduct to comply with the law.
Embedding DPIAs in organizational processes involves developing policies for conducting DPIAs, including setting thresholds for when they must be conducted, creating template DPIAs that teams can easily fill in, designating individuals in charge of DPIAs, providing periodic training to staff on running DPIAs, sensitizing teams and setting out an escalation matrix.
While the process may depend on the nature of a business and its structure, it is likely DPOs will play a key role in signing off on DPIAs and weighing in on the risks and mitigation strategies.
All over the world, DPIAs are seen as a key component of a privacy by design approach. India's law does not set out the details of the DPIA process and contents. While the forthcoming rules are expected to offer some details, we hope they give businesses flexibility on how to conduct them.
The authors thank Ikigai Law Partner Aman Taneja for his input.
The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.
Top 10 operational impacts of India's DPDPA
The overview page for the full series can be accessed here.
- Part 1: Scope, key definitions and lawful data processing
- Part 2: Individual rights
- Part 3: Obligations of data processing entities
- Part 4: Enforcement and the Data Protection Board
- Part 5: Cross-border data transfers
- Part 6: Comparative analysis with the GDPR and other major data privacy laws
- Part 7: Consent management
- Part 8: Data audits for significant fiduciaries
- Part 9: Data protection impact assessments
- Part 10: Data breaches
Approved