Data PrivacyA Guide to Data Protection Impact Assessment

September 13, 20230


The introduction of the new Digital Personal Data Protection Act, 2023 (hereinafter, “DPDPA”) specifies the conduct the periodic Data Protection Impact Assessment (hereinafter, “DPIA”) by the significant data fiduciaries.

DPIA is a procedure wherein an evaluation is performed to analyse, identify and minimise or nullify the potential risks which may hamper the processing of data by a data controller or fiduciary. It is a significant compliance requirement under the DPDPA and is not a one-time exercise, which also forms an integral part of global best practices.


The main objective behind the inclusion of DPIA as a crucial procedure is to set up a robust data privacy regime that successfully identifies the risks pertaining to data processing and protection. The motive is to analyse the risks and adopt a solution to reduce or eliminate it.

By conducting this procedure on a periodic scale, all kinds of organisations can establish a non-invasive data protection management system for their customers/users. This further helps the organisations to comply with the legal obligation, and lowers the risk of data breaches which successively reduces the chances of hefty penalties and lawsuits.


The DPDPA mandates the conduct of DPIA in a periodic manner comprising the description of the rights of Data Principals, the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals.

It must include what data is being collected, the purpose of collection, potential risks, what sources are included, and further processing activities. This evaluation should be carried out before implementing any changes in the data privacy policies and procedures.

Also, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (hereinafter referred to as the “SPDI Rules”) defined under the Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) also mandates to conduct a periodic audit by a Government officer to ensure compliance with the reasonable security practices and procedures.


At present, MeiTY has not given any further clarifications for the content or procedure in which the DPIA would be conducted however, we can take a glance at the European Union’s (hereinafter, “EU”) stringent General Data Protection Regulation (hereinafter, “GDPR”) law to get an estimate of how a DPIA might look in the Indian context.

GDPR mandates to inclusion a few elements in the assessment and gives the subject organisation liberty to design their own DPIA template. However, in accordance with the best practices, the following parameters should be adhered to prior to initiating DPIA:

  • The need to conduct DPIA
  • Description of the processing of data
  • Consultation from stakeholders and experts
  • Assessment of necessity and proportionality
  • Identify and assess risks
  • Identify measures to mitigate the risks and recording outcomes.


As the Indian business entities await the implementation of DPDPA with bated breath, the revolutionary initiative by the Central Government has been well acknowledged to set up a robust data privacy regime in the country.

Mandating the conducting of periodic DPIA for not only significant data fiduciaries but also all data fiduciaries would strengthen the goal of data privacy for the organisation.

The DPDPA being parallel to the global regulations provides a holistic approach towards building a non-invasive data protection management system for all kinds of organisations in the Indian context.

-Team AMLEGALS, assisted by Ms. Khanak Sharma (Intern)

For any query or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.