The newly enacted Digital Personal Data Protection Act, 2023 (hereinafter, “DPDPA”) requires significant data fiduciaries to conduct a periodic Data Protection Impact Assessment (hereinafter, “DPIA”).
A DPIA is a procedure in which a data controller or fiduciary evaluates a processing activity to identify and analyse the risks it poses to the rights of the individuals whose data is processed, and then adopts measures to minimise or eliminate those risks. It is a significant compliance requirement under the DPDPA, is not a one-time exercise, and forms an integral part of global best practice.
OBJECTIVE OF DPIA
The main objective behind including the DPIA as a core procedure is to set up a robust data privacy regime that reliably identifies the risks arising from data processing. The aim is to analyse each risk and adopt a solution that reduces or eliminates it.
By conducting this procedure periodically, organisations of all kinds can establish a non-invasive data protection management system for their customers/users. This further helps the organisation comply with its legal obligations and lowers the risk of data breaches, which in turn reduces the chances of hefty penalties and lawsuits.
WHAT SHOULD BE INCLUDED IN THE ASSESSMENT
The DPDPA mandates that the DPIA be conducted periodically and that it comprise a description of the rights of Data Principals, the purpose of processing their personal data, and an assessment and management of the risk to the rights of the Data Principals, along with such other matters as may be prescribed.
It must therefore record what data is being collected, the purpose of collection, the sources from which the data is obtained, any further processing activities, and the potential risks involved. The evaluation should be carried out before implementing any change to data privacy policies and procedures.
In addition, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the “SPDI Rules”), framed under the Information Technology Act, 2000 (hereinafter referred to as the “IT Act”), require a body corporate to have its reasonable security practices and procedures audited by an independent auditor approved by the Central Government at least once a year, and whenever it undertakes a significant upgradation of its processes or computer resources.
DPIA UNDER GDPR
At present, MeitY has not issued any further clarification on the content of a DPIA or the procedure for conducting it. However, we can look to the European Union’s (hereinafter, “EU”) stringent General Data Protection Regulation (hereinafter, “GDPR”) to get a sense of how a DPIA might look in the Indian context.
The GDPR mandates the inclusion of a few minimum elements in the assessment but leaves the organisation free to design its own DPIA template. In keeping with best practice, the following parameters should be adhered to before initiating a DPIA:
As Indian business entities await the implementation of the DPDPA with bated breath, the Central Government’s initiative has been widely acknowledged as a step towards a robust data privacy regime in the country.
Mandating a periodic DPIA not only for significant data fiduciaries but for all data fiduciaries would further strengthen the goal of data privacy within organisations.
By aligning with global regulations, the DPDPA provides a holistic approach to building a non-invasive data protection management system for organisations of all kinds in the Indian context.
-Team AMLEGALS, assisted by Ms. Khanak Sharma (Intern)