Data Protection Impact Assessment under Data Privacy Era

August 14, 2023

Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a procedure in which an evaluation is conducted to understand the potential risks that are likely to arise while personal data is processed.

A DPIA sets out the way forward to reduce the risk associated with data processing as much as possible.

All kinds of organisations, whether Micro, Small, and Medium Enterprises (MSMEs) or multinational conglomerates, are advised to initiate the process of DPIA.

Building the DPIA process into a company's data management system is one of the critical prerequisites for complying with the requirements of the Digital Personal Data Protection Act, 2023.

It is equally significant to understand this aspect in line with the following questions:

1. Whether DPIA is mandatory?

It is pertinent to note that under clause (c) of Section 10(2) of the DPDPA, 2023, the Significant Data Fiduciary shall undertake the DPIA, which shall be a process comprising the following:

a. description of the rights of Data Principals,

b. purpose of processing of their personal data,

c. assessment and management of the risk to the rights of the Data Principals, and

d. such other matters regarding such process as may be prescribed under DPDPA, 2023.

Yes, it can be safely concluded that DPIA is a mandatory exercise to be carried out by every Significant Data Fiduciary under the enactment.

2. When to carry out DPIA?

It shall be carried out before carrying out any data processing project.

3. What are the broad heads of risks to be assessed?

The risks should be broadly classified under:

a. Risks associated with Data Principals,

b. Corporate risks, and

c. Compliance risks

4. Whether DPIA should be published?

Yes, it shall be published; only then can you have everything documented and specified, along with the rights of Data Principals, the process to be carried out and the risks assessed. It should also duly take note of the project with its number, date and description.

5. Whether a separate DPIA is to be carried out for each project?

Yes, since every project and assessment can have varied factors to be assessed.

While advising globally on DPIA, it is always our thrust to lay down the best global practices in an organisation when it comes to adopting a holistic approach to this crucial aspect, so that unforeseen liabilities due to contravention in data protection can be checked at every stage of the data management cycle.

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.