
Get DPIA Done! An Operational Requirement of the DPDPA

India’s recently enacted Digital Personal Data Protection Act (DPDPA) introduces comprehensive regulations on how “data fiduciaries” handle the personal data of “data principals,” i.e., individuals whose data is being processed. Under this law, data fiduciaries—those who determine the purpose and means of processing—play a central role, while data processors act on behalf of these fiduciaries, executing the actual data processing. One of the notable features of the DPDPA is its classification of certain data fiduciaries as “significant data fiduciaries” (SDFs). This category is subject to additional obligations, including the requirement to perform a Data Protection Impact Assessment (DPIA). While the details of these assessments are still expected in upcoming rules, the Act offers hints about what these obligations may entail.

What is a DPIA?

A DPIA is an assessment of data processing activities designed to identify privacy risks to individuals and outline methods to mitigate these risks. This practice stems from the principle of “privacy by design,” which promotes the proactive inclusion of privacy considerations at the onset of any project or processing activity. By conducting a DPIA, an organization can not only manage risks to individuals but also showcase its commitment to data protection.

Under the DPDPA, a DPIA is described as a process that should cover a description of data principals’ rights, the purpose for processing their personal data, and an assessment of risks to these rights. Further specifics on what should be included in a DPIA will likely be provided by the Indian government in implementing rules.

Who Needs to Conduct a DPIA?

The DPDPA mandates DPIAs only for entities designated as significant data fiduciaries (SDFs). These entities will be identified based on criteria such as the volume and sensitivity of data processed, the risk to individuals’ rights, and broader concerns such as the potential impact on India’s sovereignty, electoral democracy, and public order.

Large companies that process significant volumes of sensitive data are expected to fall within this category. The government might establish a specific user threshold for determining SDFs, similar to its classification of “significant social media intermediaries” with over 5 million users.

In contrast to the EU General Data Protection Regulation (GDPR), which mandates DPIAs for high-risk processing activities regardless of organization size, the DPDPA restricts this requirement to significant entities only. Nonetheless, even entities not designated as SDFs may consider adopting DPIAs as part of their privacy practices to enhance compliance with the DPDPA’s organizational and technical data protection requirements.

When Should DPIAs Be Conducted?

Under the GDPR, a DPIA is necessary when personal data processing activities carry high risks to individuals, such as profiling or large-scale processing of special categories of data. Examples include credit checks by financial institutions or the use of new technologies, such as IoT devices, for large-scale data collection.

However, the DPDPA does not yet define specific triggers for conducting DPIAs. Instead, SDFs are expected to conduct DPIAs periodically. Whether this means that all processing activities require an assessment or only certain high-risk activities remains to be clarified by the government.

Core Components of a DPIA

While we await further details from the Indian government, Indian organizations can start preparing their DPIA processes based on global standards. Here are key components a DPIA may cover:

  1. Description of Data Principals’ Rights
    Outlining data principals’ rights, such as consent withdrawal and data correction, to ensure these are respected throughout processing activities.
  2. Purpose of Processing
    Clarifying why personal data is collected, used, or shared to assess whether each purpose is justified and minimally invasive.
  3. Risk Assessment
    Identifying potential risks to individuals’ rights, including unauthorized access, profiling risks, and potential breaches, and evaluating the likelihood and impact of these risks.
  4. Risk Management
    Documenting strategies to minimize and manage identified risks, demonstrating compliance through mitigation measures.

Embedding DPIAs in Organizational Processes

For SDFs, embedding DPIAs in organizational processes will require the development of internal policies and protocols. Companies will need to set thresholds for when DPIAs are necessary, establish templates, assign responsibilities, train staff, and develop an escalation process for identified risks.

Data Protection Officers (DPOs) will likely play a critical role in overseeing DPIAs, weighing in on risks and mitigation strategies, and signing off on the assessments. The flexibility provided by the DPDPA allows businesses to adapt their DPIA processes to suit their unique operations while still fostering a robust privacy-by-design approach.