A DPIA (Data Protection Impact Assessment) is a structured review of how a processing activity affects the rights of the individuals whose personal data it touches. It identifies privacy risks before they materialise, documents how you will reduce them, and produces a record that regulators can inspect. Under India's DPDP Act (DPDPA), it is a recurring legal obligation for Significant Data Fiduciaries.
If your organisation processes large volumes of personal data in India, there is a realistic chance you will be designated a Significant Data Fiduciary (SDF) once the Central Government begins issuing notifications. From that moment, an annual DPIA stops being good practice and becomes a statutory duty backed by a penalty of up to ₹150 crore.
This guide covers what a DPIA is, who must conduct one in India, how the DPDP version differs from the GDPR version most privacy teams know, and a practical 7-step process.
DPIA Meaning and Full Form
DPIA stands for Data Protection Impact Assessment. The DPDP Act does not define the term in Section 2, but Section 10(2)(c) makes it one of the core additional obligations of a Significant Data Fiduciary, and Rule 13 of the DPDP Rules 2025 fills in the operational detail.
In substance, a DPIA answers four questions about a processing activity:
- What personal data is processed, and why?
- What could go wrong for the people whose data it is?
- How likely and how severe is each of those harms?
- What are you doing about it, and is the residual risk acceptable?
The output is a documented assessment: a living record, not a one-off certificate.
Who Must Conduct a DPIA in India
The legal obligation applies to Significant Data Fiduciaries. The Central Government designates SDFs under Section 10 based on factors including the volume and sensitivity of data processed, risk to the rights of Data Principals, potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, and public order. (Our guide chapter on Significant Data Fiduciaries covers the designation factors and the other SDF duties in full.)
Rule 13 then sets the cadence and the teeth:
- DPIAs must be conducted at least once every twelve months, with the clock starting on the date the organisation is notified as an SDF, alongside a periodic audit.
- The person carrying out the DPIA and audit must furnish a report of the significant observations to the Data Protection Board of India.
- SDFs must also verify that any algorithmic software they deploy does not pose a risk to Data Principal rights, which in practice folds automated decision-making review into the DPIA exercise.
Not an SDF? You can still be asked hard questions. Section 8 makes every Data Fiduciary responsible for security safeguards and lawful processing, and a voluntary DPIA is the cleanest way to evidence that you assessed and mitigated risk before launching a new product, vendor, or data flow. It is also the strongest defence file you can hand the Board after an incident.
DPIA Under DPDP vs GDPR
Most Indian privacy teams learned DPIAs through GDPR Article 35. The DPDP version is structurally different, and porting your GDPR process across without changes will leave gaps.
| Aspect | GDPR (Article 35) | DPDP Act (Section 10 + Rule 13) |
|---|---|---|
| Who must do it | Any controller, when processing is "high risk" | Significant Data Fiduciaries, by designation |
| Trigger | Risk-based, per processing activity | Time-based: at least every 12 months |
| Regulator involvement | Consult the authority only if residual risk stays high | Significant observations must be reported to the Board |
| Algorithmic review | Implicit in high-risk criteria | Explicit duty to verify algorithmic software |
| Penalty exposure | Up to 2% of global turnover | Up to ₹150 crore for SDF obligation breaches |
Two practical consequences follow. First, DPDP DPIAs are periodic by default: you cannot close one and file it away for three years. Second, the reporting duty means your DPIA output should be written knowing that parts of it may go to the regulator. Vague risk registers and unfinished mitigation plans read very differently when the Board is the audience.
When to Run a DPIA
The statutory minimum for SDFs is annual. A mature programme runs them at two additional moments:
- Before new high-risk processing begins: a new product feature collecting fresh data categories, a new AI or profiling system, large-scale processing of children's data, or onboarding a processor with deep data access.
- After material changes: a new purpose for existing data, a cross-border transfer to a new destination, or a merger that combines datasets.
Running the assessment before the processing starts is the entire point. A DPIA performed after launch is documentation; a DPIA performed before launch is risk management.
The 7-Step DPIA Process
There is no prescribed DPDP template, so the Board will judge substance over format. This sequence satisfies both Rule 13 and GDPR-grade expectations:
1. Scope the processing. Describe the activity, the data categories, the Data Principals affected, the systems involved, and every processor in the chain. If you maintain a data inventory, start from it; if you do not, this step builds the first slice of one.
2. Establish purpose and lawful basis. Map the processing to consent or a legitimate use under Section 7, and confirm the purpose matches what your notice actually told Data Principals.
3. Test necessity and proportionality. Could the purpose be achieved with less data, shorter retention, or fewer recipients? Document the answer honestly. This is the step auditors read first.
4. Identify risks to Data Principals. Think in harms, not controls: unauthorised access, function creep, discriminatory outcomes from automated decisions, inability to exercise rights, re-identification. Score each for likelihood and severity.
5. Define mitigations. For each material risk, record the control, the owner, and the deadline. Map controls to your existing framework so one piece of evidence serves both your DPIA and your ISO 27001 audit.
6. Review the algorithms. For each algorithmic system touching personal data, document what it decides, what data feeds it, and how you verified it does not harm Data Principal rights. This is the DPDP-specific step most GDPR templates miss.
7. Sign off, report, and schedule the next one. Senior accountability matters: the DPO (for SDFs) should own the conclusion. Extract the significant observations for Board reporting, and put the next DPIA on the calendar before this one closes.
The most common failure mode is treating step 5 as the finish line. Under Rule 13 the cycle repeats every 12 months, and the next assessment will be compared against this one. Mitigations that stayed open across two annual DPIAs are exactly the kind of significant observation that ends up in front of the Board.
What the Assessment Should Cover
A defensible DPIA file contains, at minimum:
- A plain-language description of the processing and its purpose
- The data categories, sources, recipients, retention periods, and cross-border destinations
- The lawful basis and a copy of the relevant notice
- The risk assessment with scoring rationale
- Mitigations with owners, deadlines, and current status
- The algorithmic verification record
- Sign-off, date, and the scheduled date of the next assessment
Where Vratex Fits
A DPIA is only as good as the inventory and controls evidence behind it. Vratex gives you the risk register and audit trail to run the assessment from live data instead of a one-time questionnaire, and to show the Board a working programme rather than a PDF.
What is the full form of DPIA?
DPIA stands for Data Protection Impact Assessment: a structured, documented review of the privacy risks a processing activity creates for the individuals whose personal data is involved.
Is a DPIA mandatory under the DPDP Act?
It is mandatory for Significant Data Fiduciaries, which must conduct a DPIA at least once every twelve months under Section 10(2)(c) of the DPDP Act and Rule 13 of the DPDP Rules 2025. For other Data Fiduciaries it is voluntary but strongly advisable for high-risk processing.
How often must a DPIA be conducted in India?
At least once every 12 months for Significant Data Fiduciaries. Good practice adds a DPIA before any new high-risk processing activity and after material changes to existing processing.
What is the penalty for not conducting a DPIA?
Failing to meet Significant Data Fiduciary obligations under Section 10, which include the DPIA duty, attracts a penalty of up to ₹150 crore per the Schedule of the DPDP Act.
Can we reuse our GDPR DPIA for DPDP compliance?
Partially. The risk methodology transfers, but DPDP adds an annual cadence, reporting of significant observations to the Data Protection Board, and an explicit algorithmic software verification step that most GDPR templates do not include.
What is the difference between a DPIA and a data audit under the DPDP Act?
Both are annual SDF obligations under Rule 13, but they answer different questions. The DPIA assesses risks to Data Principals from your processing; the audit, performed by an independent data auditor, evaluates your compliance with the Act itself.
Legal Disclaimer: This article is for informational purposes only and does not constitute legal advice. Laws and regulations may change; for advice specific to your organisation's situation, consult a qualified legal professional. While every effort has been made to ensure accuracy, Vratex makes no representations as to the completeness or currency of the information contained herein.