DPIA Under DPDP Act India — When Is It Mandatory? Complete Guide for Significant Data Fiduciaries 2026

India’s DPDP Act 2023 introduces Data Protection Impact Assessments (DPIAs) as a mandatory compliance obligation — but only for a specific category of organisations. Understanding who is required to conduct DPIAs, what they must cover, how often they must be done, and how they compare to GDPR’s DPIA framework is essential for organisations planning their DPDP compliance programme ahead of the May 13, 2027 enforcement deadline.

This guide covers the complete DPIA framework under the DPDP Act: the statutory basis in Section 10, Rule 12 of the DPDP Rules 2025, who qualifies as a Significant Data Fiduciary (SDF), what the annual 12-month DPIA cycle requires, and why non-SDF organisations should consider voluntary DPIAs for high-risk processing.

1. The Legal Basis for DPIA: Section 10 and Rule 12

Section 10(2)(c) of the DPDP Act 2023 establishes the DPIA obligation for Significant Data Fiduciaries:

“Every Significant Data Fiduciary shall, in relation to its personal data processing activities, undertake periodic Data Protection Impact Assessment, comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals.”

Rule 12 of the DPDP Rules 2025 operationalises this by specifying that SDFs must conduct a DPIA and data protection audit once every twelve months from the date of their SDF notification. The DPIA and audit findings, including any “significant observations,” must be reported to the Data Protection Board of India (DPBI).

2. Who Must Conduct a DPIA: Significant Data Fiduciaries

The mandatory DPIA obligation applies exclusively to organisations designated as Significant Data Fiduciaries (SDFs) by the Central Government under Section 10(1). This is a critical distinction from GDPR’s DPIA framework — under GDPR, any controller conducting high-risk processing must conduct a DPIA. Under the DPDP Act, the obligation is triggered by formal government designation, not by processing characteristics alone.

SDF Designation Criteria

Section 10(1) specifies that the Central Government may designate an SDF “having regard to” the following factors:

  • Volume and sensitivity of personal data processed — large-scale processing of sensitive categories (health, financial, biometric) increases SDF risk
  • Risk of harm to Data Principals — processing that could cause identity theft, financial loss, discrimination, or reputational damage
  • Potential impact on sovereignty and integrity of India — data that could be leveraged by foreign actors
  • Risk to electoral democracy — voter data, political profiling, or election-adjacent processing
  • Security of the State and public order — critical infrastructure and law enforcement-adjacent processing
  • Other factors as the government considers necessary — a broad residual category

Likely SDF Candidates

While the formal SDF notification list has not been published as of mid-2026, regulatory guidance and the Act’s stated criteria point to the following categories of organisations as likely SDF designees:

Sector | Why Likely SDF
Large fintech and payment platforms | High-volume financial data; transaction profiling; cross-border data flows
Healthcare aggregators and insurers | Sensitive health data at scale; profiling and claims analytics
Telecom operators | Location data; communication metadata; national security relevance
Large e-commerce marketplaces | Behavioural profiling; payment data; supply chain data at scale
Credit information companies | Financial health data for India’s entire creditworthy population
Biometric authentication providers (UIDAI ecosystem) | Aadhaar-linked biometric data at national scale
Election technology companies | Voter data, political analytics, electoral risk
Social media and content platforms | Behavioural data, profiling, minors’ data, public order implications

A Data Fiduciary that is not formally notified as an SDF is not required to conduct a DPIA under the DPDP Act — even if it processes large volumes of sensitive data. This is a deliberate policy design choice: SDF designation is a government act, not a self-assessment.

3. The 12-Month DPIA Cycle for SDFs

Rule 12 establishes a continuous annual DPIA cycle for SDFs, not a one-time certification exercise. The clock starts from the date of SDF notification. This means:

  • The first DPIA must be completed within 12 months of the SDF notification date
  • Subsequent DPIAs must be completed annually
  • An independent data audit runs concurrently with each DPIA
  • Significant observations from both the DPIA and audit must be reported to the DPBI

SDFs that are formally notified before the May 2027 general enforcement deadline will begin their 12-month DPIA cycle from their individual notification date — which may be earlier than the general enforcement date. Organisations that expect to be designated as SDFs should design their DPIA programme now, so it can be operationalised rapidly upon notification.

4. What the DPDP Act DPIA Must Cover

Section 10(2)(c) defines the scope of a DPDP Act DPIA with two required components:

Component 1: Description of Data Principal Rights and Processing Purpose

The DPIA must document, for each processing activity: what personal data is processed, for what purpose, on what legal basis (consent or legitimate use), what rights Data Principals have in relation to this specific processing, and how those rights can be exercised. This is a more Data Principal-centric framing than GDPR’s DPIA requirements, which focus more on controller necessity and proportionality.

Component 2: Assessment and Management of Risk

The DPIA must assess the risks to Data Principals’ rights arising from the processing, and document how those risks are managed. For each identified risk, the DPIA should capture: the nature of the risk (breach, profiling, discrimination, financial harm, reputational harm), the likelihood and severity, the mitigating controls in place, any residual risk after controls, and proposed additional mitigations for unacceptable residual risks.

5. The Independent Data Audit

Running alongside the annual DPIA, Rule 12 requires SDFs to engage an independent Data Auditor to evaluate the organisation’s compliance with the DPDP Act and Rules. The Data Auditor must be external and independent — an internal audit team does not satisfy this requirement.

The auditor’s mandate includes reviewing whether:

  • Data processing activities are conducted in accordance with the purposes notified to Data Principals
  • Consent and notice mechanisms comply with Rule 3 of the DPDP Rules 2025
  • Security safeguards meet Rule 6 requirements
  • Data Processor agreements comply with Section 8(2)
  • Data Principal rights mechanisms are operational and effective
  • Breach detection and notification procedures meet Section 8(6) and Rule 7 requirements
  • Previous DPIA findings have been remediated as planned

Significant observations from the audit — findings that represent material compliance gaps or risks — must be reported to the DPBI. This creates a direct regulatory audit trail from independent auditor findings to the Board.

6. DPDP Act DPIA vs. GDPR Article 35 — Key Differences

Dimension | DPDP Act Rule 12 | GDPR Article 35
Who must conduct | Significant Data Fiduciaries only (government-designated) | Any controller with high-risk processing
Trigger | Government SDF notification | Risk-based self-assessment by controller
Frequency | Every 12 months (fixed cycle) | Prior to new high-risk processing; updated if processing changes
Independent audit required | Yes — by independent Data Auditor | No mandatory independent audit (but DPO must be consulted)
Regulator involvement | Report significant observations to DPBI | Prior consultation with supervisory authority if residual high risk
Scope definition | Defined by Section 10(2)(c) — rights description + risk assessment | Defined by Article 35(7) — systematic description, necessity/proportionality, risk assessment, safeguards
Enforceability | May 13, 2027 (full enforcement) | Currently enforceable

7. Voluntary DPIAs for Non-SDF Organisations

While the DPDP Act only mandates DPIAs for SDFs, voluntary DPIAs are strongly recommended for any organisation conducting high-risk processing — even if not designated as an SDF. Processing activities that warrant voluntary DPIA include:

  • AI and automated decision-making — credit scoring, loan approval, fraud detection, recruitment screening using AI models that make decisions affecting individuals without meaningful human review
  • Large-scale biometric processing — fingerprint or facial recognition for employee attendance, customer identity verification, or access control at scale
  • Children’s data processing — the DPDP Act has strict provisions on children’s data under Section 9; any processing of data attributable to minors warrants DPIA-level scrutiny
  • Profiling and behavioural analytics — large-scale tracking and profiling of Data Principals for targeted advertising, credit assessment, or behavioural scoring
  • Cross-border data transfers — processing where personal data flows to countries with different protection standards
  • New technologies with uncertain privacy impact — blockchain, IoT, generative AI applications that process personal data

A voluntary DPIA serves multiple purposes beyond the DPDP Act: it is a standard requirement for ISO 27001:2022 Annex A control 5.34 (privacy impact assessment), a best practice element of SOC 2 privacy criteria, and demonstrates good faith to regulators in the event of a DPBI inquiry or complaint. For MYITMANAGER clients across cybersecurity, compliance, and data protection services, we recommend DPIA as a baseline practice for any new data product or processing system.

8. Practical DPIA Methodology for the DPDP Act

  1. Define scope: Identify which processing activities or systems are in scope for this DPIA cycle. For SDFs, this is typically all high-risk processing systems. For voluntary DPIAs, it is the specific processing activity that triggered the assessment.
  2. Describe Data Principal rights and processing purpose: For each in-scope processing activity, document the data categories, purpose, legal basis, Data Principal rights, and how those rights are exercised. This is the Section 10(2)(c) statutory requirement.
  3. Identify and assess risks: For each processing activity, identify risks to Data Principals — unauthorised access, inaccurate profiling, discriminatory outcomes, breach and identity theft. Score each risk by likelihood and severity. Use a risk matrix to prioritise.
  4. Evaluate existing safeguards: Assess the adequacy of existing controls — encryption, access control, data minimisation, consent mechanisms, DPAs, incident response. Identify gaps where residual risk remains unacceptably high.
  5. Propose mitigations: For each gap, propose specific technical or organisational mitigations. Assign owners, timelines, and success metrics. Document the expected residual risk after each mitigation is implemented.
  6. Report to DPBI: Compile findings into a DPIA report. Report significant observations to the Data Protection Board as required by Rule 12. Retain the full DPIA report as evidence of compliance.
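
The six steps above can be carried as a single risk register. The following is an added worked example (not code from the original guide or from MYITMANAGER) that implements steps 2 to 6 for a small, constructed set of processing activities: inherent risk is scored as likelihood × severity on assumed 1–5 scales, a risk matrix bands the score, residual risk is recomputed after existing controls and again after proposed mitigations, and the entries whose current residual band is High or Critical are pulled out as the "significant observations" a Rule 12 report would carry. The scales, the band thresholds, the reporting threshold and the sample activities are all assumptions for illustration; the Act and Rules do not prescribe a scoring scheme.

```python
"""DPIA risk register for the Section 8 methodology (added example, not the guide's own code).

Assumptions (not statutory): 1-5 likelihood and severity scales, a 1-25 risk matrix banded
as Low/Medium/High/Critical, and "significant observation" = current residual band of High
or Critical. Sample activities are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed risk-matrix bands over the 1-25 product score (assumption).
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical")]
SIGNIFICANT_BANDS = {"High", "Critical"}          # assumed DPBI reporting threshold
LEGAL_BASES = {"consent", "legitimate use"}       # the two bases the guide names


def band(score: int) -> str:
    """Map a likelihood x severity product onto a matrix band."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score out of matrix range: {score}")


def clamp(v: int) -> int:
    """Keep a reduced likelihood or severity on the 1-5 scale."""
    return max(1, min(5, v))


@dataclass
class Mitigation:
    description: str
    owner: str
    due: str                    # ISO date, constructed
    likelihood_delta: int = 0   # how far the control lowers likelihood
    severity_delta: int = 0     # how far the control lowers severity


@dataclass
class Risk:
    activity: str                       # step 1: in-scope processing activity
    data_categories: List[str]          # step 2: what is processed
    purpose: str                        # step 2: why
    legal_basis: str                    # step 2: consent or legitimate use
    rights_channel: str                 # step 2: how Data Principals exercise rights
    nature: str                         # step 3: breach, profiling, discrimination, ...
    likelihood: int                     # step 3: inherent, 1-5
    severity: int                       # step 3: inherent, 1-5
    existing_controls: List[str] = field(default_factory=list)  # step 4
    control_likelihood_delta: int = 0
    control_severity_delta: int = 0
    proposed: List[Mitigation] = field(default_factory=list)    # step 5

    def __post_init__(self) -> None:
        if self.legal_basis not in LEGAL_BASES:
            raise ValueError(f"unknown legal basis: {self.legal_basis}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError("likelihood and severity must be on the 1-5 scale")

    def inherent(self) -> int:
        return self.likelihood * self.severity

    def residual_current(self) -> int:
        """Residual risk with existing controls only (step 4)."""
        return (clamp(self.likelihood - self.control_likelihood_delta)
                * clamp(self.severity - self.control_severity_delta))

    def residual_planned(self) -> int:
        """Expected residual risk once proposed mitigations land (step 5)."""
        like = self.likelihood - self.control_likelihood_delta - sum(m.likelihood_delta for m in self.proposed)
        sev = self.severity - self.control_severity_delta - sum(m.severity_delta for m in self.proposed)
        return clamp(like) * clamp(sev)


def prioritised(register: List[Risk]) -> List[Risk]:
    """Step 3: order the register by current residual score, highest first."""
    return sorted(register, key=lambda r: r.residual_current(), reverse=True)


def significant_observations(register: List[Risk]) -> List[Risk]:
    """Step 6: entries whose current residual band crosses the reporting threshold."""
    return [r for r in register if band(r.residual_current()) in SIGNIFICANT_BANDS]


def build_report(register: List[Risk]) -> Dict:
    """Step 6: the DPIA report body, with the DPBI-reportable subset called out."""
    rows = [{"activity": r.activity, "nature": r.nature, "legal_basis": r.legal_basis,
             "inherent": band(r.inherent()), "residual_current": band(r.residual_current()),
             "residual_planned": band(r.residual_planned()),
             "report_to_dpbi": band(r.residual_current()) in SIGNIFICANT_BANDS}
            for r in prioritised(register)]
    return {"entries": rows, "significant_observations": [r.activity for r in significant_observations(register)]}


def sample_register() -> List[Risk]:
    """Constructed sample activities; numbers are illustrative, not measured."""
    return [
        Risk("Automated credit scoring", ["financial", "employment"], "loan eligibility", "consent",
             "web portal / grievance officer", "discriminatory outcomes", likelihood=4, severity=4,
             existing_controls=["human review of declines"], control_likelihood_delta=1,
             proposed=[Mitigation("bias testing per model release", "Head of Risk", "2026-09-30", 1, 1)]),
        Risk("Biometric attendance", ["biometric"], "employee attendance", "legitimate use",
             "HR service desk", "breach and identity theft", likelihood=3, severity=5,
             existing_controls=["templates stored as salted hashes"], control_severity_delta=2,
             proposed=[Mitigation("delete templates on exit", "HR Ops", "2026-08-31", 1, 0)]),
        Risk("Support ticket archive", ["contact details"], "customer support", "consent",
             "in-app request form", "unauthorised access", likelihood=2, severity=3,
             existing_controls=["encryption at rest", "role-based access"], control_likelihood_delta=1),
    ]


if __name__ == "__main__":
    for row in build_report(sample_register())["entries"]:
        print(row)
```

In use, the register is the artefact retained as evidence under step 6; only the `significant_observations` list is what Rule 12 requires to reach the Board, and the `residual_planned` column is what the next 12-month cycle checks against (step 7 of the audit mandate above, "previous DPIA findings have been remediated as planned").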

Need a DPIA Programme Built for DPDP Act Compliance?

MYITMANAGER designs and delivers DPIA programmes aligned to the DPDP Act, GDPR Article 35, and ISO 27001:2022. Our founder holds CISM and CIPP/E certifications and has led privacy assessments for India’s largest consumer platforms. We also provide independent Data Auditor services for Significant Data Fiduciaries.


Frequently Asked Questions: DPIA Under DPDP Act India

Is a DPIA mandatory under the DPDP Act?

Mandatory only for Significant Data Fiduciaries (SDFs) designated by the Central Government under Section 10(1), required annually under Rule 12. Non-SDF organisations are not legally required to conduct DPIAs, but voluntary DPIAs are strongly recommended for high-risk processing.

How often must SDFs conduct DPIAs?

Once every twelve months from the date of SDF notification, under Rule 12 of the DPDP Rules 2025. An independent data protection audit runs concurrently. Significant observations from both must be reported to the DPBI.

Who qualifies as a Significant Data Fiduciary?

An organisation formally designated by the Central Government under Section 10(1) based on the volume and sensitivity of data processed, risk of harm, and national security considerations. As of mid-2026, no SDF list has been published. Designation is a government act — not self-assessed.

What is an independent Data Auditor under the DPDP Act?

An independent external auditor required by Rule 12 to evaluate an SDF’s compliance with the DPDP Act and Rules. Must be independent — not an internal team. The auditor’s significant findings must be reported to the DPBI alongside the DPIA report.

How does DPDP Act DPIA differ from GDPR Article 35?

Key differences: GDPR DPIA is risk-triggered (any high-risk processing); DPDP Act DPIA is designation-triggered (only SDFs). GDPR has no fixed annual cycle; DPDP Act requires DPIAs every 12 months. GDPR requires DPO consultation; DPDP Act requires an independent external Data Auditor. Both require risk assessment and documentation, but the DPDP Act specifically requires reporting significant observations to the DPBI.

