Data Protection Impact Assessment (DPIA) Under DPDP Act: Complete Implementation Guide with Templates
By Arpit Garg | DPDP | 2025-06-28
Practical guide to conducting DPIAs for Indian businesses. Includes when DPIAs are required, step-by-step methodology, risk assessment frameworks, templates, and real examples from our consulting practice. Budget ₹50,000 - ₹3 lakhs per assessment.
## TL;DR Summary
Data Protection Impact Assessments (DPIAs) help you identify and mitigate privacy risks before they become violations. Under the DPDP Act, DPIAs are mandatory for high-risk processing. We've conducted 40+ DPIAs and share our proven methodology: a 6-phase process taking 2-6 weeks, costing ₹50,000 to ₹3 lakhs depending on complexity.
---
## About the Author
**Arpit Garg**
*Founder & Chief Privacy Officer, Complynz*
Arpit has led 40+ DPIAs across sectors including fintech, healthcare, e-commerce, and EdTech. His DPIA framework has been adopted by multiple organizations as their standard assessment methodology. Connect on [LinkedIn](https://linkedin.com/in/arpitgarg).
*This guide reflects our hands-on DPIA experience. AI assisted with organization; all methodologies and examples are from actual assessments.*
---
## What Is a Data Protection Impact Assessment (DPIA)?
A DPIA is a systematic process to identify, assess, and mitigate privacy risks associated with data processing activities. Think of it as a "privacy risk review" before you launch a new product, system, or data practice.
### Key Objectives of a DPIA
1. **Identify Risks:** What could go wrong for data subjects?
2. **Assess Impact:** How severe would the consequences be?
3. **Determine Likelihood:** How probable is each risk?
4. **Plan Mitigations:** What controls reduce the risk?
5. **Document Decisions:** Create an audit trail for regulators
---
## When Is a DPIA Required Under the DPDP Act?
### Mandatory DPIA Scenarios
Based on the DPDP Act and our interpretation of global best practices:
| Scenario | Why DPIA Required |
|----------|-------------------|
| New technology (AI/ML) | Unforeseen privacy implications |
| Large-scale processing | Significant impact if something goes wrong |
| Systematic monitoring | Potential for surveillance effects |
| Sensitive data processing | Higher harm potential |
| Automated decision-making | Risk of unfair outcomes |
| Children's data | Enhanced protection requirements |
| Cross-border transfers | Additional jurisdictional risks |
### Our Recommendation: DPIA Trigger Checklist
We use this checklist with clients—if 2+ boxes are checked, conduct a DPIA:
- [ ] Processing sensitive personal data (health, financial, biometric)
- [ ] Processing data of 10,000+ individuals
- [ ] Using new technology or AI/ML systems
- [ ] Systematic monitoring of public areas
- [ ] Making automated decisions affecting individuals
- [ ] Combining datasets from multiple sources
- [ ] Processing children's data
- [ ] Sharing data with third parties at scale
- [ ] Processing that could limit individual rights
---
## Our 6-Phase DPIA Methodology
After 40+ DPIAs, we've refined this process:
### Phase 1: Scoping (3-5 days)
**Objective:** Define what you're assessing
**Key Activities:**
- Document the processing activity in detail
- Identify stakeholders and schedule interviews
- Gather existing documentation (system designs, policies)
- Define DPIA boundaries
**Deliverable:** DPIA Scope Document
**Template: Processing Description**
| Element | Description |
|---------|-------------|
| Processing Name | [e.g., Customer Loyalty Program] |
| Business Owner | [Name, Role] |
| Data Controller | [Legal entity name] |
| Purpose | [Specific, defined purposes] |
| Data Categories | [Types of personal data] |
| Data Subjects | [Who the data is about] |
| Volume | [Approximate number of records] |
| Technology | [Systems involved] |
| Third Parties | [Vendors, partners involved] |
---
### Phase 2: Data Flow Mapping (2-3 days)
**Objective:** Understand how data moves through the system
**Key Activities:**
- Document data collection points
- Map storage locations
- Trace processing steps
- Identify sharing/transfers
- Note retention and deletion
**Data Flow Diagram Should Show:**
1. **Sources:** Where does data come from?
2. **Storage:** Where is it kept?
3. **Processing:** What happens to it?
4. **Sharing:** Who else receives it?
5. **Deletion:** How is it removed?
**From Our Experience:**
Data flows are often more complex than business owners realize. We typically find 2-3 additional data touchpoints that weren't initially identified.
---
### Phase 3: Risk Identification (3-5 days)
**Objective:** Identify what could go wrong
**Risk Categories We Assess:**
| Category | Example Risks |
|----------|---------------|
| Confidentiality | Unauthorized access, data breach |
| Integrity | Data corruption, unauthorized modification |
| Availability | System downtime, data loss |
| Purpose Limitation | Function creep, unauthorized use |
| Data Minimization | Collecting more than needed |
| Accuracy | Outdated or incorrect data |
| Storage Limitation | Keeping data too long |
| Rights | Inability to respond to requests |
| Consent | Invalid or unclear consent |
**Our Risk Identification Technique:**
For each processing step, ask:
- What if this data is accessed by unauthorized people?
- What if this data is incorrect or incomplete?
- What if this processing is done without proper consent?
- What if this data is kept longer than necessary?
- What if the data subject can't exercise their rights?
---
### Phase 4: Risk Assessment (2-3 days)
**Objective:** Evaluate severity and likelihood of each risk
**Our Risk Scoring Matrix:**
| Severity \ Likelihood | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| **High Severity (3)** | Medium (3) | High (6) | Critical (9) |
| **Medium Severity (2)** | Low (2) | Medium (4) | High (6) |
| **Low Severity (1)** | Low (1) | Low (2) | Medium (3) |
**Severity Factors:**
- Number of affected individuals
- Sensitivity of data involved
- Potential harm (financial, reputational, physical)
- Vulnerability of data subjects (children, elderly)
- Reversibility of harm
**Likelihood Factors:**
- Existing controls in place
- Past incident history
- Attack attractiveness
- Complexity of processing
- Third-party involvement
---
### Phase 5: Mitigation Planning (3-5 days)
**Objective:** Define controls to reduce unacceptable risks
**Mitigation Hierarchy:**
1. **Avoid:** Don't process this data at all
2. **Minimize:** Reduce data collected or retained
3. **Secure:** Implement technical controls
4. **Procedural:** Establish policies and training
5. **Accept:** Acknowledge residual risk with justification
**Sample Mitigation Table:**
| Risk | Score | Mitigation | Residual Score |
|------|-------|------------|----------------|
| Unauthorized access | 6 (High) | Implement MFA, access logging | 2 (Low) |
| Excessive retention | 4 (Medium) | Automated deletion after 2 years | 1 (Low) |
| Consent validity | 6 (High) | Granular consent UI, audit trail | 2 (Low) |
**From Our Experience:**
80% of high risks can be reduced to low/medium with standard controls. The remaining 20% require creative solutions or business process changes.
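As an added example (not from the original guide), the following Python turns the 3×3 scoring matrix of Phase 4 and the sample mitigation table above into a small risk register and flags the entries that would block sign-off in Phase 6. The acceptance threshold (residual score of 4 or lower, i.e. Medium or below, accepted without written justification) and the unmitigated cross-border transfer row are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Bands exactly as in the 3x3 matrix above; score = severity x likelihood
BANDS = {1: "Low", 2: "Low", 3: "Medium", 4: "Medium", 6: "High", 9: "Critical"}

@dataclass
class Risk:
    name: str
    severity: int                            # 1 (low) .. 3 (high)
    likelihood: int                          # 1 (low) .. 3 (high)
    mitigation: str = ""
    residual_severity: Optional[int] = None  # re-scored after mitigation
    residual_likelihood: Optional[int] = None
    justification: str = ""                  # required when residual risk is accepted

    @property
    def score(self) -> int:
        return self.severity * self.likelihood

    @property
    def residual_score(self) -> int:
        if self.residual_severity is None or self.residual_likelihood is None:
            return self.score                # unmitigated: residual equals inherent
        return self.residual_severity * self.residual_likelihood

def review_register(risks: List[Risk], accept_threshold: int = 4) -> List[str]:
    """Findings that block Phase 6 sign-off: a 'mitigation' that does not lower the
    score, or a residual above the threshold with no documented acceptance."""
    findings = []
    for r in risks:
        if r.residual_score > r.score:
            findings.append(f"{r.name}: residual {r.residual_score} exceeds inherent {r.score}")
        elif r.residual_score > accept_threshold and not r.justification:
            findings.append(f"{r.name}: residual {BANDS[r.residual_score]} "
                            f"({r.residual_score}) needs more controls or a written acceptance")
    return findings

# Constructed register: the three rows of the sample mitigation table above plus a
# cross-border transfer risk (assumed High severity, Medium likelihood) not yet mitigated.
SAMPLE_REGISTER = [
    Risk("Unauthorized access", 3, 2, "MFA, access logging", 2, 1),
    Risk("Excessive retention", 2, 2, "Automated deletion after 2 years", 1, 1),
    Risk("Consent validity", 3, 2, "Granular consent UI, audit trail", 2, 1),
    Risk("Cross-border transfer", 3, 2),
]
```

Running `review_register(SAMPLE_REGISTER)` reports only the cross-border row, which is exactly the item the approvers in Phase 6 would need to see either mitigated or explicitly accepted.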
---
### Phase 6: Documentation & Approval (2-3 days)
**Objective:** Create an audit-ready record and obtain sign-off
**DPIA Report Structure:**
1. Executive Summary
2. Processing Description
3. Data Flow Diagram
4. Legal Basis Analysis
5. Risk Assessment Results
6. Mitigation Measures
7. Residual Risk Statement
8. Conclusion and Recommendation
9. Approval Signatures
**Approval Required From:**
- Business Owner
- DPO or Privacy Lead
- IT Security (for technical mitigations)
- Legal (for regulatory interpretation)
---
## What Does a DPIA Cost?
### Our Pricing Guide
| Complexity | Timeline | Cost Range |
|------------|----------|------------|
| Simple (single system, standard data) | 2 weeks | ₹50,000 - 1 lakh |
| Medium (multiple systems, some sensitive data) | 3-4 weeks | ₹1 - 2 lakhs |
| Complex (AI/ML, multiple third parties, sensitive data) | 4-6 weeks | ₹2 - 3 lakhs |
| Enterprise (multi-country, regulatory scrutiny) | 6-8 weeks | ₹3 - 5 lakhs |
### DIY vs. External DPIA
| Approach | Pros | Cons |
|----------|------|------|
| Internal Team | Lower cost, institutional knowledge | May lack expertise, objectivity concerns |
| External Consultant | Fresh perspective, specialized expertise | Higher cost, learning curve |
| Hybrid | Combines benefits | Coordination needed |
**Our Recommendation:**
- First 2-3 DPIAs: Use external support to build capability
- Ongoing: Internal team with external review for high-risk assessments
---
## Real DPIA Example: AI-Powered Customer Service Chatbot
**Client:** Mid-sized e-commerce company
**Project:** AI chatbot for customer support
### Processing Description
- Chatbot collects customer queries and account information
- Uses GPT-based AI to generate responses
- Logs all conversations for quality improvement
- Shares data with AI provider (overseas)
### Key Risks Identified
1. AI hallucination providing incorrect information (Medium)
2. Conversation logs containing sensitive personal details (High)
3. Cross-border transfer to AI provider (High)
4. Automated decisions affecting customer outcomes (Medium)
### Mitigations Implemented
- Human review for escalated queries
- PII masking before sending to AI provider
- Data Processing Agreement with AI vendor
- Clear disclosure that chatbot is AI-powered
- Easy opt-out to human support
### Outcome
DPIA approved with mitigations. Residual risk: Low-Medium.
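As an added illustration of the "PII masking before sending to AI provider" mitigation (example code written for this guide, not the client's implementation), this Python replaces identifiers in a transcript with stable tokens and keeps the token-to-value mapping on the controller's side, so the cross-border transfer carries tokens rather than personal data. The regex patterns and the sample transcript are constructed and deliberately simple.

```python
import re
from typing import Dict, Tuple

# Constructed, illustrative patterns (not exhaustive): e-mail addresses, 10-digit Indian
# mobile numbers with optional +91, and 12-digit account/ID numbers. Order matters:
# PHONE runs before ID so "+91 9876543210" is not swallowed as a 12-digit ID.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"(?<!\d)(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)"),
    "ID": re.compile(r"(?<!\d)\d{12}(?!\d)"),
}

def mask_pii(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each PII value with a stable token such as <EMAIL_1>.

    Returns (masked_text, vault). Only masked_text goes to the AI provider; the
    vault (token -> original value) stays with the controller, so the overseas
    transfer carries tokens, not personal data. Repeated values reuse their token
    so the model still sees that two mentions refer to the same customer."""
    vault: Dict[str, str] = {}
    seen: Dict[str, str] = {}            # original value -> token
    counters: Dict[str, int] = {}        # per-kind token numbering

    def make_sub(kind: str):
        def _sub(match) -> str:
            value = match.group(0)
            if value not in seen:
                counters[kind] = counters.get(kind, 0) + 1
                token = f"<{kind}_{counters[kind]}>"
                seen[value] = token
                vault[token] = value
            return seen[value]
        return _sub

    masked = text
    for kind, pattern in PATTERNS.items():
        masked = pattern.sub(make_sub(kind), masked)
    return masked, vault

def unmask(text: str, vault: Dict[str, str]) -> str:
    """Restore original values for a human agent handling an escalated query."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text

# Constructed sample transcript line
SAMPLE = ("Hi, this is priya@example.com, call me on +91 9876543210 or "
          "+91 9876543210; my account number is 123456789012.")
```

Pattern-based masking only catches the identifier formats you anticipated, so the residual risk for free-text fields stays on the register rather than being scored away; the human-review path uses `unmask` with the locally held vault.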
---
## Common DPIA Mistakes We See
### Mistake 1: Doing DPIA After Launch
**Problem:** A DPIA is meant to be prospective, not retrospective
**Fix:** Integrate DPIA into project approval process
### Mistake 2: Checkbox Exercise
**Problem:** Generic risk lists without real analysis
**Fix:** Deep-dive interviews with actual system users
### Mistake 3: No Follow-Through
**Problem:** Mitigations identified but never implemented
**Fix:** Track mitigations like project deliverables
### Mistake 4: One-Time Assessment
**Problem:** Processing changes but DPIA stays static
**Fix:** Review DPIAs annually or when significant changes occur
---
## Frequently Asked Questions
### Do we need a DPIA for existing systems?
If the existing processing is high-risk, yes. Prioritize by risk level. New systems always require a prospective DPIA.
### Who should conduct the DPIA?
The DPO leads, with input from business owners, IT, and legal. Bring in external support for complex assessments.
### How long are DPIAs valid?
Until processing changes significantly. We recommend annual review at minimum.
### What if DPIA identifies unacceptable risk?
Three options: modify processing to reduce risk, implement additional controls, or don't proceed.
### Can we use DPIA templates?
Yes, but customize to your processing. Generic templates miss specific risks.
---
## Conclusion
DPIAs are your best defense against privacy surprises. They force systematic thinking about risks before they become violations or breaches.
**Key Takeaways:**
1. Conduct DPIAs prospectively, before launch
2. Involve all stakeholders, not just IT
3. Focus on real risks, not checkbox compliance
4. Document thoroughly for audit defense
5. Follow through on mitigations
---
## Sources & References
1. Digital Personal Data Protection Act, 2023 - MeitY
2. EDPB Guidelines on DPIA (for methodology principles)
3. ISO 27701 Privacy Impact Assessment guidance
4. Our internal DPIA data (40+ assessments, 2020-2026)
---
*Last Updated: February 2026*