Data Protection Impact Assessment (DPIA)

By Reina Legal

19th December, 2019

The Personal Data Protection Bill, 2019 (PDPB, 2019) provides for a Data Protection Impact Assessment as an obligation of significant data fiduciaries.

When must a data protection impact assessment be undertaken?

Where a significant data fiduciary intends to undertake any processing:

  • involving new technologies;
  • involving large-scale profiling;
  • involving the use of sensitive personal data; or
  • any other processing which carries a risk of significant harm to data principals,

such processing shall not be commenced unless the data fiduciary has first undertaken a data protection impact assessment.

Factors for determining whether a data fiduciary is a significant data fiduciary, namely:

  • volume of personal data processed;
  • sensitivity of personal data processed;
  • turnover of the data fiduciary;
  • risk of harm by processing by the data fiduciary;
  • use of new technologies for processing; and
  • any other factor causing harm from such processing.

A data protection impact assessment shall contain:

  • detailed description of the proposed processing operation;
  • the purpose of processing;
  • the nature of personal data being processed;
  • assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
  • measures for managing, minimising, mitigating or removing such risk of harm.

Penalty – A significant data fiduciary that contravenes the obligation to undertake a data protection impact assessment shall be liable to a penalty which may extend to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.