By Reina Legal
19th December, 2019
The PDPB, 2019 provides for a Data Protection Impact Assessment.
When to undertake a data protection impact assessment?
Where the significant data fiduciary intends to undertake any processing involving new technologies or large-scale profiling or use of sensitive personal data or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment.
Factors for determining whether a data fiduciary is a significant data fiduciary:
- volume of personal data processed;
- sensitivity of personal data processed;
- turnover of the data fiduciary;
- risk of harm by processing by the data fiduciary;
- use of new technologies for processing; and
- any other factor causing harm from such processing.
A data protection impact assessment shall contain:
- detailed description of the proposed processing operation;
- the purpose of processing;
- the nature of personal data being processed;
- assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
- measures for managing, minimising, mitigating or removing such risk of harm.
Penalty – A significant data fiduciary that contravenes the obligation to undertake a data protection impact assessment shall be liable to a penalty which may extend to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.