Daily Breach

Cyber Weekly Editorial

Data Protection Impact Assessment Under GDPR and DPDP Act

Introduction

With the rapid growth of technology, the sensitive data of individuals and organisations has become more exposed to attack and misuse, causing financial and reputational harm. In a world where “data is becoming a new currency”1, the protection of such data is both necessary and mandatory. A Data Protection Impact Assessment (DPIA) is a process by which organisations identify, analyse and mitigate the privacy risks associated with collecting individuals’ data and with their data processing activities. It is the practical implementation of the “Privacy by Design and by Default” principle (Article 25, GDPR). The GDPR, in force since 2018, set the benchmark for data protection legislation, introducing strict requirements and penalties for non-compliance. Under the GDPR, Articles 35 and 36 make DPIAs mandatory for high-risk processing such as the handling of sensitive data. Similarly, the DPDP Act requires Significant Data Fiduciaries (SDFs) designated by the Central Government to conduct DPIAs and undergo audits, reflecting India’s move towards a risk-accountability model for data protection. The consequences of not performing a DPIA can be severe, as seen in the UK, where the Information Commissioner’s Office criticised a high school for using facial recognition technology for cashless payments without conducting a DPIA. With this growing need, DPIAs are therefore becoming a mandated practice for organisations rather than a mere compliance checklist.

Data Protection Impact Assessment

“A Data Protection Impact Assessment (DPIA) is a risk assessment process designed to identify and minimize the privacy risks associated with new or high-risk data processing activities.” A DPIA is an essential tool for evaluating and demonstrating how an organisation meets its data protection obligations. Its purpose is not to eliminate all risks but to reduce potential harm and to assess whether the remaining risk is acceptable in light of the benefits of the planned data processing.2 The DPIA fundamentally changes how organisations handle data protection, moving from a reactive, post-breach response to a proactive, preventive strategy.

Under the GDPR, which came into force in 2018, DPIAs are mandated for processing activities likely to result in higher risk, particularly where sensitive data, large-scale monitoring, or automated decision-making is involved. Articles 35 and 36 formalize this obligation and empower supervisory authorities to intervene when residual risks remain unaddressed.

India’s DPDP Act adopts a different structural approach. Instead of focusing on specific processing activities, it requires entities designated as Significant Data Fiduciaries (SDFs) by the Central Government to conduct DPIAs, undergo periodic audits, and demonstrate accountability. This shows India’s shift toward an entity-centric, risk-accountability model aligned with global privacy norms.

What a DPIA Actually Does

A DPIA does not eliminate all risk. Its objective is to systematically identify privacy threats, assess their likelihood and severity, and document mitigation measures that reduce risks to an acceptable level. In practice, a DPIA typically includes:

  • Mapping personal data flows across systems and third parties.
  • Assessing necessity and proportionality of processing.
  • Identifying risks such as unauthorised access or misuse.
  • Defining technical and organisational safeguards.
  • Establishing accountability through documentation and review.

This proactive approach marks a fundamental shift from post-incident remediation to preventive governance.

When is a DPIA Required?

Under the GDPR, a DPIA is mandatory when processing is “likely to result in a high risk to the rights and freedoms of natural persons.”3 The notion of high risk is not a single, fixed measure but involves a comprehensive evaluation of the processing’s potential impacts. The GDPR specifies three types of processing that automatically trigger the need for a DPIA:

  • “A systematic and extensive evaluation of personal aspects of individuals, based on automated processing, including profiling, that produces legal effects or similarly significant consequences.”
  • “Large scale processing of special categories of data e.g. healthcare and biometric data or of personal data relating to criminal convictions.”
  • “Systematic monitoring of a publicly accessible area on a large scale.”

Beyond the GDPR’s mandatory triggers, guidance from the ICO and the EDPB identifies further indicators of high-risk processing that may necessitate a DPIA.

By contrast, the DPDP Act mandates DPIAs for Significant Data Fiduciaries regardless of the specific processing activities, under Section 10 of the Act.4 The Act establishes the DPIA as part of a broader accountability framework applicable to SDFs, alongside requirements such as the appointment of a Data Protection Officer, independent data audits, and enhanced governance obligations. The DPIA under the DPDP rules serves as a systematic risk-governance function. Its objectives include:

  • Identifying risks to the rights of Data Principals arising from large-scale or sensitive data processing.
  • Evaluating whether processing practices align with principles such as purpose limitation, data minimization, and security safeguards.
  • Assessing organisational readiness to prevent misuse, unauthorized access, or excessive data retention.
  • Demonstrating compliance and accountability to the Data Protection Board of India.

In essence, DPIAs under DPDP are intended to evaluate organisational data practices holistically, not merely individual systems or applications.

DPIAs in Practice: Risks, Challenges, and Case Studies

Cost of Non-Compliance

The failure to carry out a DPIA is not a minor mistake; it is a significant breach with serious financial and legal consequences. Under the GDPR, failing to meet the requirements of Article 35, which mandates DPIAs, can lead to penalties of up to €10 million or 2% of a company’s global turnover for less severe infringements, and €20 million or 4% of global turnover, whichever is greater, for severe infringements. The French data protection authority, CNIL, has enforced this rule, fining various organisations, including a road haulage company fined €8,000 for non-compliance.5

The fines imposed on major corporations clearly demonstrate this cause-and-effect relationship. For instance, British Airways and Marriott International were each fined £18.4 million for security lapses that led to massive data breaches, underscoring the steep financial penalties for weak data protection practices.6 Likewise, the substantial fines against Meta (for Facebook and Instagram) for insufficient transparency and wrongful processing of children’s data, in violation of data protection by design and by default, point to the systemic issues that a DPIA is meant to address and prevent.7

Risks Associated with Non-Compliance

Failing to conduct a DPIA when required, or performing it inadequately, can expose an organisation to a range of severe risks, including the following:

  • Legal and financial penalties: “Up to €10 million or 2% of a company’s global turnover for less severe infringements, and €20 million or 4% of global turnover, whichever is greater, for severe infringements in case of GDPR non-compliance; and up to ₹250 Crore per violation in case of DPDP Act non-compliance.”
  • Reputational damage: A data breach or mishandling of personal data can lead to loss of public trust, leading to lost business, negative press and damaged brand reputation. Conducting a DPIA transparently demonstrates a commitment to privacy, helping to foster trust and mitigate risks.
  • Operational and business disruption: A DPIA helps spot and resolve privacy issues early in a project’s lifecycle. Without it, uncovering a privacy problem late in development can be extremely expensive and time-consuming to correct, potentially requiring a full system redesign, delaying the project’s launch, and wasting valuable resources.
  • Harm to Data Subjects: Data protection focuses on safeguarding people. A poorly conducted or missing DPIA can cause real harm, such as identity theft, financial loss, discrimination, emotional distress, or loss of control over personal data.

Challenges in Implementation

Organisations frequently encounter challenges such as internal resistance, limited understanding of their own data flows, and the complexity of evaluating risk in modular systems such as cloud services. Yet the DPIA proves most valuable precisely when organisations adopt emerging technologies that introduce new risks. The main implementation challenges organisations face are:

  • Ambiguity in “high risk”: Both regulations leave it to organisations to determine whether an activity is “high-risk,” which can lead either to a required DPIA being missed or to unnecessary assessments being carried out.
  • Resources and expertise: For many organisations, particularly small and medium-sized enterprises (SMEs), conducting a thorough DPIA requires significant investment in specialised talent and tools that they may not have.
  • Integration into the project lifecycle: Conducting a DPIA late in a project’s development can be costly and disruptive, as fundamental privacy risks may already be built into the system.
  • Regulatory uncertainty: While the GDPR has a dedicated regulatory framework, the DPDP Act does not yet have one, as its rules are not yet finalised. This creates significant uncertainty about what constitutes a high-risk activity and how to conduct a compliant DPIA.

Conclusion

The examination of Data Protection Impact Assessments (DPIAs) under the GDPR and India’s DPDP Act highlights their pivotal and lasting importance in modern data privacy. Far from being just a legal requirement, a DPIA is a strategic tool for proactive risk management, a practical guide for embedding privacy by design, and a means of demonstrating accountability while fostering trust among stakeholders. Although the GDPR’s activity-based approach and the DPDP Act’s entity-based model pose different regulatory demands, their shared emphasis on privacy and accountability reflects a growing global consensus. This alignment offers multinational organisations an opportunity to streamline their DPIA practices by adopting a unified, principles-based framework that meets the strictest standards. In an era of rapid technological advancement, where emerging technologies such as AI bring evolving risks, the DPIA remains an essential, adaptable tool for balancing innovation with the protection of individual rights and freedoms. By treating DPIAs as a strategic necessity, organisations can meet regulatory challenges, reduce both tangible and intangible risks, and cultivate the trust needed for sustainable success in the digital age.


Rishabh Tiwari

About Author

An Advocate by profession and a cybersecurity enthusiast by passion, currently pursuing Master of Cyber Law and Information Security at NLIU, Bhopal.