A Comparative Overview of DPIA Requirements under Major Privacy Laws
Introduction
A Data Protection Impact Assessment (“DPIA”) is a structured process that helps organisations identify, evaluate, and mitigate risks arising from the processing of personal data. It promotes responsible data governance by ensuring that privacy considerations are incorporated at the planning stage of projects and processing activities.
Although the requirement to conduct DPIAs varies across jurisdictions, data protection frameworks such as the DPDP Act, the GDPR and the CCPA all recognise their importance in safeguarding individual rights and fostering accountability. This article examines the concept of DPIAs, their significance, and the regulatory approaches adopted under these three laws.
Importance of Conducting a DPIA
Conducting a Data Protection Impact Assessment is an important compliance obligation under data protection laws, particularly for processing activities that are likely to pose a high risk to the rights and freedoms of individuals.
Promoting a Privacy-by-Design Culture: The regular use of DPIAs promotes greater awareness of privacy and data protection within an organisation. It encourages employees involved in the design and implementation of projects to consider privacy issues from the outset and adopt a “data protection by design” approach.
Identifying and Mitigating Risks at an Early Stage: A DPIA is not merely a compliance exercise; it is a practical tool for identifying potential risks and implementing appropriate safeguards before problems arise.
Building Trust and Strengthening Stakeholder Relationships: Conducting DPIAs can strengthen public trust and improve relationships with users by demonstrating a commitment to protecting privacy.
DPIA Requirement under the DPDP Act
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), conducting a Data Protection Impact Assessment (DPIA) is a statutory obligation (Section 10(2)(c)) only for entities designated as a Significant Data Fiduciary (“SDF”) by the Central Government.
The Central Government is empowered under Section 10 of the Act to designate a Data Fiduciary or a class of Data Fiduciaries as an SDF after an assessment of factors such as: (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order.
The Central Government has not yet issued any such notification, so at present no Data Fiduciary is under a statutory DPIA obligation. Organisations that process large volumes of personal data, or personal data of a sensitive nature, such as healthcare institutions, financial service providers and AI-driven enterprises, are nonetheless the most likely candidates for designation and should be prepared to conduct DPIAs once designated. Under Rule 13 of the DPDP Rules, 2025, an SDF must undertake a DPIA (together with an audit) once in every period of twelve months.
Data Protection Impact Assessment under the GDPR
Article 35(1) of the GDPR provides that where a type of processing, particularly one involving new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, before the processing, assess the impact of the envisaged processing operations on the protection of personal data.
Furthermore, Article 35(3) specifies certain instances in which a DPIA is particularly required. These include: (a) a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the individual or similarly significantly affect them; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; and (c) the systematic monitoring of a publicly accessible area on a large scale.
Essentials for Conducting a DPIA: Article 35(7) sets the minimum content of the assessment: (a) a systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller; (b) an assessment of the necessity and proportionality of the processing in relation to those purposes; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR. Recital 90 adds that the assessment should evaluate the particular likelihood and severity of the risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. Where the DPIA indicates that the processing would still result in a high risk after mitigation, Article 36 requires the controller to consult the supervisory authority before processing.
Specific Circumstances Triggering a DPIA Requirement: Recital 91 further clarifies the circumstances in which a DPIA is particularly necessary. This includes large-scale processing operations involving substantial amounts of personal data at the regional, national, or supranational level that may affect a large number of data subjects and are likely to pose a high risk due to the sensitivity of the data or the use of new technologies on a large scale.
Scope for Sector-Wide and Common Assessments: Recital 92 recognises that, in certain circumstances, it may be reasonable and economical for a DPIA to extend beyond a single project. This may occur where public authorities or bodies establish a common application or processing platform, or where several controllers introduce a common application or processing environment across an industry sector, market segment, or widely used horizontal activity. In such cases, a broader DPIA may be undertaken to assess the common processing operations.
Failure to carry out a DPIA when one is required is itself sanctionable. Under Article 83(4), infringements of the controller's obligations under Articles 25 to 39 (which include Article 35) attract administrative fines of up to 10 million euros or 2 per cent of total worldwide annual turnover of the preceding financial year, whichever is higher. The higher tier of 20 million euros or 4 per cent of turnover under Article 83(5) applies to breaches of the basic processing principles, data subject rights and international transfer rules, which a deficient DPIA can also lead to.
Risk Assessment Under California Consumer Privacy Act (“CCPA”)
The CCPA does not use the term “Data Protection Impact Assessment.” However, Article 10 of the CCPA Regulations issued by the California Privacy Protection Agency (CPPA) requires a business to conduct a risk assessment before initiating any processing activity that presents a “significant risk” to consumers’ privacy.
The Regulations further provide that businesses must prepare and update risk assessments as soon as reasonably possible, and in any event no later than 45 calendar days after any material change relating to the processing activity. In addition, businesses are required to review and update their risk assessments at least once every three years, except for updates necessitated by material changes.
Processing activities that pose “Significant Risk”
The Regulations specifically identify the categories of processing that constitute a significant risk and include:
(a) selling or sharing personal information;
(b) processing “sensitive personal information”;
(c) using automated decision-making technology (ADMT) to make a “significant decision” about a consumer;
(d) using ADMT to infer or derive conclusions about a consumer through systematic observation of the consumer or the consumer’s location; and
(e) processing personal information for the purpose of training an ADMT to make a significant decision concerning a consumer, or to train facial-recognition, emotion-recognition, or other technologies that verify a consumer’s identity or conduct physical, biological, or behavioural identification or profiling.
The key terms are defined in the CCPA itself and in the Regulations, as follows:
“Sensitive personal information” includes personal information such as Social Security numbers, driver’s licence numbers, state identification card numbers, passport numbers, account log-in credentials, financial account information, precise geolocation data, racial or ethnic origin, the contents of an individual’s mail, e-mail, or text messages, biometric information, information concerning an individual’s health or sex life, and information relating to an individual whom the business knows to be under 16 years of age, among other categories.
“Significant decision” refers to a decision that determines access to, or denial of, financial or lending services, housing, insurance, educational enrolment or opportunities, criminal justice outcomes (such as the posting of bail bonds), employment or independent contracting opportunities or compensation, healthcare services, or essential goods and services such as groceries, medicine, hygiene products, or fuel.
ADMT is defined as “any technology that processes personal information and uses computation to replace human decision making or substantially replace human decision making.” The inclusion of several forms of ADMT among the categories of processing that pose significant risk reflects the CPPA’s focus on algorithmic systems that can materially affect an individual’s rights and opportunities without meaningful human oversight.
Together, these specified triggers provide a clearer regulatory framework than many earlier U.S. privacy laws for determining when a formal risk assessment is required.
How should an Organisation approach these varying requirements?
Multinational companies operating across multiple jurisdictions often face the challenge of complying with diverse privacy laws that prescribe different criteria and triggers for conducting Data Protection Impact Assessments (DPIAs).
To address these challenges, organisations can integrate DPIAs into a broader privacy-by-design and privacy-by-default framework, enabling them to identify and mitigate privacy risks at an early stage of data processing activities. Even in jurisdictions where DPIAs are not expressly mandated, organisations may adopt them as a best practice in recognition of the significant benefits they offer.
Conclusion
While the GDPR and CCPA provide detailed frameworks identifying situations where impact assessments are required, India's DPDP Act currently limits the obligation to Significant Data Fiduciaries. Although the Central Government is yet to notify such entities, organisations handling large volumes of sensitive personal data, particularly in sectors such as healthcare, financial services, and AI, should closely monitor future developments.