DPDP DPIA playbook 2026: when the impact assessment becomes mandatory under Rules 2025

DPIA used to be the slide nobody read in a privacy programme deck. That changed on 14 November 2025. Rule 13(1) of the DPDP Rules 2025 requires a Significant Data Fiduciary to "once in every period of twelve months from the date on which it is notified as such, undertake a Data Protection Impact Assessment and an audit." Rule 13(2) then requires the person carrying out the DPIA to furnish a report of significant observations to the Data Protection Board. The DPIA is no longer an internal artefact, it is a regulator-facing one.

Three design choices in the Rules sharpen the obligation. First, Rule 13(3) extends the assessment scope to "algorithmic software" used to host, display, modify or share personal data, requiring documented due diligence that the software is not likely to pose a risk to the rights of Data Principals. That language reads narrow on paper, but Ikigai Law and Cyril Amarchand have both flagged that any material model change in production becomes a fresh DPIA trigger in practice. Second, Rule 13(4) attaches a localisation hook to categories of personal data and traffic data notified by the Central Government, meaning the DPIA must include a transfer impact analysis the day a notification drops. Third, Section 33(2)(e) of the Act tells the Board to weigh "whether the person took any action to mitigate the effects and consequences of the breach and the timeliness and effectiveness of such action" when sizing a penalty. A DPIA that identified a risk and proposed treatment is the single best mitigation evidence a fiduciary can produce.

The Schedule sets the price of getting this wrong. A breach of additional SDF obligations under Section 10 (which is where the DPIA duty sits) can attract a civil penalty up to Rs 150 crore. A linked Section 8(5) failure to take reasonable security safeguards (often surfaced by a missing DPIA) can attract up to Rs 250 crore. The DPIA is the document that demonstrates, to the Board and to your own audit committee, that the risk was assessed before the harm crystallised.

Most boards assume the DPIA clock only starts after SDF designation under Section 10(1). That is the express statutory trigger, but it is not the only one. Four triggers are live as of June 2026, and any one of them obliges a fiduciary to run a DPIA before 14 May 2027.

Trigger 1, SDF designation under Section 10(1). Once MeitY notifies a fiduciary or class of fiduciaries as an SDF (assessing volume and sensitivity of data, risk to Data Principal rights, sovereignty and integrity, electoral democracy, security of the State, and public order), the 12-monthly Rule 13(1) cadence starts. No SDF notifications have been issued as of June 2026, but King Stubb and Kasiva, Ikigai Law and SFLC all flag banking, healthcare and large e-commerce as likely first batches.

Trigger 2, sectoral overlays that already require a DPIA-equivalent. The RBI Master Directions on IT Governance, Risk, Controls and Assurance Practices (November 2023) require Annual Risk and Information Security audits. SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF, 2024) mandates third-party audit and threat-risk assessment for market intermediaries. IRDAI's Information and Cyber Security Guidelines 2023 require annual VAPT and risk assessment. The Ayushman Bharat Digital Mission Health Data Management Policy requires DPIA-equivalent assessments for ABDM-integrated entities. Any regulated entity in these four sectors should treat the DPIA as already mandatory.

Trigger 3, algorithmic processing under Rule 13(3). A material model change (new fairness assumption, new training corpus, new automated decision class) is an implicit DPIA trigger even mid-cycle. Cyril Amarchand reads the rule as requiring evidence of continuous algorithmic due diligence, not a once-a-year sign-off.

Trigger 4, processing of high-risk data classes. Even without SDF status, processing children's data under Section 9 and Rule 10 (verifiable parental consent), biometric or financial data, and large-volume profiling should be DPIA-gated. The DPDPA abandons the SPDI Rules 2011 "sensitive personal data" category, but Section 10(1)(a) preserves "sensitivity" as a designation factor, and the Board will look for a DPIA if these categories are processed at scale.

Once a trigger fires, the DPIA needs a structure that produces evidence the Board would accept under Section 28 powers to summon documents. The five-stage method below is what we run inside DPDP Act 2023 compliance consulting engagements. Each stage has a defined input and a defined deliverable.

Stage 1, scoping and necessity test. Input: the processing activity description from your Record of Processing Activities. Deliverable: a one-page scoping memo naming the lawful basis under Section 4 (consent under Section 6 or a legitimate use under Section 7), the categories of Data Principals, the personal data items, the processors and sub-processors involved, and the retention period. The necessity test asks whether the processing is the minimum required to serve the notified purpose under Section 5.

Stage 2, data flow mapping. Input: architecture diagrams, infrastructure inventory, third-party agreements. Deliverable: an end-to-end data flow showing collection, storage, processing, sharing and deletion, with cross-border legs marked separately. Rule 13(4) localisation hook means any flow leaving India must carry a justification, even if no countries have been notified under Section 16 as of June 2026.

Stage 3, risk identification and scoring. Input: the data flow plus known threat scenarios. Deliverable: a risk register with likelihood, impact and inherent risk score for each identified harm. Use harm categories the Board would recognise: unauthorised access, unlawful disclosure, profiling without consent, automated decisions affecting rights, denial of service to a Data Principal exercising rights under Sections 11 to 13.

Stage 4, control mapping and treatment plan. Input: the inherent risk scores. Deliverable: residual risk scores after applying technical and organisational controls (encryption, pseudonymisation, access controls, breach detection, consent withdrawal mechanics), and a treatment plan for any residual risk above tolerance. This stage is where VAPT findings and code-review evidence get integrated, because the Board will not accept a control description without operating effectiveness evidence.

Stage 5, sign-off and Board reporting pack. Input: the residual risk register and treatment plan. Deliverable: a DPO sign-off memo, the Rule 13(2) significant observations report formatted for DPB submission, and an audit committee summary. The sign-off must name the residual risks the business has consciously accepted and the reviewer date for the next iteration.

The Section 16 proviso explicitly preserves stricter cross-border restrictions under any other law. The same logic runs across the DPDP regime: sectoral regulators continue to apply, and most of them already require something that looks like a DPIA. The matrix below is the version we use in CFO and audit-committee briefings.

Sector and regulator	Pre-existing DPIA-equivalent obligation	What changes on 14 May 2027
Banking and NBFC (RBI)	Master Directions on IT Governance, Risk, Controls and Assurance Practices, November 2023; ARI and IS audits	Rule 13 DPIA layered on top once SDF notified; localisation hook under Rule 13(4) extends RBI 2018 payment data circular
Capital markets (SEBI)	CSCRF 2024 third-party audit and threat-risk assessment for market intermediaries	DPIA required if SDF status notified for KRAs, RTAs or large brokers
Insurance (IRDAI)	Information and Cyber Security Guidelines 2023; annual VAPT and risk assessment	Rule 13 DPIA cadence applies to designated insurers; children-data triggers add Section 9 obligations
Healthcare (NHA, ABDM)	Health Data Management Policy requires DPIA-equivalent assessment for ABDM-integrated entities	Algorithmic due diligence under Rule 13(3) attaches to AI-assisted diagnosis and triage tools
Consumer tech and ad-tech	No express DPIA today, but Section 10(1)(d) "risk to electoral democracy" factor reads as a designation lever	SDF designation likely for platforms with political content or large profiling pipelines
SaaS handling foreign Data Principals	Section 17(1)(d) BPO carve-out preserves foreign-contract processing	DPIA still required for any India-resident Data Principal data; foreign carve-out does not extend to mixed pipelines

Two practical implications. First, regulated entities should not wait for SDF designation to start the DPIA. The sectoral overlays already produce the evidence base the Board will request. Second, the DPIA must explicitly reconcile with the sectoral regime, because penalties stack under separate statutes (the Section 16 proviso and the IT Act Section 70B CERT-In duties are independent of DPDPA penalties).

Consider a fintech NBFC running a consent-driven onboarding flow that pulls credit bureau data, bank account aggregator data and Aadhaar offline KYC. The fintech processes 80 lakh consumer records and is a near-certain SDF candidate under Section 10(1)(a). The DPIA runs in the five stages above.

Stage 1 output: the lawful basis is consent under Section 6, supplemented by legitimate use under Section 7 for ongoing fraud prevention. The notice under Section 5 (and Rule 3 form requirements) lists each data category and purpose separately. The necessity test confirms that bureau data is the minimum required for credit decisioning; geolocation data collected by the app is flagged as out of scope and removed.

Stage 2 output: data flow shows collection in the mobile app, transmission to an in-India PostgreSQL primary, replication to an analytics warehouse, sharing with a co-lender via API, and a vendor SOC operating from outside India. The cross-border leg to the SOC is flagged for Rule 13(4) treatment even though no Section 16 notifications have been issued yet.

Stage 3 output: the risk register identifies eight harms. The highest-scoring is "consent withdrawal not propagated to co-lender" (likelihood high, impact high) because the API contract did not include a withdrawal hook. The second is "automated rejection without human review" which triggers Rule 13(3) algorithmic due diligence.

Stage 4 output: consent withdrawal hook added to the co-lender API, with a 24-hour SLA for propagation. The automated rejection path adds a human review checkpoint and a model card documenting fairness testing. Encryption at rest and field-level tokenisation for Aadhaar reference number added. The penetration testing retest scope is expanded to cover the new API surface, with findings mapped to OWASP API Security Top 10 (BOLA, BFLA) and CWE references.

Stage 5 output: the DPO signs off two residual risks that the business has accepted: the 24-hour withdrawal propagation window (versus immediate) and the co-lender's retention of decisioning logs for 7 years per RBI requirements. The Rule 13(2) report names these residuals, justifies them with reference to Section 33(2) factors, and dates the next iteration at 12 months. The audit committee gets a 4-slide summary tied to a rupee exposure number.

The DPIA is only useful if it produces artefacts that an outside reviewer (your audit committee, an independent data auditor under Section 10(2)(b), the Data Protection Board, a customer doing third-party due diligence) can read and act on. The deliverable set below is what we hand over at the close of every DPIA engagement.

Artefact 1, DPIA report. The full document including scoping memo, data flow, risk register, control mapping, residual risk register, treatment plan and DPO sign-off. Length is usually 30 to 60 pages depending on processing complexity. Stored under privilege where possible, with a non-privileged executive summary released to the Board.

Artefact 2, Rule 13(2) significant observations report. A condensed Board-facing document that names the significant observations, the action taken to address them, and the residuals accepted by the fiduciary. This is the document that goes to the DPB as part of the annual cycle for SDFs. Get the format right: short, evidence-linked, and dated.

Artefact 3, audit committee summary. A 4 to 6 slide deck mapping each significant residual risk to a rupee exposure under the Schedule, naming the control investments funded against it, and forecasting the next review date. This is where DPDP risk becomes a board-level financial discussion rather than a privacy footnote.

Artefact 4, evidence index. A spreadsheet listing every supporting artefact (architecture diagrams, code review reports, VAPT reports, SIEM extracts, vendor contracts, Data Principal grievance logs, consent withdrawal logs) with versions and locations. The Section 28 investigation officer will ask for these; have them in one place.

Artefact 5, control treatment tracker. A live tracker of the remediation items the DPIA produced, with owners, due dates and status. This is the document that proves the DPIA was not a paper exercise. Under Section 33(2)(e), this is also your best mitigation evidence if a breach later occurs in scope of the assessed processing.

Most DPIAs we audit on engagement entry have the same six drafting failures. Each one is fixable in a week, but each one would unwind in front of the Board.

Mistake 1, treating the DPIA as a one-time event. Rule 13(1) sets a 12-month cadence but Rule 13(3) makes algorithmic due diligence continuous. Set a quarterly model-change review checkpoint, not just an annual full DPIA.

Mistake 2, conflating consent and legitimate use. Section 4 lists consent under Section 6 and the legitimate uses in Section 7 as alternatives. Many fintechs route the same processing through both bases without naming which one applies when. The DPIA must pick a primary basis for each processing activity and document the fallback.

Mistake 3, copying the GDPR Article 35 template. GDPR's "high risk to rights and freedoms" gating language has no direct equivalent in DPDPA. The Indian DPIA must reference Section 10(1) designation factors, Section 33(2) penalty factors, and Rule 13 obligations explicitly. A copied template signals the fiduciary did not engage with the actual statute.

Mistake 4, no algorithmic due diligence section. Rule 13(3) is explicit. The DPIA needs a separate sub-section on algorithmic processing, even if the answer is "no automated decisions in scope" (in which case, document why).

Mistake 5, no Section 17 reconciliation. Section 17(1) carves out six exemptions (legal claims, judicial functions, offence investigation, foreign contract processing, M&A, financial defaulter tracing). The DPIA must check whether any apply and document the conclusion. Failing to do this looks like overreach when one of the exemptions clearly applies and the DPIA applied full obligations anyway.

Mistake 6, no link to the breach notification runbook. The DPIA identifies harm scenarios; the breach runbook responds to them. The two documents should cross-reference each other. If the DPIA says "moderate likelihood of credential stuffing impacting 5 lakh users" but the runbook has no playbook for that scenario, the gap will surface in any post-breach Board inquiry under Section 28.

The DPIA is ultimately a board-governance instrument. Section 10(2)(a) requires the SDF DPO to be "responsible to the Board of Directors or similar governing body," so the Board must be able to consume DPIA output. The brief below works for the audit committee or full Board.

Slide 1, regime status. Two dates anchor the discussion: 14 November 2025 (Rules notified, Board operational) and on or around 14 May 2027 (substantive obligations live, including Rule 13). Confirm whether the fiduciary has been notified as an SDF (most have not, yet). Identify which sectoral overlays already apply.

Slide 2, DPIA portfolio. List the processing activities in scope. For each, name the trigger (SDF, sectoral, algorithmic, high-risk class), the lawful basis, and the current DPIA status (not started, in flight, signed off, due for refresh).

Slide 3, residual risk register. Show the top 5 residual risks from completed DPIAs, with rupee exposure mapped to the Schedule heads. Reference the Section 33(2) factors and where the fiduciary sits on each.

Slide 4, treatment plan and budget. Show the FY27 control investments tied to each residual risk. Tie back to standing security investments (VAPT cadence, SOC operations, consent infrastructure, DPO function). Name the auditable milestones the independent data auditor under Section 10(2)(b) will sign off against.

We run DPIA programmes against this structure inside our DPDP consulting engagement and pair them with VAPT evidence to satisfy Section 8(5) reasonable security safeguard obligations. If your Board is asking for a DPIA roadmap in the next quarterly review, the right time to scope is now, because each DPIA takes 4 to 8 weeks per processing activity and the artefacts must exist before the 14 May 2027 substantive commencement.

]]>