A product team ships a new onboarding flow, the security team approves the vendor, and legal updates the privacy notice three weeks later. The risk is not that nobody cared about privacy. The risk is that no one can show, in one place, how the data flow, purpose, controls, vendors, and Data Principal rights were reviewed before launch.
Under the Digital Personal Data Protection Act, 2023, that review becomes mandatory for a specific class of organizations: Significant Data Fiduciaries.
Section 10(2)(c)(i) of the Digital Personal Data Protection Act, 2023 requires a Significant Data Fiduciary to undertake a periodic Data Protection Impact Assessment, and Rule 13 of the Digital Personal Data Protection Rules, 2025 turns that into a once-in-twelve-months DPIA and audit obligation.

The practical answer is narrower and more useful than most PIA-versus-DPIA explainers written for India suggest: a DPIA is legally required under DPDPA when your organization is notified as a Significant Data Fiduciary, but a PIA-style review should be run before high-risk processing changes even if you are not yet formally designated.
The legal obligation may start with designation. The evidence problem starts much earlier.
For DPDPA purposes, the statute uses Data Protection Impact Assessment, not a separate PIA/DPIA distinction. In operating language, teams often call the same review a PIA, privacy risk assessment, or DPIA.
Here is the decision rule:

A Privacy Impact Assessment usually means an internal review of how a project, system, vendor, or process affects personal data. A Data Protection Impact Assessment is the term used in many legal regimes for a more formal risk assessment tied to rights, purposes, and safeguards.
Under DPDPA, the precise statutory term is Data Protection Impact Assessment. Section 10(2)(c)(i) of the Digital Personal Data Protection Act, 2023 describes it as a process comprising a description of the rights of Data Principals, the purpose of processing their personal data, an assessment of risk to those rights, and measures for managing those risks. That is the definition compliance teams should use when building the assessment template.
For internal workflows, “PIA” is still useful. It tells product, engineering, security, procurement, and legal that the review is not only a legal memo. It is a launch gate that asks whether the processing can be explained, limited, protected, and evidenced.
So the clean operating model is:
Section 10 of the Digital Personal Data Protection Act, 2023 is about Significant Data Fiduciaries, not every organization that touches personal data.
Section 10(1) says the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as significant based on relevant factors, including volume and sensitivity of personal data, risk to Data Principal rights, impact on India’s sovereignty and integrity, risk to electoral democracy, security of the State, and public order.
Once an organization is an SDF, Section 10(2) adds three governance duties:
The official Digital Personal Data Protection Act, 2023 text published by MeitY is the source to use for these section numbers. Do not rely on generic privacy summaries for statutory numbering.
The penalty context matters too. Under Section 33 and the Schedule to the Digital Personal Data Protection Act, 2023, breach of additional SDF obligations under Section 10 may attract a penalty up to ₹150 crore, while failure to take reasonable security safeguards to prevent a personal data breach may attract a penalty up to ₹250 crore.
Those figures are not scare copy. They are the ceiling figures in the statutory penalty schedule.
Rule 13 of the Digital Personal Data Protection Rules, 2025 makes the SDF obligation operational. It does three important things.
First, it sets the cadence. Rule 13(1) requires a Significant Data Fiduciary to undertake a Data Protection Impact Assessment and an audit once in every twelve-month period from the date it is notified as an SDF or included in a notified class.
Second, it creates a reporting path. Rule 13(2) requires the person carrying out the DPIA and audit to furnish to the Board a report containing significant observations from the DPIA and audit.
Third, it connects impact assessment to technical risk. Rule 13(3) requires an SDF to observe due diligence to verify that technical measures, including algorithmic software used for hosting, display, uploading, modification, publishing, transmission, storage, updating, or sharing of personal data, are not likely to pose a risk to the rights of Data Principals.
The Digital Personal Data Protection Rules, 2025 Gazette text on MeitY also states in Rule 1 that Rules 3, 5 to 16, 22, and 23 come into force eighteen months after publication in the Official Gazette. The Press Information Bureau’s DPDP Rules, 2025 explainer says the Rules were notified in November 2025 and describes the phased implementation approach.
As of 3 July 2026, compliance teams should track the Gazette commencement and any SDF notification separately, because the annual DPIA clock depends on SDF notification or class inclusion.
A non-SDF may not yet have the formal Section 10 DPIA obligation. That does not make impact assessment optional as a governance practice.
The common wrong fix is to wait for a government notification and then build the DPIA workflow under pressure. By then, the product may already be live, vendor contracts may already be signed, data flows may already be undocumented, and deletion obligations may already be hard to execute.
Run a PIA before launch or material change when any of these triggers appears:
A good internal threshold is simple: if the change affects what personal data is collected, why it is processed, who receives it, how long it is retained, how rights are exercised, or how the risk is controlled, run a PIA.
A weak PIA asks, “Is there personal data?” and then stores the answer in a spreadsheet. A useful PIA creates a record that connects statute, system, owner, risk, control, and evidence.
Build the assessment around these artifacts:

The point is not the document. The point is whether the workflow produces evidence that can be reviewed later by leadership, auditors, customers, or the Data Protection Board.
Legal should not own the entire PIA alone. Security should not own it alone either. A PIA crosses systems and decisions.
A workable ownership model looks like this:
This is where the manual process breaks. If the PIA lives as a legal questionnaire, product teams route around it. If it lives only as a security checklist, notice, consent, rights, and retention can be missed. The workflow has to show who did what, when, and why.
Redacto’s role is not to replace legal judgment. Automation can prepare the decision, route approvals, maintain registers, and surface missing evidence. DPO, legal, security, and business owners still own interpretation, risk acceptance, and regulator-facing accountability.
Redacto’s DPDPA compliance platform lists Privacy Impact Assessment automation, AI-Driven Data Discovery & Mapping, Vendor Risk Management, Automated DSAR Management, Audit & Reporting, and related privacy governance capabilities.
In a PIA workflow, those capabilities matter because the assessment depends on inputs scattered across systems:
Redacto is a stronger fit when the organization is India/DPDPA-first and needs one operating record across consent, PIA, ROPA, vendors, DSAR, and audit evidence. It is not the natural first pick for a global privacy team that mainly needs deep multi-jurisdiction GDPR, CCPA, and sector-specific workflow coverage out of the box.
Redacto also does not publish public pricing; evaluation is license-based and requires contacting Redacto.

The most expensive PIA failures are usually workflow failures, not drafting failures.
Start with one live workflow, not the whole enterprise. Pick a high-risk workflow such as digital KYC, patient onboarding, employee background verification, loan underwriting, loyalty analytics, or customer support recording.
Ask these questions:

A PIA or DPIA is required under DPDPA when the organization is a Significant Data Fiduciary under Section 10 of the Digital Personal Data Protection Act, 2023, with Rule 13 of the Digital Personal Data Protection Rules, 2025 requiring an annual DPIA and audit from notification or class inclusion.
But the safer operating position is to run PIAs before high-risk processing changes, even before formal SDF designation. That gives the company a living evidence trail: what data was processed, why it was needed, which rights were affected, which controls were implemented, who accepted the residual risk, and what proof exists.
This week, pick one high-risk workflow and trace it from data collection to deletion. If you cannot identify the purpose, vendor, rights path, safeguard owner, retention rule, and approval record, do not wait for the formal DPIA deadline. Start the PIA there.