
Evaluating Data Processing & Lawful Basis using DPIA

Mohd Aasif Ahmad

Content Writer

Tags: Data Protection, Data Flow Governance, Trust-Intelligence, Data Processing
  • This article explores how DPIAs can be used to systematically evaluate data processing activities and determine lawful bases under the DPDP Act.
  • One of the most effective tools for evaluating lawful data processing with respect to DPDP Act compliance readiness is the Data Protection Impact Assessment (DPIA).
  • With DPIA, data fiduciaries can effectively identify, assess, and mitigate risks related to unlawful data processing, especially when dealing with large volumes, sensitive categories, or new technologies.

A Data Protection Impact Assessment plays a pivotal role in helping organizations choose the correct legal basis for data processing. It ensures:

  • Clarity: Every processing activity is explicitly linked to either consent or a legitimate use.
  • Accountability: There’s documented justification for choosing one basis over another.
  • Compliance: Processing activities are aligned with the principles of necessity, proportionality, and fairness as mandated by the DPDP Act.
  • Traceability: If challenged by the Data Protection Board or auditors, organizations can trace every data use to its legal foundation.

For instance:

  • User analytics for product improvement: Generally requires consent, especially if identifiers or tracking cookies are used.
  • KYC checks by financial institutions: May qualify as a legitimate use, as required by law or regulatory obligation.
  • Employee attendance tracking: Likely a legitimate use under employment-related processing, but still requires safeguards and internal policies.

Data fiduciaries are advised to conduct DPIAs that assess the risk of unlawful data processing, so that they remain compliant and avoid enforcement action. The key steps organizations should take in this direction are as follows:

  1. Establish a lawful basis mapping table for all processing activities.
  2. Keep records of consent and rationale for legitimate use decisions.
  3. Train staff to recognize which processing types fall under consent vs. legitimate use.
  4. Use DPIA templates that require justification and stakeholder review of the legal basis.

2. Establishing a lawful basis mapping table for all processing activities.

The essential first step in any DPIA is to map data flows and how data is processed across the organization. A comprehensive data flow and processing map identifies how personal data enters the system, where it resides, who accesses it, how it is processed or transferred, and how it exits. It includes:

  • Data collection points (web forms, apps, physical documents)
  • Internal systems (databases, CRMs, ERPs)
  • Third-party processors (vendors, cloud services, analytics tools)
  • Retention periods and deletion practices

Accurate records of data processing activities ensure that organizations can demonstrate compliance, locate high-risk processes, and apply the correct lawful basis for each type of data use.


3. Justifying Lawful Processing Bases Under the DPDP Act

Under the Digital Personal Data Protection (DPDP) Act, 2023, data fiduciaries are required to establish a clear legal basis for every instance of personal data processing. The Act primarily recognizes two legal grounds for lawful processing: consent and legitimate use.

Consent is the cornerstone of privacy protection under the DPDP Act. To be considered valid, consent must meet the following criteria:

  • Free: The data principal (i.e., the individual) must provide consent without coercion or pressure.
  • Specific: Consent must be limited to clearly defined purposes; blanket or generalized consent is not valid.
  • Informed: The data principal must be fully informed about the purpose, nature, and implications of the data processing.
  • Unambiguous: The action indicating consent must be clear and affirmative—pre-ticked boxes or passive acceptance do not qualify.
  • Revocable: The data principal must be able to withdraw consent at any time, with ease, and without negative consequences.

Data fiduciaries must maintain auditable records of consent, including timestamps and the language in which it was obtained. Consent is often required in the following scenarios:

  • Marketing and profiling activities
  • Processing sensitive personal data (e.g., biometrics, health information)
  • Collecting data through mobile apps, websites, or digital platforms
  • Sharing data with third parties for non-essential services

A Data Protection Impact Assessment (DPIA) must verify that consent is:

  • Obtained appropriately,
  • Revocable at the data principal’s discretion, and
  • Not bundled with terms and conditions, which would make it invalid under the Act.

A contractual relationship with the data principal does not waive the need for consent. For example:

  • A subscription agreement does not automatically allow data sharing with advertisers without consent.
  • Service agreements must include clear purpose statements for each data use.

The DPIA should ensure that processing activities are not misrepresented as "contractual necessity" and that bundled consent is not used to bypass user rights.


While consent is vital, the DPDP Act recognizes that requiring consent for every data operation may not be feasible or necessary. Therefore, it allows specific “legitimate uses” where data can be processed without explicit consent. These uses are enumerated under Section 7 of the DPDP Act and include:

  1. Voluntary Disclosure: When the data principal voluntarily provides data (e.g., applying for a job, filling out a public feedback form), the data fiduciary may process it for the stated purpose.
  2. Legal or Regulatory Obligation: Processing is permitted if required to comply with a law, court order, or regulatory direction (e.g., tax reporting, criminal investigations).
  3. Public Interest and Safety: Processing is allowed in the interest of public health, safety, disaster management, or national security.
  4. Employment Purposes: Internal HR functions, salary processing, workplace safety, and other employer obligations may qualify.
  5. Fair and Reasonable Purpose: This is a flexible clause, subject to government guidelines, allowing processing for purposes that do not infringe on the data principal’s rights (e.g., fraud detection, credit scoring).
  6. Prevention and Detection of Unlawful Activity: Data fiduciaries may process data to prevent or detect fraud, money laundering, and other illegal actions.

These scenarios provide lawful exceptions to consent, but they must be applied narrowly and proportionately. Consent exemptions are not a loophole—they are conditional permissions granted to data fiduciaries under specific circumstances. Each instance should be justified with documentation and reviewed for proportionality and fairness. DPIAs should assess:

  • Whether the processing truly falls under a recognized legitimate use,
  • The necessity of using personal data to achieve the stated goal,
  • Whether less intrusive alternatives are available,
  • The impact on the data principal’s rights,
  • The presence of adequate safeguards and transparency measures,
  • Whether the exemption applies to the particular data and purpose,
  • Whether the data principal has been notified appropriately, and
  • Whether any harm or discrimination could arise from the exemption.

Improper use of consent exemptions can attract scrutiny from the Data Protection Board and result in enforcement actions.

While the Act permits processing without consent for legitimate uses, over-reliance or misclassification can lead to regulatory scrutiny. Common pitfalls include:

  • Treating all customer data as voluntarily provided when it was not.
  • Bundling multiple data uses under a single legitimate use category without proper assessment.
  • Failing to notify data principals even when the law requires it.

The DPIA process must help preempt such missteps by embedding granular reviews, stakeholder involvement, and legal consultation into processing evaluations.
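The lawful basis mapping table (step 1 above), the consent validity criteria, and the legitimate-use assessment can be turned into a mechanical check run over each row of a processing register. The following is an added illustration, not code from the article or from any DPDP tooling; the record fields, the category names in `LEGITIMATE_USES`, and the finding messages are assumptions chosen to mirror the criteria listed in this article.

```python
from dataclasses import dataclass
from typing import Optional

# Section 7 legitimate-use categories as enumerated in the article above (assumed labels).
LEGITIMATE_USES = {"voluntary_disclosure", "legal_obligation", "public_interest",
                   "employment", "fair_and_reasonable", "unlawful_activity_prevention"}

@dataclass
class ConsentRecord:
    obtained_at: str          # ISO timestamp of the consent action ("" if missing)
    language: str             # language the notice was presented in
    purposes: tuple           # specific purposes named in the notice
    affirmative_action: bool  # explicit act, not a pre-ticked box
    bundled_with_terms: bool  # folded into T&Cs, which the Act treats as invalid
    withdrawable: bool        # can be withdrawn easily and without detriment

@dataclass
class ProcessingActivity:
    purpose: str
    basis: str                             # "consent" or "legitimate_use"
    consent: Optional[ConsentRecord] = None
    legitimate_use: Optional[str] = None   # one of LEGITIMATE_USES
    justification: str = ""                # documented rationale for the exemption
    principal_notified: bool = True
    retention_days: Optional[int] = None

def assess(a: ProcessingActivity) -> list:
    """Return DPIA findings for one register row; an empty list means it passes."""
    f = ["no retention period recorded"] if a.retention_days is None else []
    if a.basis == "consent":
        c = a.consent
        if c is None:
            return f + ["consent basis but no consent record"]
        checks = [
            (not c.obtained_at or not c.language, "consent lacks timestamp or language"),
            (a.purpose not in c.purposes, "consent not specific to this purpose"),
            (not c.affirmative_action, "consent not unambiguous"),
            (c.bundled_with_terms, "consent bundled with terms and conditions"),
            (not c.withdrawable, "consent not revocable"),
        ]
    elif a.basis == "legitimate_use":
        checks = [
            (a.legitimate_use not in LEGITIMATE_USES, "not a recognized Section 7 use"),
            (not a.justification, "legitimate use lacks documented justification"),
            (not a.principal_notified, "data principal not notified"),
        ]
    else:
        checks = [(True, "no lawful basis recorded")]
    return f + [msg for bad, msg in checks if bad]
```

Running `assess` over every row of the register surfaces exactly the pitfalls listed above (unrecognized or undocumented exemptions, bundled or non-specific consent, missing notification) before an auditor or the Data Protection Board does.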

4. Final Thoughts

  • From mapping data flows to analyzing consent exemptions, DPIAs must be detailed, documented, and updated regularly. In an evolving regulatory landscape, treating DPIAs as a compliance checklist is not enough—they must become a strategic privacy governance tool.
  • Every data processing activity must be supported by a clearly documented legal basis, whether it is consent or a legitimate use. DPIAs help organizations align each activity with the correct basis under the DPDP Act, reducing the likelihood of regulatory breaches or misuse of exemptions.
  • With growing reliance on external vendors and cloud services, DPIAs must rigorously evaluate third-party data handling. Proper contracts, DPAs, and audit mechanisms are critical to ensure that data fiduciaries retain control and accountability, even when data leaves their direct systems.
  • The digital landscape and legal expectations are constantly shifting. DPIAs must be living documents—regularly reviewed, revised, and expanded as new technologies are adopted or risks emerge. Treating them as strategic tools ensures ongoing compliance and strengthens user trust.



© 2025 Bytecloak Technologies Private Limited. All rights reserved.