DPO PLAYBOOK

The DPO's DPIA Readiness Checklist: What RBI DPSC §4.2 Actually Requires

10 min read | DPO · Compliance Officer | April 2026
In this article
What triggers a mandatory DPIA
The 9-step structure every DPIA needs
Evidence DPOs consistently underestimate
Approval chain and immutability

Under the DPDP Act (enacted 2023, Rules notified 2025), the DPO is accountable for ensuring that a Data Protection Impact Assessment is completed and approved before high-risk processing begins, not merely for recommending one. Here is what that means in practice: the specific steps, the evidence each step must carry, and the RBI DPSC reference your programme needs to cite.

What triggers a mandatory DPIA

The statutory DPIA duty in the DPDP Act sits with Significant Data Fiduciaries (Section 10 of the Act, with the periodic assessment cadence set by the 2025 Rules). In practice, three processing characteristics make a DPIA non-negotiable under the combined DPDP Act and RBI DPSC framework: sensitive personal data processed at scale, systematic monitoring of data principals, and profiling that produces legal or similarly significant effects on them. For BFSI organisations, the practical implications are immediate.

KYC onboarding with biometric data meets all three criteria. Credit-scoring ML models qualify as profiling with significant effects. AML transaction monitoring qualifies as systematic monitoring. If your organisation runs any of these activities without a completed and approved DPIA, you have a material compliance gap, not a theoretical one.

RBI DPSC §4.2

The RBI Master Direction on Digital Payment Security Controls (DPSC) requires a documented risk assessment before a digital product or feature that processes customer personal data is deployed. In supervisory practice this is treated as the payment-side equivalent of a DPIA, and it applies in addition to, not instead of, the DPDP Act requirement; a single assessment can satisfy both only if it carries the evidence each framework expects.

The 9-step structure every DPIA needs

Most DPIAs we review are structurally incomplete. They have a risk table but no evidence attached. They have safeguards listed but no vendor DPAs linked. Regulators review DPIAs by checking whether evidence exists for each claim — and description without documentation is worthless.

  1. Purpose: Specific processing activity, data categories, data subjects, and processing context — not generic descriptions
  2. Data inventory: Every data element, source, format, and retention period
  3. Necessity and proportionality: Legal basis and why collection is proportionate to purpose
  4. Risk identification: Re-identification, unauthorised access, discrimination, profiling harm
  5. Risk assessment: Likelihood × impact scores. For BFSI: credit bureau data misuse, biometric retention, cross-sell profiling must be explicitly assessed
  6. Safeguards: Specific technical and organisational measures that mitigate each risk — not generic statements
  7. Vendor management: All third-party processors, DPAs in place, sub-processor list
  8. Evidence: Consent artefacts, DPA copies, retention policy references, control screenshots — attached, not referenced
  9. Decision and approval: Multi-role sign-off (privacy, security, legal), residual risk acceptance documented, record immutable after approval

The evidence DPOs consistently underestimate

Consent records, DPA agreements, and control evidence are the three categories most frequently missing from DPIAs at review time. "We have consent" without a retrievable consent record linked to the specific processing activity is insufficient. "Encryption is in place" without a configuration screenshot or audit log reference is insufficient. "Third parties are managed" without attached DPAs is insufficient.

The regulator will ask for each of these during an audit. Build the habit of attaching evidence at the time of writing, not at the time of audit.

Approval chain and immutability

The DPIA approval chain must be documented and tamper-evident. A DPO email sign-off buried in an inbox does not satisfy this requirement. The record needs: who approved, in what role, at what timestamp, and which version of the document they approved, which in practice means binding a content hash of the approved version (including its attached evidence) to each sign-off. After the final approval, the record must be locked; any change after that point has to be a new version with a fresh approval cycle, because a silently modified approved record creates the appearance of retrospective falsification.
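One way to make both the evidence attachment of step 8 and the approval chain of step 9 tamper-evident is shown below. This is an added example written for this article, not code from the CreativeCyber platform: evidence files are attached by SHA-256 content hash, each approval is an HMAC-signed entry that records approver, role, timestamp, version and the content hash it approved, entries are chained by hash, and the record refuses further approvals once locked. The approver names, HMAC keys, DPIA identifier and evidence bytes are constructed placeholders; in a real deployment the per-approver HMAC key would be replaced by a key held in the organisation's signing service or HSM.

```python
"""Tamper-evident DPIA approval record (added example, not platform code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so hashes do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GENESIS = "0" * 64  # prev_hash of the first approval in a chain


class DPIARecord:
    """A DPIA whose approvals form an HMAC-signed hash chain.

    Each approval binds who, in what role, when, and the exact content
    (by hash) that was approved. Once locked, approve() refuses new entries;
    any later edit to body or evidence is reported by verify().
    """

    def __init__(self, dpia_id: str, version: str, body: dict, evidence: dict):
        self.dpia_id = dpia_id
        self.version = version
        self.body = body
        # Evidence attached by content hash: swapping a screenshot or DPA PDF
        # changes the hash and therefore invalidates every existing approval.
        self.evidence = {name: sha256_hex(blob) for name, blob in evidence.items()}
        self.approvals = []
        self.locked = False

    def content_hash(self) -> str:
        return sha256_hex(canonical({"dpia_id": self.dpia_id, "version": self.version,
                                     "body": self.body, "evidence": self.evidence}))

    def approve(self, approver: str, role: str, key: bytes, timestamp=None) -> dict:
        if self.locked:
            raise PermissionError("record is locked; changes need a new version")
        prev = self.approvals[-1]["entry_hash"] if self.approvals else GENESIS
        entry = {"approver": approver, "role": role,
                 "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
                 "version": self.version, "content_hash": self.content_hash(),
                 "prev_hash": prev}
        # Per-approver HMAC key stands in for a signing key held by that person.
        entry["mac"] = hmac.new(key, canonical(entry), "sha256").hexdigest()
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.approvals.append(entry)
        return entry

    def lock(self, required_roles) -> None:
        missing = set(required_roles) - {a["role"] for a in self.approvals}
        if missing:
            raise ValueError(f"cannot lock, approvals missing for roles: {sorted(missing)}")
        self.locked = True

    def verify(self, keys: dict) -> list:
        """Return findings; an empty list means the chain is intact and current."""
        findings, current, prev = [], self.content_hash(), GENESIS
        for i, e in enumerate(self.approvals):
            unsigned = {k: v for k, v in e.items() if k not in ("mac", "entry_hash")}
            key = keys.get(e["approver"])
            if key is None or not hmac.compare_digest(
                    hmac.new(key, canonical(unsigned), "sha256").hexdigest(), e["mac"]):
                findings.append(f"approval {i}: MAC invalid for {e['approver']}")
            signed = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(canonical(signed)) != e["entry_hash"]:
                findings.append(f"approval {i}: entry hash mismatch")
            if e["prev_hash"] != prev:
                findings.append(f"approval {i}: chain broken")
            if e["content_hash"] != current:
                findings.append(f"approval {i}: approved content differs from current record")
            prev = e["entry_hash"]
        return findings


def demo() -> tuple:
    """Constructed scenario: three-role approval, lock, then a post-approval edit."""
    keys = {"asha": b"k-asha", "ravi": b"k-ravi", "meera": b"k-meera"}  # hypothetical
    rec = DPIARecord(
        dpia_id="DPIA-KYC-ONBOARDING", version="1.0",
        body={"purpose": "Video KYC with biometric liveness check",
              "residual_risk": "medium, accepted by CRO"},
        evidence={"consent_flow.png": b"<constructed screenshot bytes>",
                  "vendor_dpa.pdf": b"<constructed DPA bytes>"},
    )
    for who, role in (("asha", "privacy"), ("ravi", "security"), ("meera", "legal")):
        rec.approve(who, role, keys[who])
    rec.lock(required_roles={"privacy", "security", "legal"})
    clean = rec.verify(keys)                      # [] : chain intact
    rec.body["residual_risk"] = "low"             # retrospective edit after approval
    tampered = rec.verify(keys)                   # every approval now flags the edit
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before or "intact")
    print("after edit:", *after, sep="\n  ")
```

The point of the design is that the approval entries, not the document, are the audit artefact: an auditor re-running verify() with the approvers' keys can show that the body and attachments in front of them are byte-for-byte what was approved, and a record that needs changing after lock is forced into a new version with its own chain rather than an edit in place.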

CreativeCyber DPDP Assurance Platform

The DPIA wizard guides you through all 9 steps, pre-populates the risk table using AI from your processing description, and locks the record after multi-role approval, generating a CSITE-format report ready for regulator review. Evidence upload is embedded at each step so attachments are linked to the record, not merely referenced.
