Skip to main content

Q4 - What happens if an SDF fails to conduct a Data Protection Impact Assessment (DPIA) before launching a new high-risk product?

Answer

Failure to conduct a DPIA is a serious violation. Consequences include:

  • Investigation by the Board.
  • Orders to suspend or modify the processing activity until compliance is achieved.
  • Financial penalties, potentially running into crores, depending on the risk caused to individuals.
Example

If a large insurance company launches an AI-based health scoring app without a DPIA and the app discriminates against people with pre-existing conditions, the Board can impose heavy fines, require an immediate stop to processing, and order corrective action.