Q4 - What happens if an SDF fails to conduct a Data Protection Impact Assessment (DPIA) before launching a new high-risk product?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), conducting a Data Protection Impact Assessment (DPIA) is a mandatory obligation for all Significant Data Fiduciaries (SDFs) as per Section 10(2)(c). Failure to carry out a DPIA before initiating a new high-risk data-processing activity is treated as a breach of the Act, which can trigger investigation, penalties, and corrective measures by the Data Protection Board of India.
1. Legal Requirement
Section 10(2)(c) —
"Every Significant Data Fiduciary shall undertake periodic data protection impact assessments, periodic audits, and such other measures as may be prescribed to ensure compliance with the provisions of this Act."
This means that before launching any new product, feature, or processing activity involving large-scale or sensitive data, the SDF must perform and document a DPIA to identify and mitigate privacy and security risks.
2. Consequences of Non-Compliance
If an SDF launches a high-risk product without conducting a DPIA, the Data Protection Board may:
- Initiate an inquiry under Sections 27–28 to determine the nature and extent of the violation.
- Impose penalties under Section 33(1) and the Schedule, which lists breaches of SDF obligations under Section 10 as punishable by a fine of up to ₹150 crore.
- Issue corrective directions, including suspension of processing, requirement to conduct an immediate DPIA, or appointment of an independent auditor.
The Board also considers the nature, gravity, and duration of the breach, the type of data involved, and whether the SDF took any mitigation measures afterward.
3. Practical Impact
Failure to perform a DPIA can have serious business consequences:
- Launch delays if the Board orders a post-facto DPIA or temporary suspension.
- Damage to trust and compliance ratings with regulators and partners.
- Potential loss of SDF status or stricter oversight in future audits.
4. Illustrative Example
A major e-commerce platform designated as an SDF introduces an AI-based recommendation engine using customer behavior and location data without performing a DPIA. A privacy complaint leads to a Data Protection Board inquiry, which finds that the system lacked risk analysis for profiling and potential discrimination. The Board imposes a ₹75 crore penalty, orders a retroactive DPIA, and directs temporary suspension of the feature until compliance is demonstrated.
Referenced Provisions:
- Section 10(2)(c) – Mandatory DPIA and periodic audits for Significant Data Fiduciaries.
- Sections 27–28 – Board’s inquiry and enforcement powers.
- Section 33(1) – Power to impose monetary penalties.
- Schedule (Entry 4) – Breach of SDF obligations punishable up to ₹150 crore.