Prompt:
Privacy teams are often seen as the "no" department, especially during innovation projects. DPIAs are meant to guide the business, not block it — but what happens when the identified risk is too high, and the business still wants to proceed?
- What should a privacy professional do if they identify unmitigated high risk in a DPIA, but the leadership wants to move forward anyway?
- If the organization decides to ignore the DPIA outcome, what are the consequences under GDPR, DPDPA, and similar laws?
- What role does the supervisory authority or DPA play in such scenarios? How does “prior consultation” work, and when is it mandatory?
- Give an example (real or imagined) where commercial urgency conflicted with privacy risk — and how it could’ve been handled better.
Mini Case Study:
A food delivery app wants to implement mood detection using facial scanning to offer "comfort food" when users look sad. The technology is AI-driven and works without storing faces — only emotion data linked to a device ID is retained.
Their legal team says it’s “okay” because no names are collected.
Their marketing team says it’s “brilliant.”
Their DPO isn’t convinced.
You’re called in to mediate. What would you recommend?