When creating a new Service, the following steps should be considered:

• Register the Service
  The Service must first be registered in the CERN Service Catalogue.

• Identify processing activities and roles
  Service designers must identify the planned processing operations and any potential privacy issues. They must also determine whether the Service acts as a Controlling Service and/or Processing Service of personal data.

• Apply data minimisation and privacy by default
  Services must be configured by default to ensure the minimum necessary collection, processing, and sharing of personal data. This includes limiting data transfers into and out of the Service. Where applicable, such processing activities and data transfers must be documented in the Record of Processing Operations (RoPO).

• Document processing activities (Controlling Service role)
  If the Service acts as a Controlling Service, a RoPO must be completed and reviewed with the relevant stakeholders, including the Office of Data Privacy (ODP).

• Assess and mitigate risks
  If the processing is likely to result in a high risk in the absence of mitigation measures, prior consultation with the ODP is required to determine whether a Data Privacy Impact Assessment (DPIA) must be carried out.

• Ensure security throughout the lifecycle
  Appropriate security measures must be put in place to protect personal data throughout the entire lifecycle of the Service. When the Service is discontinued, all related personal data must either be securely transferred to a competent Service or permanently deleted so that it is no longer accessible.