Data Privacy Impact Assessment



Each Controlling Service shall undertake a Data Privacy Impact Assessment, in accordance with the procedure established by the ODP, prior to undertaking any Processing operation that has one or more of the following characteristics:

  • includes Sensitive Personal Data;
  • poses a high risk to the rights of Data Subjects;
  • involves a significant technological change in the processing; or
  • results in large-scale or recurrent processing.

The Service Owner shall determine whether a Data Privacy Impact Assessment is required; if in doubt, he or she shall consult the ODP.

A single assessment can be carried out for multiple Processing operations that pose similar risks.

Data Privacy Impact Assessments shall be sent to the ODP, which will maintain a record of the assessments carried out. Where the ODP considers that the proposed Processing operation is not proportionate to its stated purpose, it shall recommend how best to adapt the Processing operation. Where such adaptation is not feasible, the ODP can request that the Processing operation not be undertaken.