PART 4Intelligence services processing

CHAPTER 4Controller and processor

General obligations

103Data protection by design

(1)Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.

(2)A controller must implement appropriate technical and organisational measures which are designed to ensure that—

(a)the data protection principles are implemented, and

(b)risks to the rights and freedoms of data subjects are minimised.