(1)Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.
(2)A data protection impact assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data.
(3)A data protection impact assessment must include the following—
(a)a general description of the envisaged processing operations;
(b)an assessment of the risks to the rights and freedoms of data subjects;
(c)the measures envisaged to address those risks;
(d)safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
(4)In deciding whether a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must take into account the nature, scope, context and purposes of the processing.