Article 35 of the General Data Protection Regulation (GDPR) requires that Data Protection Impact Assessments (also known as privacy impact assessments) be undertaken in processing activities which are likely to result in a high risk to the rights and freedoms of individuals.
Prior to undertaking such processing activities, the controller (the Department) is required to carry out an assessment of the impact of such processing on the protection of the personal data.
Since the introduction of GDPR on 25 May this year, the Data Protection Unit is considering three such Data Protection Impact Assessments.