Privacy Risk Assessment and DPIA Policy

The Privacy Risk Assessment and DPIA Policy defines how an organization identifies, assesses, treats, approves, reviews, and evidences privacy risks within the PIMS scope. Its purpose is to ensure privacy risks and DPIA obligations are addressed before PII processing creates unacceptable risk to PII principals or to the PIMS. The policy applies to new and materially changed PII processing activities across controller, joint controller, processor, and subprocessor contexts. It also covers systems, applications, services, business processes, suppliers, processors, subprocessors, international transfers, and data-sharing arrangements that affect PII processing. A central feature of the policy is its REG04-based operating model. Privacy risk screening, DPIA screening, risk assessment, treatment plans, residual risk acceptance, consultation decisions, approvals, and review status are documented in REG04, with supporting evidence linked to REG02, REG03, REG08, REG09, REG10, REG11, and REG12. The policy expressly avoids creating separate DPIA, risk, or consultation registers outside REG04. This helps preserve a single evidence trail for screening outcomes, full-DPIA decisions, risk ratings, treatment owners, due dates, residual risk, approval status, and review dates. The policy sets mandatory triggers for privacy risk screening and full DPIA determination. Process Owners / Business Owners must initiate REG04 screening before new or materially changed processing recorded in REG02 begins. Controller processing likely to result in high risk requires a full DPIA before processing begins. The policy calls out processing involving large scale activity, systematic monitoring, profiling, automated decisions, special category PII, criminal conviction or offence data, vulnerable PII principals, innovative technology, and material processing change as matters that must be referred to the Privacy Lead / PIMS Manager before processing starts. It also requires re-screening before using PII for a new purpose, adding a new recipient, introducing a new processor or subprocessor, changing system architecture, or starting a new international transfer. Risk treatment and escalation are also clearly defined. Where privacy risk exceeds the approved acceptance threshold, the Process Owner / Business Owner must record a treatment plan in REG04 before processing proceeds. Security, system design, supplier, contractual, and assurance actions are assigned to the relevant role and must be implemented before go-live, onboarding, renewal, or the approved due date. High residual privacy risk for controller processing requires Top Management approval before processing begins or continues. Where high residual risk remains after treatment, the Privacy Lead / PIMS Manager records the prior consultation decision in REG04, and Top Management approves continuation, suspension, redesign, or consultation actions before the processing proceeds. Governance, monitoring, and enforcement requirements ensure the process remains active after initial approval. The Privacy Lead / PIMS Manager reviews open privacy risks and overdue treatment actions monthly, reports privacy risk and DPIA status quarterly and before management review, and reconciles active REG04 risk records against REG02 processing inventory records. The policy defines metrics for screening coverage, active full DPIAs, overdue reviews, high residual risks, treatment action status, average closure time, supplier actions, security treatment actions, incident-driven reassessment, and audit findings. Exceptions must be requested before deviation, assessed for privacy, legal, certification, operational, and PII principal impact, and given an expiry date not exceeding 90 days. Missing, inaccurate, incomplete, overdue, or unapproved REG04 evidence is treated as a nonconformity in REG12.