# Data protection impact assessment
# Bare Act
# Section 37(1)
Where the significant data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section.
# Section 37(2)
The Authority may, by regulations, specify such circumstances, or class of data fiduciary, or processing operation where such data protection impact assessment shall be mandatory, and also specify the instances where a data auditor under this Act shall be engaged by the data fiduciary to undertake a data protection impact assessment.
# Section 37(3)
A data protection impact assessment shall, inter alia, contain:
(a) detailed description of the proposed processing operation, the purpose of processing and the nature of personal data being processed;
(b) assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
(c) measures for managing, minimising, mitigating or removing such risk of harm.
# Section 37(4)
Upon completion of the data protection impact assessment, the data protection officer appointed under sub-section (1) of section 30, shall review the assessment and submit the assessment with his finding to the Authority in such manner as may be specified by regulations.
# Section 37(5)
On receipt of the assessment and its review, if the Authority has reason to believe that the processing is likely to cause harm to the data principals the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as the Authority may deem fit.