ASIRI

Scope and definitions under the NDPA

Understand who the NDPA applies to, what counts as personal data, and how controllers, processors, and DCPMIs fit together.

Plain English

What the chapter means in practice.

What this chapter covers

The first question in any NDPA program is whether the law applies to the organization, which data is in scope, and whether the organization acts as a controller, processor, or both.

Operational takeaway

Teams should create a processing inventory before buying tools, changing notices, or promising customers that a compliance program is complete.

Checklist

What to document.

  • List every product, website, app, form, vendor, and internal system that touches personal data.
  • Identify controller and processor roles per processing activity.
  • Record whether the organization may be treated as a DCPMI.

Related workflows

Turn the chapter into an operating workflow.