The Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, wp248rev.01, are available at here.
The GDPR requires controllers to implement appropriate measures to be able to demonstrate compliance with the GDPR itself, taking into account among others the “the risks of varying likelihood and severity for the rights and freedoms of natural persons” (article 24 (1)).
In line with the risk-based approach embodied by the GDPR, carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
The picture provided for in the Guidelines illustrates the basic principles related to the DPIA in the GDPR:
In addition, the Guidelines address the following topics.
- Scope of DPIA: single processing operation or a set of similar processing operations.
- Already existing processing operations.
- How to carry out a DPIA: when; who is obliged to carry out the DPIA; what is the methodology to carry out a DPIA; is there an obligation to publish the DPIA.
- When shall the supervisory authority be consulted.