The instrument for a privacy impact assessment (PIA) or data protection impact assessment (DPIA) was introduced with the General Data Protection Regulation (Art. 35 of the GDPR). This refers to the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing. One can bundle the assessment for several processing procedures.
Basically, a data protection impact assessment must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. The assessment must be carried out especially if one of the rule examples set forth in Art. 35(3) of the GDPR is relevant. In order to specify the open-ended wording of the law regarding the basic obligation to perform a privacy impact assessment, the supervisory authorities are involved. In a first draft, the Article 29 Working Party created a catalogue of ten criteria which indicate that the processing bears a high risk to the rights and freedoms of a natural person. These are for example scoring/profiling, automatic decisions which lead to legal consequences for those impacted, systematic monitoring, processing of special personal data, data which is processed in a large scale, the merging or combining of data which was gathered by various processes, data about incapacitated persons or those with limited ability to act, use of newer technologies or biometric procedures, data transfer to countries outside the EU/EEC and data processing which hinders those involved in exercising their rights. A privacy impact assessment is not absolutely necessary if a processing operation only fulfils one of these criteria. However, if several criteria are met, the risk for the data subjects is expected to be high and a data protection impact assessment is always required. If there is doubt and it is difficult to determine a high risk, a DPIA should nevertheless be conducted. This process must be repeated at least every three years.
In addition, the national supervisory authorities have to establish and publish a list of processing operations which always require a data protection impact assessment in their jurisdiction (positive list). They are also free to publish a list of processing activities which specifically do not require a privacy impact assessment (negative list). If a company has appointed a Data Protection Officer, his advice must be taken into account when conducting a DPIA. How and by what criteria the consequences and risks for the data subjects are assessed, remains largely unanswered. The first templates were guided by the inspection schemes of ISO standards or the Standard Data Protection Model.