The privacy impact assessment (PIA), called a data protection impact assessment (DPIA) in the General Data Protection Regulation, was introduced as a binding instrument by Art. 35 of the GDPR. It obliges the controller (the person or body responsible for the processing) to assess the impact of planned data processing and to document that assessment before the processing begins. A single assessment may cover several similar processing operations.
As a rule, a data protection impact assessment must be conducted whenever the processing is likely to result in a high risk to the rights and freedoms of natural persons. It is also mandatory in each of the standard cases listed in Art. 35 (3) of the GDPR: systematic and extensive profiling or other automated evaluation with legal or similarly significant effects, large-scale processing of special categories of personal data or of data on criminal convictions, and large-scale systematic monitoring of publicly accessible areas. The supervisory authorities are expected to give concrete shape to this general obligation. In its first draft guidelines, the Article 29 Working Party set out ten criteria that indicate a high risk to the rights and freedoms of natural persons: scoring or profiling; automated decisions with legal or similarly significant effects on the persons concerned; systematic monitoring; processing of special categories of personal data or other highly personal data; processing on a large scale; matching or combining datasets collected for different purposes; data about vulnerable persons, such as those who are incapacitated or have limited capacity to act; innovative use of new technologies or biometric procedures; data transfers to countries outside the EU/EEA; and processing that prevents the persons concerned from exercising their rights (the final version of the guidelines dropped the transfer criterion, leaving nine). Processing that meets only one of these criteria will usually not require a DPIA, although a single criterion can suffice in individual cases. If several criteria are met, the risk to the persons concerned is higher and a data protection impact assessment is required. Where there is doubt and the line is hard to draw, a DPIA should always be conducted. The GDPR requires the assessment to be reviewed whenever the risk presented by the processing changes (Art. 35 (11)); the Working Party recommends, as good practice, re-assessing it at least every three years.
In addition, each supervisory authority must establish and publish a list of the kinds of processing operations in its area of responsibility for which a privacy impact assessment is required (Art. 35 (4)). It may also publish a list of processing operations for which no assessment is required (Art. 35 (5)). If a company has appointed a Data Protection Officer, the controller must seek the officer's advice when conducting the DPIA (Art. 35 (2)). How, and by what criteria, the impacts and risks for the persons concerned are to be assessed is largely left open. The first templates drew on the audit schemes of ISO standards (notably ISO/IEC 29134, the guideline for privacy impact assessments) or on the Standard Data Protection Model (SDM) of the German supervisory authorities.