A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct Data Protection Impact Assessments (DPIAs) where the processing is likely to result in a high risk to the rights and freedoms of individuals, in order to analyse and minimise the risks to their data subjects.
Whenever a new data processing project is planned, the data controller should seek the advice of the data protection officer, where one has been designated, when carrying out the data protection impact assessment.
This will be a demanding task for many organisations, because the assessment must contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Where the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk, the controller must consult the supervisory authority before the processing begins.
A single assessment may address a set of similar processing operations that present similar high risks.