GDPR indicates that a Data Protection Impact Assessment (DPIA) is mandatory in cases where there is a high risk to the rights and freedoms of individuals. This task should be carried out prior to the processing of the data. Preventive measures have to be taken from the beginning.
A multi-step methodology has to be followed. GDPR indicates that, first, a systematic description of the processing activity to be performed must be made. Then “the necessity and proportionality of the processing with respect to its purpose” must be assessed. A risk assessment has to be carried out, and the measures to be taken on the basis of the identified risks have to be established.
The Data Protection Impact Assessment (DPIA) must be carried out by the data controller. If a Data Protection Officer (DPO) has been appointed, the DPO should carry it out.