Podľa metodiky:

"DPIAs are a useful way for data controllers to implement data processing systems that comply with the GDPR and can be mandatory for some types of processings. They are scalable and can take different forms, but the GDPR sets out the basic requirements of an effective DPIA. Data controllers should see the carrying out of a DPIA as a useful and positive activity that aids legal compliance.

Article 24(1) sets out the basic responsibility of the controller in terms of complying with the GDPR: “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”.

The DPIA is a key part of complying with the Regulation where high risk data processing is planned or is taking place. This means that data controllers should use the criteria set out in this document to determine whether or not a DPIA has to be carried out. Internal data controller policy could extend this list beyond the GDPR’s legal requirements.

This should result in greater trust and confidence of data subjects and other data controllers. Where a likely high risk processing is planned, the data controller must:
- choose a DPIA methodology (examples given in Annex 1) that satisfies the criteria in Annex 2, or specify and implement a systematic DPIA process that: o is compliant with the criteria in Annex 2; o is integrated into existing design, development, change, risk and operational review processes in accordance with internal processes, context and culture; o involves the appropriate interested parties and define their responsibilities clearly (controller, DPO, data subjects or their representatives, business, technical services, processors, information security officer, etc.);
- provide the DPIA report to the competent supervisory authority when required to do so;
- consult the supervisory authority when they have failed to determine sufficient measures to mitigate the high risks;
- periodically review the DPIA and the processing it assesses, at least when there is a change of the risk posed by processing the operation;
- document the decisions taken.