The EDPS has adopted and published its lists of the kinds of processing operations that require a data protection impact assessment (DPIA) under Article 39 of the data protection regulation for the EU institutions, as well as those that at first sight do not require a DPIA.
The EDPS adopted these lists after consulting the European Data Protection Board (EDPB) on the draft lists. They provide additional guidance to controllers in the EU institutions and complement the ‘Accountability on the ground’ toolkit. In line with the Article 29 Working Party Guidelines on DPIAs, endorsed by the EDPB, the lists give controllers criteria for assessing whether they need to carry out a DPIA; the lists are not exhaustive.
DPIAs are a new concept in the data protection regulation for the EU institutions, mirroring equivalent provisions in the GDPR. The DPIA process aims to provide assurance that controllers adequately address privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations to comply with the requirement of data protection by design where it is needed the most, i.e. for ‘risky’ processing operations.