The GDPR's accountability principle (Articles 5(2) and 24) requires controllers to be able to demonstrate compliance with the Regulation. One concrete instrument for this is the data protection impact assessment (DPIA): under Article 35 GDPR, a DPIA must be carried out before processing that is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) names, in particular (the list is not exhaustive), three cases of 'high-risk' processing:
- a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects for individuals or similarly significantly affect them;
- processing on a large scale of special categories of personal data (Article 9) or of personal data relating to criminal convictions and offences (Article 10); and
- systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).
Please visit: https://gdpr-info.eu/art-35-gdpr/
The Article 29 Working Party issued Guidelines on Data Protection Impact Assessments (WP 248), which set out criteria for deciding when processing is 'likely to result in a high risk'. The European Data Protection Board (EDPB) endorsed the GDPR-related WP29 Guidelines, including WP 248, when it took over from the Working Party in May 2018.
In Austria, the Data Protection Authority (Datenschutzbehörde) has issued a DPIA Exemption Regulation (DSFA-AV), the list of types of processing operations for which no data protection impact assessment is required (the 'whitelist' under Article 35(5) GDPR).
The Austrian Data Protection Authority has also issued a regulation on processing operations for which a data protection impact assessment must be carried out (DSFA-V, the 'blacklist' under Article 35(4) GDPR), together with explanatory notes.