Under the General Gata Protection Regulation (GDPR), controllers must now now:
Keep a record of their processing activities (see here for more details); and
Carry out a Data Protection Impact Assessment (DPIA) where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects.
A DPIA is a process designed to describe the processing, assess its necessity and proportionality and manage the risks to the individuals’ rights and freedoms resulting from thereof.