1. General Data Protection Regulation (EU) 2016/679, Article 36(1): "The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk." This text explicitly states that consultation (and submission of the DPIA) is conditional on unmitigated high risk, not a universal requirement.
2. Information Commissioner's Office (ICO), "Data protection impact assessments": In the section "When do we need to consult the ICO?", the official guidance states: "You must consult the ICO before you begin processing if your DPIA identifies a high risk and you cannot take any measures to reduce this risk." This confirms that not all DPIAs are submitted. The same guidance also links DPIAs to accountability and data protection by design.
3. University of Cambridge, "GDPR: Data Protection Impact Assessments (DPIA)": The university's official compliance documentation states, "A DPIA is a key element of the 'accountability' principle of the GDPR... It is also a key part of the 'data protection by design' approach." This source, from a reputable academic institution, validates that options B and C are core purposes of a DPIA.
