Article 35 of the GDPR regulates the data protection impact assessment.
7) The assessment shall contain at least:
a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.