The guidelines show that the DPIA activity is quite complex, characterised by:
- Risk management (it can be appropriate to consider the use of ISO 31000), which is conducted on two levels:
  - information security,
  - assessment of the risk to the rights and freedoms of natural persons (a particular aspect of the DPIA);
- Repeating the DPIA whenever the possible risks change, considering the nature, object, context and purpose of the processing (to be repeated at least every three years);
- The preparation of the Register of processing operations (as required by art. 30 of EU Regulation 2016/679).
It also shows that, for all existing processing operations, the DPIA will have to be completed before the Regulation enters into force, that is by May 25, 2018 at the latest (not an easy thing; we should start getting busy): video surveillance is a processing operation for which a DPIA should always be carried out.
You can find the guideline here.