The WP29 published its guidelines to clarify the outlines of the obligation to conduct impact assessments under Article 35 of the GDPR.

These guidelines provided details of the processing concerned by this obligation and the procedures for implementing these impact assessments.

They developed criteria to assess whether “a high risk to the rights and freedoms of natural persons” exists, and, if so, whether an impact assessment should be conducted.

They also clarified the cases in which an impact assessment would not be mandatory.

The WP29 indicated that processing implemented before May 25th, 2018, was not concerned by the obligation to carry out an impact assessment, but it strongly recommended doing so.

It also clarified when to conduct an impact assessment, who should do it and how to carry it out.