What actions must be taken before requesting prior consultation?
The necessary precondition for prior consultation with the supervisory authority is to carry out Data Protection Impact Assessment to evaluate, in particular, the origin, nature, particularity and severity of the risk to the rights and freedoms of natural persons. The assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk.
The GDPR gives controllers freedom to choose the methodology to carry out a DPIA, but this methodology should be in line with the criteria set out in Annex 2 to the Art. 29 Working Party's Guidelines on Data Protection Impact Assessment and determining whether processing is "likely to result in a high risk” for the purposes of Regulation 2016/679 (WP 248). Those criteria can be used to demonstrate that a specific methodology of a DPIA meets the standards set out in the GDPR.
Helpful information can also be found in the guide prepared by GIODO ‘How to Understand and Apply a Risk-Based Approach?’ in which the next possible steps of actions taken to carry out the overall risk assessment and specific risk assessment were presented.
Close cooperation between controller, data protection officer and processor at each stage of a DPIA is recommended.
Where a DPIA indicates that - due to lack of safeguards, security means and mechanisms mitigating the risk - processing operations would result in a high risk to the rights and freedoms of natural persons, which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, the controller is obliged to consult the supervisory authority whether the intended data processing is compliant with the GDPR.