The GDPR requires controllers to implement appropriate measures to be able to demonstrate compliance with the GDPR itself, taking into account among others the “the risks of varying likelihood and severity for the rights and freedoms of natural persons” (article 24 (1)).
In line with the risk-based approach embodied by the GDPR, carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
EU DPAs have issued blacklist and whitelist for DPIA. Read here.
Read here some Users’ guidance on DPIA under the GDPR published by EU Data Protection Authorities.
On July 17, 2019, the European Data Protection Supervisor (EDPS) adopted and published a list of the types of processing operations that require a data protection impact assessment (DPIA).
For a useful table listing and summarizing the blacklists published up to now, see here
Also, the predecessor of EDPB, i.e. WP29’s Guidelines on Data Protection Impact Assessment (DPIA) published a guideline determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.