Incorporating security, and by extension Data Protection, into the design of procedures, processes and the applications that support them should be a natural occurrence. Unfortunately this is not the case: security is usually bolted on at the last minute, after all the processes have been designed (and sometimes even implemented).
GDPR changes this by writing the requirement into law under the term "Data Protection by design and by default". This means that any procedure or process designed with the intention of capturing or processing personal data will have to take Data Protection into account from the beginning.
Data Protection Impact Assessments
A Data Protection Impact Assessment will allow you to identify and fix problems at an early stage of any process design, reducing implementation costs and potential brand damage associated with a problem in the processing of private data.
A DPIA will also benefit you by helping you identify and address, at an early stage, any amendments to documentation and policies that support your Accountability and Governance requirements.
Data Protection Impact Assessments will be mandatory with GDPR under certain circumstances:
Where there is a change in technology (and therefore a potential migration of personal data);
Where a profiling operation is likely to significantly affect individuals;
Where there is large-scale processing of special categories of data.
If your Risk Analysis indicates that the risk remains high after all mitigation actions have been addressed, and you can't do anything more to reduce those risks, then you must consult the ICO to seek its opinion on whether the processing operation is compliant with GDPR.
The ICO has produced a very useful code of practice for Privacy Impact Assessments; a PDF version is available from the ICO.
This code of practice also shows how to link PIAs to other processes, such as risk management and project management.
GDPR is coming into force on 25th May 2018.