Article 35 of the GDPR requires data controllers to engage in Data Protection Impact Assessments (DPIAs) for certain high-risk processing. This measure is controversial. On the one hand, it generates substantial costs, and might amount to mere "box ticking" rather than an in-depth analysis of the risks the process involves. On the other hand, it might require firms to seriously consider privacy harms at an early stage of the project, as well as limit the early involvement of the DPAs in the supervision of firms. Discuss the various benefits and detriments of this new measure, with view to sources such as those from the UK'sICO (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/) and IT Governance blog (https://www.itgovernance.co.uk/blog/gdpr-six-key-stages-of-the-data-protection-impact-assessment-dpia). You might also want to do some online research about the successes and failures of Privacy Impact Assessmentshttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=2222322 (the cousin, if you will, of DPIAs) in other countries.