A DPIA is not always compulsory in the case of IoT development (see “In what cases must I carry out a DPIA” subsection within “Data Protection Impact Assessment”, “Main Tools and Actions”, Part II of these Guidelines). It depends on whether the risks associated with the processing are high or not, according to Article 35(3) of the GDPR. However, it is highly recommended as it supports accountability. For instance, DPIA is compulsory if processing involves a systematic monitoring of a publicly accessible area on a large scale, or it is intended at evaluating or scoring vulnerable populations. In any case, the WP29 included some fundamental criteria in its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.
In case of doubt, consultation of the competent supervisory authority prior to processing is highly recommended (see the “Data Protection Impact Assessment” section of the “Main Tools and Actions”, Part II of these Guidelines).
The CNIL created an excellent tool aimed at providing advice on how to perform a Privacy Impact Assessment, which includes a well-designed and practical advice. Consulting it is highly recommended: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-piaf-connectedobjects-en.pdf
If a DPIA is necessary:
1A29WP, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, Adopted on 4 April 2017 As last Revised and Adopted on 4 October 2017, at: https://ec.europa.eu/newsroom/article29/items/611236/en . ↑
2CNIL, Privacy Impact Assessment. Application to IoT devices. February 2019. At: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-piaf-connectedobjects-en.pdf ↑