When is an organization required to conduct a Data Protection Impact Assessment (DPIA)?

Study for the IAPP Certified Information Privacy Professional/Europe Exam. Use flashcards and multiple choice questions for effective preparation, with detailed hints and explanations. Get ready to boost your career in data privacy!

An organization is required to conduct a Data Protection Impact Assessment (DPIA) primarily when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. This requirement stems from the General Data Protection Regulation (GDPR), which requires a DPIA for processing activities that could significantly affect individuals, especially in situations involving large-scale data processing, systematic monitoring, or the processing of special categories of data.

The essence of the DPIA is to assess the risks posed by data processing activities, implement measures to mitigate those risks, and ensure compliance with data protection principles. When an organization identifies that its data processing may lead to high risks, conducting a DPIA becomes essential to protect individuals and demonstrate accountability under GDPR.

The other options hint at scenarios where a DPIA may be important but do not capture the primary trigger for its requirement. While processing sensitive categories of data can be a factor leading to high risk, it is not a standalone requirement. Similarly, although a supervisory authority can mandate a DPIA in certain situations, the overarching principle remains that the assessment is driven by the potential risk posed to individuals' rights and freedoms. Therefore, option B encapsulates the fundamental guideline for when a DPIA is required.
