(90) In such a case, the controller should carry out a data protection impact assessment prior to processing in order to assess the specific likelihood and severity of that high risk, taking into account the nature, scope, context and objectives of the processing and the source of the risk.
„We do not need IT documentation, we know how to operate."
Are you sure about that?

