The supervisory authority shall establish and make public a list of the kind of operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1.Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk …Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk …The ico is required by article 35 (4) to publish a list of processing operations that require a dpia.This list complements and further specifies the criteria referred to in the european guidelines.Experience shows that conducting a dpia also requires at least a basic knowledge of general data protection and data security issues (depending on the composition of the dpia team).