The controller must carry out a Data Protection Impact Assessment (DPIA) before it starts any processing that may lead to a high risk for the data subjects.
A DPIA is particularly essential before any processing that involves new technology, profiling, automated decision-making that has legal effects on the individual, processing of special categories of personal data, or other processing that may lead to a high risk for the data subjects.
The primary purpose of a DPIA is to map out the risks related to processing that requires extra caution. This also gives the controller the opportunity to implement routines and safeguards to eliminate the risks.
A DPIA is also an important measure to demonstrate accountability, following Article 5(2) of the GDPR.