Answer: You would need an Inventory of Processing Activities only if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
A DPIA is necessary only if the type of processing is likely to result in a high risk to the rig hts and freedoms of individuals. To assess whether something is ‘high risk’, the GDPR is clear that you need to consider both the likelihood and severity of any potential harm to individuals. ‘Risk’ implies a more than a remote chance of some harm. The DPIA Register in the EU GDPR Documentation Toolkit has the first questions set up as threshold questions. If your answer to any of those questions is "Yes", then you need a DPIA.
2. Do we have to always perform both of these activities every time we use the customers' data? Does this only apply to customer's data that resides in EU?
Answer: No, you just need to do it once as long as the processing stays the same. It should only be undertaken if the personal data processed is of data subjects in the Union.