DPIA Template: Follow These Steps for Your Data Protection Impact Assessments

Written by Matt Davis, CIPM (IAPP) | April 5, 2024

The GDPR contains plenty of requirements, penalties, obligations, rights, and definitions—but it doesn’t contain a specific template for DPIAs, or data protection impact assessments. 

If you’re struggling to identify exactly what your DPIA is supposed to contain, you can review this blog to find out how to start. We’ll walk through what a DPIA is, the actual template itself, and then guidance on how you can make the DPIA process and workflow faster and easier. 

DPIAs: The Basics 

DPIAs are covered in Article 35 of the GDPR. Here’s what Article 35 has to say about DPIAs: 

Where a type of processing [...] is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. 

It goes on to list three specific circumstances where a DPIA is required, though this list is not exhaustive: 

  • Data processing activities that involve automated decision-making. 
  • Processing special categories of data (such as data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and others). 
  • Systematic monitoring of a public area. 

Generally speaking, any major project that involves personal data should have a DPIA associated with it. 

For more details, take a look at What Is a DPIA (Data Protection Impact Assessment)? 

Sample DPIA Template

1. Identify the Need for a DPIA

Provide a summary of why you believe the project needs a DPIA. What does it aim to achieve, and what type of processing does it involve? Refer to supporting documents, such as project proposals, as needed.

2. Describe the Processing

You’ll want to detail the nature, scope, context, and purpose of the processing. That includes answering questions like:

  • Nature of the processing: How do you intend to use the data? Will you share it with others? Are there high-risk processing activities involved?
  • Scope of the processing: Does the data include special category data or data related to criminal offences? How much data will you collect and process? When will you delete the data? How many individuals will be affected by the processing, and how many geographical regions will be involved? 
  • Context of the processing: What is your relationship with the data subjects? Do they know about how you intend to use their data, and do they have control over that process? Are there any public concerns associated with the intended use of the data? Are other frameworks, codes of conduct, or certification schemes involved? 
  • Purpose of the processing: What are your intended goals? What are the benefits of the processing for both your organization and the broader world? 

3. Consult With Experts and Record Their Responses

What other experts and stakeholders will you include in your DPIA, and what was their feedback? Did you speak with the individuals likely to be impacted by the processing, information security and privacy experts, or downstream processors?

4. Assess Necessity and Proportionality

This step in your DPIA is all about determining whether the processing really needs to or should occur in the first place. Do you have a solid lawful basis for the processing? Does the processing actually achieve your goal, and are you only collecting the data that you absolutely need to do so? Are there alternative approaches that don’t require data collection? Ask yourselves questions along these lines and record the relevant information here. 

5. Identify and Assess Risks

Identify and list the sources and nature of the various risks that could be associated with the processing. For each risk, score its:

  • Likelihood of harm—is it remote, possible, or probable? 
  • Severity of harm—is it minimal, significant, or severe? 
  • Overall risk—is it low, medium, or high? 

6. Identify Measures to Reduce Risk

Based on the risks you previously identified, list out the measures you could take to reduce or eliminate them, focusing especially on the high and medium risks. 

Then, for each measure, describe its effect on the identified risk, including: 

  • Whether the risk has been eliminated, reduced, or is merely being accepted. 
  • Whether there is low, medium, or high residual risk. 
  • Whether the intervention has been approved as being sufficient. 

7. Sign Off and Record Outcomes

Create a record of approvals and outcomes. This should include: 

  • Who approved various measures, their integration into the project plan, as well as the date and responsibility for completion. 
  • Who approved the residual risks. If any residual risk was found to be high risk, then your local data protection authority should be consulted first. Their approval or disapproval ought to be recorded here. 
  • What advice your DPO provided, such as compliance, risk reduction measures from step 6, and whether the processing can proceed. 
  • Whether the DPO’s advice was accepted or overruled, by whom, and for what reasons. 
  • Who reviewed the responses of consulted experts, whether decisions departed from these individuals’ view, and why. 
  • How the DPO assesses ongoing project compliance with the DPIA over time. 
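Steps 5 through 7 above amount to a small risk register: score each risk, record the measure taken and the residual risk, and make sure anything still rated high goes to the data protection authority before processing begins. The following is an added example of such a register in Python; it is not code from the original article or from Osano. The likelihood × severity matrix that produces the overall rating is an assumption (the article names the three scales but not how they combine), the "none" residual level for eliminated risks is a choice made here, and the sample register entries are constructed.

```python
"""Minimal DPIA risk register (added example; assumptions are marked).

Step 5: score likelihood, severity and overall risk.
Step 6: record the measure, its effect (eliminated / reduced / accepted),
        the residual risk, and whether the measure was approved.
Step 7: produce the sign-off summary, flagging high residual risks that
        require consulting the data protection authority first.
"""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = ("remote", "possible", "probable")
SEVERITY = ("minimal", "significant", "severe")
RISK_LEVEL = ("low", "medium", "high")
EFFECT = ("eliminated", "reduced", "accepted")

# ASSUMED matrix: likelihood row x severity column -> overall risk.
# The article gives the scales but not the mapping; adjust to your policy.
RISK_MATRIX = {
    "remote":   {"minimal": "low",    "significant": "low",    "severe": "medium"},
    "possible": {"minimal": "low",    "significant": "medium", "severe": "high"},
    "probable": {"minimal": "medium", "significant": "high",   "severe": "high"},
}


def score_risk(likelihood: str, severity: str) -> str:
    """Step 5: derive the overall risk from the two scored dimensions."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"unknown scale value: {likelihood!r}/{severity!r}")
    return RISK_MATRIX[likelihood][severity]


@dataclass
class Risk:
    description: str
    likelihood: str
    severity: str
    measure: str = ""          # step 6: what will be done about it
    effect: str = "accepted"   # step 6: eliminated | reduced | accepted
    residual: str = ""         # step 6: residual level after a "reduced" measure
    approved: bool = False     # step 6: measure approved as sufficient

    def overall(self) -> str:
        return score_risk(self.likelihood, self.severity)

    def residual_risk(self) -> str:
        """Residual risk after the measure. An accepted risk keeps its
        original score; an eliminated one has no residual risk ("none",
        a level chosen for this example)."""
        if self.effect not in EFFECT:
            raise ValueError(f"unknown effect: {self.effect!r}")
        if self.effect == "accepted":
            return self.overall()
        if self.effect == "eliminated":
            return "none"
        if self.residual not in RISK_LEVEL:
            raise ValueError("a reduced risk needs a residual level")
        return self.residual


def consultation_required(register: list[Risk]) -> list[Risk]:
    """Step 7: a high residual risk means the DPA is consulted first."""
    return [r for r in register if r.residual_risk() == "high"]


def signoff_summary(register: list[Risk]) -> dict:
    """Counts and blockers for the step 7 record of outcomes."""
    counts = {level: 0 for level in RISK_LEVEL + ("none",)}
    for r in register:
        counts[r.residual_risk()] += 1
    unapproved = [r.description for r in register if not r.approved]
    blockers = [r.description for r in consultation_required(register)]
    return {
        "residual_counts": counts,
        "unapproved_measures": unapproved,
        "dpa_consultation": blockers,
        "can_proceed": not blockers and not unapproved,
    }


# Constructed sample register for a hypothetical analytics project.
SAMPLE_REGISTER = [
    Risk("Re-identification of pseudonymised users", "possible", "severe",
         measure="Aggregate to cohorts of 50+ before export",
         effect="reduced", residual="low", approved=True),
    Risk("Unnecessary retention of raw event logs", "probable", "significant",
         measure="Automated deletion after 30 days",
         effect="eliminated", approved=True),
    Risk("Vendor access to special category data", "possible", "severe",
         effect="accepted", approved=False),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.description}: overall={r.overall()} residual={r.residual_risk()}")
    print(signoff_summary(SAMPLE_REGISTER))
```

Running it on the sample register shows the point of steps 6 and 7 together: the third risk is merely accepted, so its residual rating stays high, the summary lists it under `dpa_consultation`, and `can_proceed` is false until that consultation and approval are recorded.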

The Core Challenge 

Filling out a form according to these instructions is straightforward enough—but the reality of implementing them on a per-project basis is complex. 

DPIAs need to be conducted before work can begin, and they must be maintained as work goes on. That means multiple stakeholders need to be aligned in terms of what their contributions must be and when they must be made. Consider the different parties involved: 

  • Your organization’s DPO. 
  • Project leads. 
  • The data subjects and other impacted individuals. 
  • Security, privacy, and other subject matter experts. 
  • Downstream processors, such as your vendors. 
  • Your local data protection authorities. 

Some of these stakeholders can’t be rushed (like your local data protection authority), which means receiving timely information from the parties you have a working relationship with (such as your colleagues, DPO, and vendors) is essential. 

Moreover, assessments like these need to be conducted and then maintained on a regular basis. As they build up, it can be easy for a DPO or other privacy professional to lose track of which DPIAs are out of date, which are awaiting input from DPIA stakeholders, and so on. 

That’s why DPOs and privacy professionals should look for a data privacy management platform with a built-in assessments module. In the Osano platform, you can: 

  • Assign stakeholders action items. 
  • Send automated reminders.  
  • Schedule regular review cadences. 
  • Review status of current assessments. 
  • Store and centralize assessments. 

That’s not to mention the library of other assessment types and custom assessment functionality in Osano—or its suite of additional privacy solutions. 

Schedule a demo of the Osano Platform today! Or, if you’d like to walk through the DPIA process on your own to understand requirements, download a DPIA template here.