Data Protection Impact Assessments (DPIAs) are an important part of data protection
compliance, particularly the data protection by design and by default approach advocated by the
GDPR. When a project is likely to result in a high risk to the individuals
whose personal data will ultimately be involved, the law requires that you
carry out a DPIA. Even when a DPIA is not legally required, it is still a
useful exercise when planning a project that will involve the use of
In simple terms, a DPIA helps you to identify and minimise the risks to
personal data and data protection in your project. You should identify not
only the risks themselves but also their likelihood and severity.
It is vitally important to note that a DPIA is a serious exercise. If a
high risk is identified that cannot be mitigated satisfactorily, you must
consult with the Information Commissioner’s Office before starting to
process personal data for the relevant purpose or purposes.
This template is a shorter and simpler version of our GDPR Data Protection
Impact Assessment and is designed to be more open and flexible while still
following the criteria set out in the GDPR. Rather than setting out a
prescriptive set of granular questions under every heading, many sections
in this DPIA template simply set out the key issues to be considered,
enabling you to tailor the DPIA to your project more easily.
Under the GDPR, you must carry out a DPIA if you plan to:
- Carry out systematic and extensive profiling that will have significant
- Process sensitive personal data (or data about criminal offences) on a
large scale; or
- Systematically monitor public spaces on a large scale.
These may well not apply to many small businesses, but the Information
Commissioner’s Office (ICO) has additional criteria that call for a
- Using new technologies;
- Using profiling or sensitive personal data to determine individuals’
access to services;
- Profiling individuals on a large scale;
- Processing biometric or genetic data;
- Matching or combining data from multiple sources;
- Collecting personal data from a source other than an individual without
providing the individual with a privacy notice (known as ‘invisible
- Tracking individuals’ location or behaviour;
- Profiling children or targeting services to them; or
- Processing data that may endanger individuals’ physical health or safety
if a security breach occurs.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
This Data Protection Impact Assessment (Short Form) contains the following
1. Project Summary
2. Is a DPIA Required?
4. Necessity and Proportionality
6. Solutions to Identified Risks
7. Approved Solutions
8. Integration of DPIA Outcomes into Project Plan
9. Approval and Sign-Off
This Data Protection Impact Assessment (Short Form) is in open format.
Either enter the requisite details in the highlighted fields or adjust the
wording to suit your purposes.