Data Protection Impact Assessment Template

A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA), is a key part of GDPR compliance when using personal data in certain ways, as described below.

This document has been recently updated to include new screening criteria and a significantly more detailed section on data subjects, and personal data collection, holding, and usage. We will also be considering new risk and solution examples in due course.

Note: A Data Protection Impact Assessment is not something to be taken lightly, particularly if it is required under the GDPR or by the ICO according to the screening criteria outlined below.

If a high risk is identified and you cannot mitigate it satisfactorily with a solution, you must consult the ICO before starting to process personal data for the relevant purposes.

This template is designed to help you to identify and reduce the privacy risks posed both to individuals and to your business by new projects involving the use of personal data.

The purpose of a DPIA is to document the identification of privacy risks in a new project, the proposed solutions, the evaluation of those solutions, the agreed solutions, and the integration of those solutions into the overall project plan. Ideally, risks will be eliminated or significantly minimised, allowing the project to proceed unhindered and protecting the rights of individuals.

Under the GDPR, you must carry out a DPIA if you plan to:
- Carry out systematic and extensive profiling that will have significant effects;
- Process sensitive personal data (or data about criminal offences) on a large scale; or
- Systematically monitor public spaces on a large scale.

These may well not apply to many small businesses, but the Information Commissioner’s Office (ICO) has additional criteria that call for a DPIA:
- Using new technologies;
- Using profiling or sensitive personal data to determine individuals’ access to services;
- Profiling individuals on a large scale;
- Processing biometric or genetic data;
- Matching or combining data from multiple sources;
- Collecting personal data from a source other than an individual without providing the individual with a privacy notice (known as ‘invisible processing’);
- Tracking individuals’ location or behaviour;
- Profiling children or targeting services to them; or
- Processing data that may endanger individuals’ physical health or safety if a security breach occurs.

What’s more, even if your proposed project does not meet the above criteria, it can still be good practice to carry out a DPIA. By identifying risks early and building solutions into a new project, you are far less likely to inadvertently stumble and fall foul of the GDPR. Not only can the fines be significant, but perhaps more importantly, a mistake involving personal data and privacy could cost you your reputation and end up doing more damage than a fine ever could.

This DPIA template begins with a summary of the proposed project, followed by a series of screening questions, many of which are based on the above criteria. Details of internal and external parties (such as data processors, individual data subjects, key staff members etc.) to be consulted follow. The DPIA then sets out details of the personal data to be collected and how it is to be processed, stored, retained, and shared. Details of your lawful basis or bases for processing should also be provided here.

The next three sections of the DPIA cover risk identification. Please note that the potential risks already included in the template should be used as a starting point only. The included risks are not exhaustive and great care must be taken to ensure that you have identified all possible risks associated with your project. Each risk should be assessed in terms of its severity of impact, and the likelihood that it will occur. Space is provided for notes or comments, but do not detail solutions at this point. Space is provided for that later in the assessment.

The eighth section of the DPIA looks at proposed solutions. Each risk identified should be addressed here. In some cases, one solution will address multiple risks. Please note that the possible solutions already included in the template should be used as a starting point only. The included solutions are not exhaustive and great care must be taken to ensure that you have established suitable solutions for all risks associated with your project. Each solution should be evaluated carefully.

Next come the approved solutions. These should be drawn from the evaluations of proposed solutions in the previous section.

It is important to tie your chosen solutions into your overall project plan. Section 10 of the DPIA maps out this process and includes space to detail specific actions to be taken in response to identified risks and solutions.

The final section should be used to approve and sign-off the completed DPIA.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Data Protection Impact Assessment is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.

Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.