Sample DPIA template

This template is an example of how you can record your DPIA process and outcome.
It follows the process set out in our DPIA guidance, and should be read alongside
that guidance and the Criteria for an acceptable DPIA set out in European guidelines
on DPIAs.

You should start to fill out the template at the start of any major project involving
the use of personal data, or if you are making a significant change to an existing
process. The final outcomes should be integrated back into your project plan.

Submitting controller details

Name of controller 25 din
Subject/title of DPO Mr. XYZ
Name of controller contact /DPO Mr. PQR
(delete as appropriate)

DPIA template
20180622
v0.4 1

1
Step 1: Identify the need for a DPIA
Explain broadly what project aims to achieve and what type of processing it
involves. You may find it helpful to refer or link to other documents, such as a
project proposal. Summarise why you identified the need for a DPIA.

What the Project wishes to achieve: Project Proposal

What type of processing is involved:
Why is there a need to conduct DPIA:

DPIA template
20180622
v0.4 2

2
Step 2: Describe the processing
Describe the nature of the processing: how will you collect, use, store and
delete data? What is the source of the data? Will you be sharing data with anyone?
You might find it useful to refer to a flow diagram or other way of describing data
flows. What types of processing identified as likely high risk are involved?

Describe the scope of the processing: what is the nature of the data, and does
it include special category or criminal offence data? How much data will you be
collecting and using? How often? How long will you keep it? How many individuals
are affected? What geographical area does it cover?

DPIA template
20180622
v0.4 3

3
Describe the context of the processing: what is the nature of your relationship
with the individuals? How much control will they have? Would they expect you to
use their data in this way? Do they include children or other vulnerable groups? Are
there prior concerns over this type of processing or security flaws? Is it novel in any
way? What is the current state of technology in this area? Are there any current
issues of public concern that you should factor in? Are you signed up to any
approved code of conduct or certification scheme (once any have been approved)?

DPIA template
20180622
v0.4 4

4
Describe the purposes of the processing: what do you want to achieve? What
is the intended effect on individuals? What are the benefits of the processing – for
you, and more broadly?

Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how
you will seek individuals’ views – or justify why it’s not appropriate to do so. Who
else do you need to involve within your organisation? Do you need to ask your
processors to assist? Do you plan to consult information security experts, or any
other experts?

DPIA template
20180622
v0.4 5

5
Step 4: Assess necessity and proportionality
Describe compliance and proportionality measures, in particular: what is
your lawful basis for processing? Does the processing actually achieve your
purpose? Is there another way to achieve the same outcome? How will you prevent
function creep? How will you ensure data quality and data minimisation? What
information will you give individuals? How will you help to support their rights? What
measures do you take to ensure processors comply? How do you safeguard any
international transfers?

DPIA template
20180622
v0.4 6

6
Step 5: Identify and assess risks

DPIA template
20180622
v0.4 7

7
Describe source of risk and nature of Likelihood Severity Overall
potential impact on individuals. Include of harm of harm risk
associated compliance and corporate risks as
necessary.

Remote, Minimal, Low,

possible or significant medium
probable or severe or high

DPIA template
20180622
v0.4 8

8
Step 6: Identify measures to reduce risk

DPIA template
20180622
v0.4 9

9
Identify additional measures you could take to reduce or eliminate risks
identified as medium or high risk in step 5

Risk Options to reduce or Effect on Residual Measure

eliminate risk risk risk approve
d

Eliminated Low Yes/no

reduced medium
accepted high

DPIA template
20180622
v0.4 10

10
Step 7: Sign off and record outcomes
Item Name/position/date Notes

Measures approved by: Integrate actions back into

project plan, with date and
responsibility for completion

Residual risks If accepting any residual high

approved by: risk, consult the ICO before going
ahead

DPO advice provided: DPO should advise on

compliance, step 6 measures and
whether processing can proceed

Summary of DPO advice:

DPO advice accepted If overruled, you must explain

or overruled by: your reasons

Comments:

Consultation responses If your decision departs from

reviewed by: individuals’ views, you must
explain your reasons

Comments:

This DPIA will kept The DPO should also review

under review by: ongoing compliance with DPIA

DPIA template
20180622
v0.4 11

11