Data Protection Impact Assessment (DPIA)
Project: {{PROJECT_NAME}}
Processing Activity: {{PROCESSING_ACTIVITY_NAME}}
Version: {{VERSION}}
Date: {{DATE}}
Author: {{AUTHOR}}
DPO: {{DPO_NAME}} ({{DPO_EMAIL}})
Status: Draft | DPO Review | Approved | Requires Supervisory Authority Consultation
Reviewers: {{REVIEWERS}}
Classification: Confidential
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | {{DATE}} | {{AUTHOR}} | Initial draft |
| 1.0 | {{DATE}} | {{DPO_NAME}} | DPO reviewed and approved |
DPIA Trigger Checklist
A DPIA is required if ANY of the following apply:
| # | Trigger | Applies? | Notes |
|---|---|---|---|
| 1 | Systematic and extensive evaluation of personal aspects (profiling, automated decision-making with legal/significant effects) | {{YES/NO}} | {{NOTES}} |
| 2 | Large-scale processing of special category data (health, religion, ethnicity, sexual orientation, criminal records) | {{YES/NO}} | {{NOTES}} |
| 3 | Systematic monitoring of publicly accessible areas (CCTV, tracking) | {{YES/NO}} | {{NOTES}} |
| 4 | Processing of biometric or genetic data | {{YES/NO}} | {{NOTES}} |
| 5 | Processing of data concerning vulnerable data subjects (children, employees, patients) | {{YES/NO}} | {{NOTES}} |
| 6 | Innovative use of technology with unpredictable privacy impact | {{YES/NO}} | {{NOTES}} |
| 7 | Cross-border transfer outside EEA without adequate protection | {{YES/NO}} | {{NOTES}} |
| 8 | Processing data that prevents data subjects from exercising rights | {{YES/NO}} | {{NOTES}} |
DPIA Required: YES / NO
Reason: {{REASON_IF_TRIGGERED}}
1. Processing Activity Description
1.1 Activity Overview
Activity Name: {{PROCESSING_ACTIVITY_NAME}}
System/Product: {{SYSTEM_NAME}}
Business Unit: {{BUSINESS_UNIT}}
Processing Owner: {{OWNER_ROLE}} ({{OWNER_EMAIL}})
Description of Processing: {{DETAILED_DESCRIPTION_OF_WHAT_IS_BEING_PROCESSED_AND_HOW}}
Trigger / Business Justification: {{WHY_IS_THIS_PROCESSING_NECESSARY_BUSINESS_CASE}}
1.2 Processing Operations
| Operation | Data Category | Technology | Location |
|---|---|---|---|
| Collection | {{DATA_CATEGORY}} | {{METHOD}} | {{LOCATION}} |
| Storage | {{DATA_CATEGORY}} | {{DB_TECHNOLOGY}} | {{LOCATION}} |
| Processing / Analysis | {{DATA_CATEGORY}} | {{TOOL}} | {{LOCATION}} |
| Sharing / Transfer | {{DATA_CATEGORY}} | {{PROTOCOL}} | {{RECIPIENT_LOCATION}} |
| Deletion / Anonymization | {{DATA_CATEGORY}} | {{METHOD}} | {{LOCATION}} |
2. Necessity & Proportionality Assessment
2.1 Purposes of Processing
| Purpose | Specific Description | Legitimate? |
|---|---|---|
| {{PURPOSE_1}} | {{SPECIFIC_DESCRIPTION}} | YES — {{JUSTIFICATION}} |
| {{PURPOSE_2}} | {{SPECIFIC_DESCRIPTION}} | YES — {{JUSTIFICATION}} |
2.2 Data Minimization Assessment
| Data Element | Collected | Strictly Necessary? | Alternative If Not Necessary |
|---|---|---|---|
| {{FIELD_1}} | YES | YES — {{WHY}} | N/A |
| {{FIELD_2}} | YES | YES — {{WHY}} | N/A |
| {{FIELD_3}} | YES | PARTIAL — {{EXPLAIN}} | Collect only {{SUBSET}} |
| {{FIELD_4}} | YES | NO — {{WHY}} | Remove from collection |
Fields recommended for removal: {{FIELDS_TO_REMOVE}}
2.3 Lawful Basis
| Processing Activity | Lawful Basis | Justification |
|---|---|---|
| {{ACTIVITY_1}} | Contract (Art. 6.1.b) | {{JUSTIFICATION}} |
| {{ACTIVITY_2}} | Consent (Art. 6.1.a) | {{JUSTIFICATION}} |
| {{ACTIVITY_3}} | Legitimate interest (Art. 6.1.f) | LIA: {{LIA_REF}} |
For special category data (if applicable):
| Data | Special Category | Art. 9 Basis |
|---|---|---|
| {{HEALTH_DATA}} | Health (Art. 9.2.h) | Explicit consent + healthcare provision |
3. Data Subjects & Categories of Data
3.1 Data Subject Groups
| Group | Description | Estimated Volume | Vulnerability Level |
|---|---|---|---|
| {{GROUP_1}} | {{DESCRIPTION}} | {{N}} records | Low / Medium / High |
| {{GROUP_2}} | {{DESCRIPTION}} | {{N}} records | Low / Medium / High |
| Employees | Internal staff | {{N}} records | Medium |
| Minors (< 18) | {{IF_APPLICABLE}} | {{N}} records | High |
3.2 Personal Data Categories
| Category | Data Elements | Sensitivity | Volume |
|---|---|---|---|
| Contact information | Name, email, phone | Standard | {{N}} |
| Identity | Date of birth, national ID | Standard | {{N}} |
| Location | IP address, physical address | Standard | {{N}} |
| Behavioral | Usage patterns, preferences | Standard | {{N}} |
| Financial | {{IF_APPLICABLE}} | High | {{N}} |
| Health | {{IF_APPLICABLE}} | Special category | {{N}} |
| Biometric | {{IF_APPLICABLE}} | Special category | {{N}} |
4. Data Processing Purposes & Legal Basis
| Processing Purpose | Personal Data Used | Legal Basis | Retention Period |
|---|---|---|---|
| {{PURPOSE_1}} | {{DATA_FIELDS}} | Contract (Art. 6.1.b) | {{PERIOD}} |
| {{PURPOSE_2}} | {{DATA_FIELDS}} | Consent (Art. 6.1.a) | Until withdrawn |
| {{PURPOSE_3}} | {{DATA_FIELDS}} | Legitimate interest | {{PERIOD}} |
| Fraud detection | Behavioral + financial | Legitimate interest | 2 years |
| Legal compliance | Identity + transaction | Legal obligation | {{REGULATORY_PERIOD}} |
5. Data Flow Mapping
```mermaid
flowchart TD
    %% Node labels are quoted so that placeholders, slashes, parentheses and dashes
    %% do not break the Mermaid parser; <br/> produces the line break inside a label.
    DS(["Data Subject"]) -->|Provides data| COLLECT["Collection Point<br/>{{FORM/API/IMPORT}}"]
    COLLECT -->|Validates| APP["Application Layer"]
    APP -->|Stores| DB[("Primary Database<br/>{{COUNTRY}} — {{ENCRYPTION}}")]
    APP -->|Logs| LOGS["Log System<br/>{{COUNTRY}} — PII masked"]
    DB -->|Syncs| DW[("Analytics<br/>{{COUNTRY}} — Pseudonymized")]
    DB -->|Transfers| PROC1["Processor 1<br/>{{PROCESSOR}} — {{COUNTRY}}"]
    DB -->|Transfers| PROC2["Processor 2<br/>{{PROCESSOR}} — {{COUNTRY}}"]
    DB -->|On request| EXPORT["Data Export<br/>Back to data subject"]
    DB -->|On erasure| ANON["Anonymization Service"]
    ANON -->|Anonymized| DB
    %% Red: primary store of identifiable data; yellow: pseudonymized; orange: third-party processors
    style DB fill:#ffcccc,stroke:#cc0000
    style DW fill:#ffffcc
    style PROC1 fill:#ffe4cc
    style PROC2 fill:#ffe4cc
```
Data processors (GDPR Art. 28):
| Processor | Service | Data Shared | Country | DPA Signed |
|---|---|---|---|---|
| {{PROCESSOR_1}} | {{SERVICE}} | {{DATA_CATEGORIES}} | {{COUNTRY}} | Yes — {{DATE}} |
| {{PROCESSOR_2}} | {{SERVICE}} | {{DATA_CATEGORIES}} | {{COUNTRY}} | Yes — {{DATE}} |
6. Risk Assessment Matrix
6.1 Risk Scoring Scale
| Score | Likelihood | Severity |
|---|---|---|
| 1 | Remote — unlikely to occur | Negligible — minimal impact on data subjects |
| 2 | Unlikely — could occur in exceptional circumstances | Limited — short-term, minor inconvenience |
| 3 | Possible — could occur in some circumstances | Significant — real, non-negligible impact |
| 4 | Likely — will probably occur | Severe — serious impact on rights and freedoms |
| 5 | Near-certain — expected to occur | Maximum — irreversible harm (e.g., identity theft, discrimination, physical danger) |
Risk Score = Likelihood × Severity
- 1-6: Low — acceptable with basic controls
- 7-12: Medium — requires mitigation
- 13-19: High — requires strong mitigation before processing
- 20-25: Critical — consult supervisory authority before proceeding
6.2 Risk to Data Subjects
| Risk ID | Risk to Data Subjects | Likelihood | Severity | Score | Existing Controls | Residual Risk |
|---|---|---|---|---|---|---|
| R1 | Unauthorized access to personal data (breach) | 3 | 4 | 12 | Encryption, access control, MFA | MEDIUM |
| R2 | Data used for purpose beyond original consent (purpose creep) | 2 | 3 | 6 | Purpose limitation controls, audit | LOW |
| R3 | Inaccurate data leading to incorrect decisions | 3 | 3 | 9 | Data quality checks, subject access | MEDIUM |
| R4 | Data retained beyond necessary period | 2 | 2 | 4 | Automated retention jobs | LOW |
| R5 | {{SPECIFIC_RISK_1}} | {{L}} | {{S}} | {{L×S}} | {{CONTROLS}} | {{RESIDUAL}} |
| R6 | {{SPECIFIC_RISK_2}} | {{L}} | {{S}} | {{L×S}} | {{CONTROLS}} | {{RESIDUAL}} |
| R7 | Cross-border transfer without adequate protection | 2 | 4 | 8 | SCCs in place, adequacy checks | MEDIUM |
| R8 | Data subject unable to exercise rights (erasure/portability) | 2 | 3 | 6 | Self-service endpoints, 30-day SLA | LOW |
7. Mitigation Measures
| Risk ID | Mitigation Measure | Owner | Deadline | Status |
|---|---|---|---|---|
| R1 | Implement field-level encryption for {{HIGH_RISK_FIELDS}} | Engineering | {{DATE}} | TODO |
| R1 | Deploy intrusion detection system | Platform | {{DATE}} | TODO |
| R3 | Add data validation at ingestion with rejection of invalid records | Engineering | {{DATE}} | TODO |
| R5 | {{MITIGATION}} | {{OWNER}} | {{DATE}} | {{STATUS}} |
| R6 | {{MITIGATION}} | {{OWNER}} | {{DATE}} | {{STATUS}} |
| R7 | Conduct SCCs review for {{TRANSFER}} — verify adequacy | Legal / DPO | {{DATE}} | TODO |
Residual risk after mitigation: All residual risks assessed as LOW or MEDIUM are acceptable for proceeding. No CRITICAL or HIGH residual risks remain.
DPO Conclusion: ☐ Acceptable — proceed with processing | ☐ Requires supervisory authority consultation
8. DPO Consultation Record
DPO Name: {{DPO_NAME}}
Consultation Date: {{DATE}}
DPO Input:
{{DPO_COMMENTS_AND_RECOMMENDATIONS}}
DPO Recommendation:
- Approved — risks are acceptable and adequately mitigated
- Conditional approval — subject to implementing mitigations by {{DATE}}
- Rejected — risks not adequately addressed — redesign required
- Escalate to supervisory authority — high residual risk remains
DPO Signature: _________________________ Date: _____________
9. Supervisory Authority Consultation (if required)
Consultation Required: YES / NO Reason: {{REASON}}
If YES — Prior consultation details:
10. DPIA Review Schedule
Next scheduled review: {{DATE}} or when any of the following occurs:
- Significant change to the processing activity or technology
- Data breach or near-miss related to this processing
- New risks identified post-implementation
- Change in applicable regulations
- Processor relationship changes
- Annually (at minimum)
Review Owner: {{DPO_NAME}}
Review Log:
| Date | Reviewer | Changes Made | Outcome |
|---|---|---|---|
| {{DATE}} | {{NAME}} | Initial DPIA | Approved |
Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Author | | | |
| DPO | | | |
| Processing Owner | | | |
| Legal Counsel | | | |
| Management | | | |