Data Protection Impact Assessment (DPIA) Template

⚠️ When to Use This Template: A DPIA is required for processing that is likely to result in a high risk to individuals' rights and freedoms. This includes:

New technologies or systems processing personal data
Large-scale processing of special category data (e.g., health data)
Systematic monitoring or profiling
Processing that could result in discrimination or exclusion

Assessment Details

Project/System Name:

[Enter project or system name]

DPIA Reference Number:

[E.g., DPIA-2024-001]

Date Started:

[Date]

Prepared By:

[Name and role]

DPO Consulted:

[Yes/No - Date of consultation]

Step 1: Identify the Need for a DPIA

Screening Questions

Answer these questions to determine if a DPIA is required:

Does the processing involve special category data (e.g., health data) or criminal conviction data on a large scale?

Does the processing involve systematic monitoring of publicly accessible areas on a large scale?

Does the processing use new technologies or innovative applications?

Does the processing involve profiling or automated decision-making with significant effects?

Does the processing involve processing children's data on a large scale?

Does the processing prevent data subjects from exercising their rights or accessing services?

Does the processing combine or match datasets from different sources?

Does the processing involve data about vulnerable data subjects?

Outcome of Screening:

[If YES to 2+ questions, a DPIA is likely required. Document reasoning here.]

Step 2: Describe the Processing

2.1 Nature of Processing

What is the purpose of the processing?

[Describe what you're trying to achieve and why]

What is the nature of the processing?

[Describe how data will be collected, used, stored, deleted]

What is the scope of the processing?

[How much data? How many individuals? Geographic scope? Duration?]

What is the context of the processing?

[Relationship with data subjects, nature of data, expectations, prior collection, sensitivity]

2.2 Data Categories

What categories of personal data will be processed?

[e.g., • Contact details (name, email, phone) • Demographic data (age, gender, location) • Special category data (health information, etc.)]

Are you processing special category data? If yes, specify:

[Health data, racial/ethnic origin, religious beliefs, etc.]

What categories of data subjects are involved?

[Employees, customers, service users, children, vulnerable individuals, etc.]

2.3 Legal Basis

What is the lawful basis for processing (Article 6)?

[Consent / Contract / Legal obligation / Vital interests / Public task / Legitimate interests]

If processing special category data, what is the Article 9 condition?

[Explicit consent / Health/social care / etc.]

If relying on legitimate interests, what is the legitimate interest and have you conducted a balancing test?

[Document legitimate interest and balancing against data subject rights]

Step 3: Consultation Process

3.1 Internal Consultation

Who has been consulted internally?

[e.g., • Data Protection Officer - [Date] • IT Security Team - [Date] • Clinical Director - [Date] • Project stakeholders - [Date]]

Summary of feedback from internal consultation:

[Key concerns, suggestions, recommendations]

3.2 Data Subject Consultation

Have data subjects been consulted? If yes, how?

[Surveys, focus groups, user testing, feedback mechanisms]

If not, why not?

[Justification if data subjects not consulted]

What were the data subjects' views?

[Summary of feedback, concerns, suggestions]

Step 4: Assess Necessity and Proportionality

Necessity and Proportionality Assessment

Is the processing necessary to achieve the purpose? Could you achieve the same outcome without processing, or by processing less data?

[Justify why processing is necessary and proportionate]

Are you processing the minimum amount of personal data necessary?

[Demonstrate data minimisation]

How will you ensure data accuracy?

[Processes for keeping data accurate and up to date]

How long will you retain the data and why?

[Retention periods and justification]

Step 5: Identify and Assess Risks

Assessing Risk: Consider risks to individuals' rights and freedoms, not just organisational risks. Think about:

Physical, material, or non-material damage
Loss of control over personal data
Discrimination or identity theft
Financial loss or damage to reputation
Loss of confidentiality
Unauthorised reversal of pseudonymisation
Economic or social disadvantage

Risk Assessment Matrix

Likelihood: Low / Medium / High

Severity: Minimal / Significant / Severe

Overall Risk: Low / Medium / High

Risk Description	Likelihood	Severity	Overall Risk	Affected Individuals
[e.g., Unauthorized access to sensitive health data]	[Low/Med/High]	[Min/Sig/Sev]	[Low/Med/High]	[Service users]
[Risk 2]
[Risk 3]
[Add more rows as needed]

Step 6: Identify Measures to Mitigate Risks

Risk Mitigation Measures

For each risk identified above, document mitigation measures:

Risk	Mitigation Measures	Responsible Person	Residual Risk	Status
[Risk 1]	[e.g., Encryption, access controls, MFA, security monitoring]	[Name/Role]	[Low/Med/High]	[Planned/ In Progress/ Complete]
[Risk 2]
[Risk 3]

Security Measures

Specific technical and organisational measures to protect personal data:

Encryption in transit (TLS 1.3)

Encryption at rest (AES-256)

Multi-factor authentication

Role-based access controls

Regular security audits/penetration testing

Staff training on data protection and security

Incident response procedures

Regular backups with secure storage

Secure disposal procedures

Additional security measures:

[Document any additional measures specific to this processing]

Step 7: Sign Off and Record Outcomes

Outcome of DPIA

Can the risks be mitigated to an acceptable level?

[YES / NO - Explanation]

Are any risks still high after mitigation?

[If YES, you must consult the ICO before proceeding]

Overall Conclusion:

[APPROVED / APPROVED WITH CONDITIONS / REJECTED / REFER TO ICO]

Conditions or recommendations (if applicable):

[Any conditions that must be met before proceeding]

Approvals

Role	Name	Date
Prepared By:	[Name]	[Date]
Data Protection Officer:	[DPO Name]	[Date]
Approved By (Senior Management):	[Name & Title]	[Date]

Step 8: Integrate Outcomes into Project Plan

Integration and Monitoring

How will the DPIA outcomes be integrated into the project?

[Document how recommendations will be implemented]

Who is responsible for implementation?

[Names and roles]

What is the implementation timeline?

[Key milestones and dates]

How will compliance be monitored?

[Monitoring approach and frequency]

When will this DPIA be reviewed?

[Review date - should be reviewed if major changes occur or at least annually]

Appendices

Supporting Documentation

Attach or reference supporting documents:

Data flow diagrams
System architecture diagrams
Consultation responses
Security assessment reports
Privacy notices
Data Processing Agreements
Other relevant documentation