GDPR Data Protection Impact Assessment – free template

Under the new General Data Protection Regulation, it is mandatory to perform a DPIA in certain circumstances. This is an assessment in which you determine the impact of a personal data processing activity before commencing with it. We have created a DPIA template to aid in this compulsory review, which includes all mandatory elements and all official guidelines. You can use this template to determine whether you need to do a DPIA, to execute the DPIA, and also to test previously executed DPIA’s.

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a document in which you record the consequences of a new processing activity, or changes to a current processing activit. By carrying out such research, an organization is forced to think about privacy and security risks in advance instead of afterwards. A DPIA is a mandatory element of GDPR regulation.

When should you perform a DPIA?

A DPIA is mandatory when a processing activity will likely have a high risk to the rights and freedoms of the involved data subjects (the people whose personal data is processed). This is certainly the case when an organization:

1. systematically and extensively evaluates personal data, such as profiling;
2. processes special categories of personal data on a large scale;
3. systematically monitors data subjects in a publicly accessible area on a large scale.

To determine whether there might be a high risk, the supervisory authorities use the following heuristics. There is a high risk to the rights and freedoms of data subjects when two or more of the following nine criteria apply:

1. evaluation of people or scoring;
2. automated decision making with legal effect or comparable substantive effect;
3. systematic monitoring;
4. special categories of personal data or other sensitive data;
5. processing of personal data on a large scale;
6. matching or merging of data sets;
7. personal data on vulnerable persons;
8. innovative use of a new technological or organizational solution;
9. restricting or blocking access to a right, service, or contract.

If all is well, you will already have a register of processing activities. You will have to test all activities from this register to see whether they meet the above criteria. When in doubt, it is wise to also create a DPIA document, and to record the answers to the question above. This way, you document your decision whether or not to do DPIA. If the Dutch supervisory authority starts asking questions, you can use this documentation to show that you have thought about and implemented privacy measures.

How does one do a DPIA?

To do a DPIA the correct way, you can walk through our template step by step. It contains all the questions that you have to answer. This initial draft can be created by an information analyst or project manager. However, it is not the intention that the DPIA is done by one person. Depending on the situation, you must involve other departments, consult experts, and perhaps even reach out to representatives of external parties. If your organization has a Data Protection Officer, he or she must be consulted.

Our English DPIA template can be downloaded here.

Structure of the DPIA template

The template consists of the following elements:

1. Organizational details
2. Details of the processing
3. Should a DPIA be performed
4. Systematic description of the data processing
5. Assessment of necessity and proportionality
6. Assessment of privacy risks
7. Measures
8. Advice from the DPO
9. Advice from stakeholders and representatives
10. Prior consultation

There are two optional checklists in the appendix: a list of questions from NOREA and a GDPR DPIA checklist.

Process and further steps

The GDPR states that you must perform a DPIA before the actual processing, in e.g. the design phase of a project. You cannot start the new processing activity before there is a good DPIA. After performing a good and complete DPIA, there are three possible outcomes:

1. You can start with the new data processing, but must make sure to implement the measures and recommendations as well.
2. You may not start the new data processing. The DPIA might have indicated that the project does not comply with the GDPR. You must go back to the drawing board and create a new design.
3. You must request a ‘prior consultation’ from the Dutch supervisory authority. If it becomes clear from the DPIA that the processing poses a high risk, and your risk mitigation measures are not sufficient, then it is mandatory to take this step.

Sources and more information

We have developed his template based on the GDPR itself and other documents recommended by the Dutch supervisory authority. In particular, we made good use of the NOREA PIA guide, as well as the guidelines of the European Working Party “Data Protection Working Party article 29”. If you would like to know more about the GDPR, we advise you to look at this ten step GDPR overview, the procedure for reporting data breaches (Dutch), the template processing agreement (also Dutch), and the template register of processing activities. At ICT Institute, we also offer a 1-day introduction course privacy and GDPR. For more articles about privacy, visit our page with all privacy articles.

Source image: soilse-CC-lock-banner.jpg