
GDPR DPIA Template in Notion

By Pavlo Burda | Project Management Templates

(Image: Notion DPIA template)

Under the GDPR, organisations must perform a Data Protection Impact Assessment (DPIA) whenever a processing activity may pose a high risk to individuals. To make this process easier, we have created a complete DPIA template for Notion, including a 6000-word worked example. The template follows the structure of our previous guidance and allows companies working with Notion to perform DPIAs in a clear and consistent manner.

In our earlier article on the Notion ISMS Register Template, we showed how Notion can support ISO 27001 documentation. The new DPIA template builds further on that approach, helping organisations document GDPR responsibilities in the same workspace. It also complements our popular GDPR templates, which are frequently used during privacy assessments and audits.

What is a DPIA?

A Data Protection Impact Assessment is a structured analysis that helps organisations map the consequences of a new or changed processing activity before it begins. The goal is to identify risks, assess their likelihood and impact, and implement measures to reduce these risks to an acceptable level.

Conducting a DPIA for potentially high-risk activities is a mandatory requirement under the GDPR. Organisations must demonstrate that they have assessed risks and designed appropriate safeguards before launching high-risk processing activities.

When and how to perform a DPIA?

According to GDPR Article 35, a DPIA is required when a processing activity is “likely to result in a high risk to the rights and freedoms of individuals.” Examples include:

  • Processing special-category data on a large scale
  • Profiling or automated decision-making
  • Systematic or large-scale monitoring (e.g. organisation-wide CCTV)

European supervisory authorities, including the Autoriteit Persoonsgegevens (AP) in the Netherlands, maintain checklists of topics and processing activities for which a DPIA is warranted.

The new Notion template follows the same step-by-step method used in our detailed guide on the DPIA. The most important feature of the template is the set of questions to be answered step by step. The questions (and instructions) follow the GDPR guidance referenced at each step, and each step comes with a detailed example that you can adapt to your own situation. See the example below.

(Image: description of a DPIA step in the template)

The initial draft can be prepared by a project manager or analyst, but legal, HR, IT and security input is often required. If the organisation has a Data Protection Officer (DPO), they must be consulted as part of the process.

Structure of the Template

The template starts with a “pre-DPIA” section to determine whether a DPIA is necessary.

Description of the processing activity. This section captures what the organisation plans to do, why the processing is taking place, and whether the situation concerns a new or an existing system. A clear description is essential for scoping the DPIA.

Personal data and data subjects. The template provides tables to document all data categories, types of data subjects, and whether any special-category or legally identifying data (e.g., license plates) are involved.

Processing activity and purpose. Each processing activity (e.g. recording, viewing, storing or exporting video) is described in terms of the personal data it uses and linked to the relevant purpose and legal basis, which helps justify the necessity and proportionality of each action.

Pre-DPIA screening checklist. A checklist with the Dutch AP’s mandatory DPIA criteria and the “two or more risks” heuristic for high-risk processing. By completing this section, you determine whether a DPIA is needed.

(Image: DPIA screening checklist)

Data storage, international transfers and retention period. The location of the data (e.g. EU, US), the applicable transfer mechanisms (e.g. SCCs) and the retention period are documented in a structured way.

Processing method. Describes how personal data are processed, including the (technical) tools and methods used.

Third-party involvement. Controllers, processors and sub-processors can be documented clearly, including whether a DPA is in place and which departments have access. If you already maintain a register of suppliers, this step works well together with the Notion ISMS template and its AI features.

Legal basis. Each purpose must be necessary and proportionate, and supported by a valid legal basis under the GDPR (primarily legitimate interest and consent, and in some cases legal obligation, e.g. when cooperating with law enforcement).

(Image: legal basis section of the DPIA template)

Necessity and proportionality. This step evaluates whether each processing activity is strictly necessary for achieving the intended purpose and whether the impact on individuals is proportionate.

Data subjects’ rights. For each right (access, erasure, objection, etc.), the template explains how the organisation fulfils these obligations and whether any exceptions apply.

Risk assessment. The template uses a structured likelihood-and-impact model, the same approach we use in our advisory work. Risks such as internal misuse, external compromise and excessive monitoring are assessed with clear motivations.

(Image: DPIA risk assessment table)

Mitigation measures and residual risks. Measures are mapped to the risks they reduce, with space for justifying whether any remaining risks are acceptable.

(Image: DPIA mitigation measures table)

DPO advice and consultation. If a DPO is appointed, the template ensures their review is documented, along with consultation feedback from employees or their representatives.

Prior consultation. If high residual risks remain, the template includes guidance for prior consultation with the supervisory authority.

Conclusion

This DPIA template is designed for teams that want a practical, GDPR-compliant workflow inside Notion. It follows the structure used in our own audits and training sessions and can easily be adapted to different processing activities, from CCTV to HR systems or AI tools. The template is available free of charge on the Notion Marketplace and is fully compatible with our main Notion ISMS template.

If you would like help implementing a DPIA for GDPR compliance or building your ISO 27001 ISMS, you can contact us below or explore our free GDPR templates for further guidance.

Author: Pavlo Burda
Dr. Pavlo Burda is an IT consultant and researcher specializing in emerging cybersecurity threats and people analytics for security.