template
Data Protection Impact Assessment (DPIA) Template
A UK GDPR DPIA template to assess and reduce privacy risk in new projects, covering necessity, proportionality, risk scoring and ICO consultation triggers.
Related service: Data Protection & UK GDPR
A Data Protection Impact Assessment (DPIA) helps you identify and reduce the privacy risks of a project before it starts. Under the UK GDPR a DPIA is mandatory where processing is likely to result in a high risk to individuals — for example large-scale use of special category data, systematic monitoring, or new technologies. Complete this template early and revisit it as the project develops. Replace every [bracketed] field with your own detail.
1. Project overview
- Project / processing name: [name]
- DPIA author: [name / role]
- Date started: [date]
- Description of the processing: [what you plan to do, how data flows, what technology is involved]
- Why you need it: [the aim and the benefits]
2. Do you need a DPIA?
Answer yes/no. If you answer yes to any high-risk trigger, a DPIA is required:
- Systematic and extensive evaluation or profiling with significant effects
- Large-scale processing of special category or criminal offence data
- Systematic monitoring of a publicly accessible area on a large scale
- Use of new or innovative technology
- Processing that could deny people access to a service or contract
- Involves children or other vulnerable individuals
Outcome: [DPIA required / not required — record your reasoning either way]
3. Describe the processing
- Nature: [how data is collected, used, stored and deleted]
- Scope: [types and volume of data, number of individuals, geographic area, retention]
- Context: [relationship with individuals, their expectations, current concerns, any relevant guidance or codes]
- Purposes: [what you want to achieve and the intended effect on individuals]
4. Consultation
- Stakeholders consulted: [e.g. individuals or their representatives, staff, processors, DPO]
- Views gathered and how they were addressed: [summary]
5. Necessity and proportionality
- Lawful basis (Article 6): [basis and justification]
- Special category condition (Article 9), if applicable: [condition]
- Is the processing necessary to achieve the purpose? [explain]
- Could you achieve the same outcome another, less intrusive way? [explain]
- How do you ensure data quality, minimisation and individuals’ rights? [explain]
6. Identify and assess risks
For each risk, record the source, the likelihood, the severity and the overall risk level.
| Risk to individuals | Likelihood (low/med/high) | Severity (low/med/high) | Overall risk (low/med/high) |
|---|---|---|---|
| [e.g. unauthorised access to health data] | [ ] | [ ] | [ ] |
| [e.g. data used beyond expectations] | [ ] | [ ] | [ ] |
| [add rows as needed] | [ ] | [ ] | [ ] |
7. Measures to reduce risk
For each risk above, record the mitigating measures and the residual risk.
| Risk | Measure to reduce or eliminate | Residual risk | Measure approved? |
|---|---|---|---|
| [risk] | [control] | [low/med/high] | [yes/no] |
8. Sign-off and outcome
- Residual high risk remaining? [yes/no — if yes, you must consult the ICO before starting]
- DPO advice (if appointed): [summary and whether followed]
- Decision: [proceed / proceed with changes / do not proceed]
- Approved by: [name / role]
- Date: [date]
- Review date: [date]
DPIAs can be daunting the first time. We can guide you through one, or review a completed DPIA, as part of a fixed-fee engagement — see our data protection and GDPR service. For related reading, see our information governance guides.