Skip to content
360 Cyber Compliance

template

Data Protection Impact Assessment (DPIA) Template

A UK GDPR DPIA template to assess and reduce privacy risk in new projects, covering necessity, proportionality, risk scoring and ICO consultation triggers.

Related service: Data Protection & UK GDPR

A Data Protection Impact Assessment (DPIA) helps you identify and reduce the privacy risks of a project before it starts. Under the UK GDPR a DPIA is mandatory where processing is likely to result in a high risk to individuals — for example large-scale use of special category data, systematic monitoring, or new technologies. Complete this template early and revisit it as the project develops. Replace every [bracketed] field with your own detail.

1. Project overview

  • Project / processing name: [name]
  • DPIA author: [name / role]
  • Date started: [date]
  • Description of the processing: [what you plan to do, how data flows, what technology is involved]
  • Why you need it: [the aim and the benefits]

2. Do you need a DPIA?

Answer yes/no. If you answer yes to any high-risk trigger, a DPIA is required:

  • Systematic and extensive evaluation or profiling with significant effects
  • Large-scale processing of special category or criminal offence data
  • Systematic monitoring of a publicly accessible area on a large scale
  • Use of new or innovative technology
  • Processing that could deny people access to a service or contract
  • Involves children or other vulnerable individuals

Outcome: [DPIA required / not required — record your reasoning either way]

3. Describe the processing

  • Nature: [how data is collected, used, stored and deleted]
  • Scope: [types and volume of data, number of individuals, geographic area, retention]
  • Context: [relationship with individuals, their expectations, current concerns, any relevant guidance or codes]
  • Purposes: [what you want to achieve and the intended effect on individuals]

4. Consultation

  • Stakeholders consulted: [e.g. individuals or their representatives, staff, processors, DPO]
  • Views gathered and how they were addressed: [summary]

5. Necessity and proportionality

  • Lawful basis (Article 6): [basis and justification]
  • Special category condition (Article 9), if applicable: [condition]
  • Is the processing necessary to achieve the purpose? [explain]
  • Could you achieve the same outcome another, less intrusive way? [explain]
  • How do you ensure data quality, minimisation and individuals’ rights? [explain]

6. Identify and assess risks

For each risk, record the source, the likelihood, the severity and the overall risk level.

Risk to individualsLikelihood (low/med/high)Severity (low/med/high)Overall risk (low/med/high)
[e.g. unauthorised access to health data][ ][ ][ ]
[e.g. data used beyond expectations][ ][ ][ ]
[add rows as needed][ ][ ][ ]

7. Measures to reduce risk

For each risk above, record the mitigating measures and the residual risk.

RiskMeasure to reduce or eliminateResidual riskMeasure approved?
[risk][control][low/med/high][yes/no]

8. Sign-off and outcome

  • Residual high risk remaining? [yes/no — if yes, you must consult the ICO before starting]
  • DPO advice (if appointed): [summary and whether followed]
  • Decision: [proceed / proceed with changes / do not proceed]
  • Approved by: [name / role]
  • Date: [date]
  • Review date: [date]

DPIAs can be daunting the first time. We can guide you through one, or review a completed DPIA, as part of a fixed-fee engagement — see our data protection and GDPR service. For related reading, see our information governance guides.

Want this as a ready-to-use document?

We can tailor this to your organisation and complete it with you as part of a transparent, fixed-fee engagement.

Talk to us about this