Iubenda logo
Start generating


Table of Contents

Data Protection Impact Assessment (DPIA) template

What should a DPIA template include? When is it necessary to perform a Data Protection Impact Assessment?
In this post, we’ll tell you everything you need to know about DPIAs and link to our free DPIA template.

DPIA template

What is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment is a process that can help you analyze and minimize the risks connected to the processing of personal data. According to Article 35 of the GDPR, a DPIA is only mandatory when the processing could result in a high risk to the rights and freedoms of users (for instance, when you introduce a new processing technology).

Here “high risk” data processing activities include:

  • large-scale processing of sensitive data;
  • systematic monitoring of a publicly accessible area (e.g. CCTV);
  • profiling, that is situations where there are extensive automated evaluations of personal data that is intended to influence decisions that can affect the user’s life significantly.

DPIAs can also be required in other circumstances, such as the processing of data concerning vulnerable persons (e.g. children, the elderly), data transfers across borders outside the EU and data that is being used in profiling (e.g. credit scores). In these cases, each situation should be evaluated independently.

While publishing a DPIA is not a general legal requirement of the GDPR, it is suggested that you consider publishing all or part of you DPIA as a gesture of transparency, especially in cases where members of the public are affected (for example, where a public authority carries out the DPIA).

Also, if you’re not sure whether your processing activity can be considered “high risk”, it’s recommended to carry out a DPIA anyway, as it is a useful tool for ensuring that you’re complying with the law.

More on data protection

This article is a part of our series on data protection. Read also:

👉 What is a data breach and how to prevent it

What should a DPIA include?

The Data Protection Impact Assessment process should be recorded in writing, but there isn’t a pre-established template that you should follow, only some basic elements to include:

  • full descriptions of the data processed;
  • the purpose of the processing activity (and where applicable, information on the legitimate interests of the data controller);
  • an evaluation of the scope and necessity of the processing activity in relation to the purpose;
  • an assessment of the risk posed to users;
  • measures in place to address that risk.

DPIA template

While there isn’t a standard structure to follow for a Data Protection Impact Assessment, a template can always come in handy.

Click here to download this free DPIA’s template (.docx direct download)

iubenda’s tip

Not sure where to begin in with your DPIA? A good place to start is in examining your processing activities and assessing the types of data you collect, the level of sensitivity and therefore the level of security required. For this, keeping accurate records is key! In fact, keeping records of you processing activities is also a GDPR requirement.

Learn more about how iubenda’s Register of Data Processing Activities can help you to easily keep up-to-date records of your processing activities.

About us


GDPR compliance for your site, app and organization


📬 Want the latest news on Data Protection and Privacy delivered to your inbox? Join the list @ dponewsletter.com

See also