What should a DPIA template include? When is it necessary to perform a Data Protection Impact Assessment?
In this post, we’ll tell you everything you need to know about DPIAs and link to our free DPIA template.
A Data Protection Impact Assessment is a process that can help you analyze and minimize the risks connected to the processing of personal data. According to Article 35 of the GDPR, a DPIA is only mandatory when the processing could result in a high risk to the rights and freedoms of users (for instance, when you introduce a new processing technology).
Here “high risk” data processing activities include:
DPIAs can also be required in other circumstances, such as the processing of data concerning vulnerable persons (e.g. children, the elderly), data transfers across borders outside the EU and data that is being used in profiling (e.g. credit scores). In these cases, each situation should be evaluated independently.
While publishing a DPIA is not a general legal requirement of the GDPR, it is suggested that you consider publishing all or part of you DPIA as a gesture of transparency, especially in cases where members of the public are affected (for example, where a public authority carries out the DPIA).
Also, if you’re not sure whether your processing activity can be considered “high risk”, it’s recommended to carry out a DPIA anyway, as it is a useful tool for ensuring that you’re complying with the law.
This article is a part of our series on data protection. Read also:
The Data Protection Impact Assessment process should be recorded in writing, but there isn’t a pre-established template that you should follow, only some basic elements to include:
While there isn’t a standard structure to follow for a Data Protection Impact Assessment, a template can always come in handy.
Click here to download this free DPIA’s template (.docx direct download)
Not sure where to begin in with your DPIA? A good place to start is in examining your processing activities and assessing the types of data you collect, the level of sensitivity and therefore the level of security required. For this, keeping accurate records is key! In fact, keeping records of you processing activities is also a GDPR requirement.
Learn more about how iubenda’s Register of Data Processing Activities can help you to easily keep up-to-date records of your processing activities.
GDPR compliance for your site, app and organization
📬 Want the latest news on Data Protection and Privacy delivered to your inbox? Join the list @ dponewsletter.com