EDPB Adopts First Harmonized DPIA Template to Standardise Assessments Across Europe

On 14 April 2026, the European Data Protection Board published Version 1.0 of a harmonized template for Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR, accompanied by an explanatory document. The template - adopted at the Board's March plenary meeting - was released for public consultation, with comments accepted until 9 June 2026.

Until now, DPIA templates have varied across EU member states, with each national supervisory authority offering its own format, guidance, and level of detail. For organisations operating across multiple jurisdictions, the result has been inconsistency: the same processing activity assessed using different structures, different terminology, and different expectations depending on which member state's template was used. The harmonized template is designed to address this fragmentation directly.

The template is structured into seven main sections (numbered 0 through 6) that walk the controller through the full DPIA lifecycle. Section 0 captures foundational information - identification of controllers, processors, and sub-processors, the internal name of the processing activity, its timeline, and a technical sheet. Subsequent sections address the systematic description of the processing, the necessity and proportionality assessment, the identification and assessment of risks to data subjects' rights and freedoms, and the measures envisaged to address those risks.

Following the close of the public consultation, the EDPB intends to finalise the template, after which all national data protection authorities will begin adopting it either as their sole template or as a meta-template with which national-specific versions will be required to be compatible. The initiative forms part of the EDPB's broader Helsinki Statement commitment to making GDPR compliance simpler and more consistent across Europe.

Acompli perspective: A harmonized DPIA template is long overdue - and it raises the bar for what regulators will consider an adequate assessment. Organisations should review their current assessment processes against the EDPB's seven-section structure now, rather than waiting for the final version. The template's emphasis on identifying processors and sub-processors reinforces the need for accurate data mapping and well-maintained records of processing, while its risk assessment framework aligns closely with the structured approach that NIS2 and the AI Act are also demanding.