DPIA Template

The Article 35(7) fields a Data Protection Impact Assessment must contain — and how to keep the completed template defensible.

A DPIA template is the structured set of fields a Data Protection Impact Assessment must contain under GDPR Article 35(7) — a systematic description of the processing, an assessment of its necessity and proportionality, an assessment of the risks to individuals, and the measures to address them. Because the Regulation fixes the content rather than the format, a correct template starts from Article 35(7) rather than a vendor's form. Getting the fields right is the easy half: a DPIA is only defensible if each answer can be traced to its evidence and the residual-risk decision is recorded. This guide enumerates the fields, points to the official templates, and covers how to keep the assessment true.

Key takeaways

  • Article 35(7) sets four mandatory content elements: description, necessity & proportionality, risks to individuals, and the measures to address them.
  • A defensible template adds the DPO advice (Art 35(2)), the views of data subjects where appropriate (Art 35(9)), and the residual-risk decision.
  • There is no single mandatory form — the ICO, DPC, EDPB and CNIL all publish valid templates; the Regulation fixes the content, not the document.
  • A Word or spreadsheet template captures the fields but not the provenance; keeping the DPIA current is what a DPC or ICO inquiry tests.

What fields must a DPIA template include?

The mandatory contents are fixed by Article 35(7) of the EU and UK GDPR. A DPIA template must contain, at minimum, these four elements:

  1. A systematic description of the processing — the envisaged operations and their purposes, including any legitimate interest pursued, the data and data-subject categories, recipients, retention and the systems involved.
  2. An assessment of necessity and proportionality — whether the processing is necessary for, and proportionate to, those purposes, including the lawful basis and the measures that keep it proportionate.
  3. An assessment of the risks to the rights and freedoms of data subjects — the likelihood and severity of harm, before controls (see inherent vs residual risk).
  4. The measures envisaged to address the risks — safeguards, security measures and mechanisms to protect the data and to demonstrate compliance, and the residual risk that remains after them.

To these four, a defensible template adds:

  • DPO advice — the data protection officer's advice, recorded under Article 35(2).
  • Views of data subjects — sought where appropriate under Article 35(9).
  • The sign-off and residual-risk decision — the named approver, the conclusion, and whether a high residual risk triggers Article 36 prior consultation with the supervisory authority.

Is there an official DPIA template?

There is no single mandatory form, but the supervisory authorities publish their own templates that satisfy Article 35(7), and any of them is a valid starting point:

  • The UK ICO publishes a DPIA template.
  • Ireland's DPC publishes a sample DPIA template.
  • The EDPB and CNIL publish templates and CNIL's open-source PIA tool.

The Regulation fixes the content, not the format, so the test is whether the template captures the Article 35(7) elements and is actually filled in and kept current — not which document you start from. For when a DPIA is required in the first place, see the DPIA software guide and the DPIA requirements for Ireland and the UK.

Is a Word or spreadsheet DPIA template enough?

A Word or spreadsheet template is a reasonable way to capture the fields, and for an occasional DPIA it can be the whole record. Its limit is provenance: it stores only what someone last typed, and it cannot show where an answer came from, who approved it, or whether the residual-risk decision still holds. Those are the first questions a DPC or ICO inquiry asks, and a missing or inadequate DPIA is independently sanctionable under Article 83(4)(a). The fields are the same; the difference is that a governed workflow keeps each answer's source evidence, the DPO advice and the approval, and surfaces the DPIA for review when the processing changes. See DPIA software for how a tool should hold these fields, and how to conduct a DPIA for the step-by-step.

Common questions about the DPIA template

What fields must a DPIA template include?

GDPR Article 35(7) sets the mandatory contents, so a correct DPIA template starts from the Regulation. It must contain: (a) a systematic description of the envisaged processing operations and their purposes, including any legitimate interest pursued; (b) an assessment of the necessity and proportionality of the processing in relation to those purposes; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks — safeguards, security measures and mechanisms to protect personal data and demonstrate compliance. To these four, a defensible template adds the data protection officer's advice (Article 35(2)), the views of data subjects where appropriate (Article 35(9)), and the residual-risk decision that determines whether Article 36 prior consultation is needed.

Is there an official DPIA template?

There is no single mandatory form, but the supervisory authorities publish their own templates that satisfy Article 35(7): the UK ICO publishes a DPIA template, Ireland's DPC publishes a sample DPIA template, and the EDPB and CNIL publish templates and the open-source PIA tool. Any of these is a valid starting point. The Regulation fixes the content, not the format, so the test is whether your template captures the Article 35(7) elements and is filled in and kept current — not which document you use.

Is a Word or spreadsheet DPIA template enough?

A Word or spreadsheet template captures the fields and, for an occasional DPIA, can be the whole record. Its limit is provenance: it stores only what someone last typed, and it cannot show where an answer came from, who approved it, or whether the residual-risk decision still holds — the questions a DPC or ICO inquiry asks first. A missing or inadequate DPIA is independently sanctionable under Article 83(4)(a). The fields are the same; a governed workflow keeps each answer's source evidence, the DPO advice and the approval, and surfaces the assessment for review when the processing changes.

How does a DPIA template relate to the RoPA?

A completed DPIA already contains most of what an Article 30 RoPA entry needs — the purposes, the data and data-subject categories, recipients and transfers, retention and the security measures. So an approved DPIA can populate the matching RoPA fields rather than being re-typed, keeping the register aligned with the assessed reality of the processing. The DPIA template and the Article 30 template are different documents for different jobs, but they share much of the same underlying content.