COMPLETE GUIDE TO THE BEST DATA PROTECTION IMPACT ASSESSMENT (DPIA)


The Best Guide for Conducting an Effective Data Protection Assessment (Samples and Templates)

Organizations looking for guidance on a GDPR DPIA will often search for the ICO DPIA template, or another GDPR DPIA template, that they can use to conduct the required data protection impact assessment for a change project, new process, or something else.

However, it’s also important to understand why you’re doing a DPIA, exactly what it’s for, and when a data protection risk assessment is or is not required for the data you’re collecting.

In this AGS insight article, we will tell you everything you need to know about doing the data protection impact assessment GDPR calls for. We’ll also provide links to a data impact assessment template that you can use for your assessment.

You’ll also find a link to the ICO DPIA template from the UK’s Information Commissioner’s Office, as well as a simple decision tree for determining whether or not you’re required to do a data processing impact assessment for privacy.



Data Protection as Organizations Transition from Paper to Digital

As more information has transitioned from paper to digital, data privacy regulations to protect that data have become necessary. One of the most well-known of these is the General Data Protection Regulation (GDPR), which covers any data collected from citizens of the European Union (EU).

If an organization is subject to GDPR, no matter what country it’s in, it needs to become familiar with this data privacy regulation. This includes the data protection impact assessment GDPR requires.

When the processing of personal data is likely to be high risk, a data impact assessment needs to be done to ensure appropriate measures are taken to prevent the data from being exposed, either accidentally or through a data breach.



What is a Data Protection Impact Assessment?

A data protection impact assessment is a structured evaluation of a service, process, project, or organizational change that requires the collection of personal data. This data impact analysis is done to mitigate risk associated with personal data collection, transmission, and storage.

The EU’s GDPR requires that a data protection impact analysis be performed when any activity, especially one dealing with new technology, is likely to involve a high risk “to the rights and freedoms of individuals.”

In layman’s terms, this means if you are collecting sensitive personal data and there is any risk of exposure, you are required to assess and evaluate that risk and your mitigation strategies using a data protection risk assessment template.

Data protection impact assessment GDPR guidelines do not say what format the DPIA template should be in, so you’re free to choose between a DPIA template Excel version or ICO DPIA template in Word or PDF, or use a cloud-based data privacy impact assessment template.

Conducting a DPIA when GDPR requires one is a necessary compliance process, and failing to do so can lead to administrative fines for non-compliance (as much as 2% of total worldwide annual turnover for the preceding financial year).



What is a DPIA Used For?

A data impact assessment, besides being required by GDPR, is also helpful to an organization in a number of ways.

A data protection impact assessment template may be used when:

  • Undertaking an organizational change management project
  • Adding a new business process
  • Introducing a new workflow
  • Adding a new product or service
  • Beginning a new project
  • Planning an event
  • Introducing new software
  • Working with new marketing tools or vendors

A GDPR DPIA template helps you lay out the reasons why you’re collecting personal data, the goal of that data collection, the risks associated with collecting the data, and recommendations for minimizing those risks.

Here are some of the things that a GDPR impact assessment is used for.

Increase Data Privacy Awareness

Not everyone involved with starting a new project has data privacy in mind when they begin. This could leave any data they’re collecting during the project at risk of being compromised.

For example, during a change project, employee personal information may be collected, such as an address, phone number, email, and more. Doing a DPIA improves a project team’s awareness of the need to protect any sensitive data they collect and to have a plan for how to decommission that data once it’s no longer needed.

Data Privacy Compliance

Of course, the most obvious thing a data protection assessment is used for is to comply with GDPR requirements and avoid non-compliance penalties.

But beyond the GDPR DPIA requirement, a data protection risk assessment can also help with compliance with other data privacy regulations, such as HIPAA in the healthcare industry.

Identify Potential Problems at the Start of a Project

If the way data is shared during a project puts it at risk of a breach, doing a data processing impact assessment for privacy at the beginning of the project can ward off potential problems.

You don’t want to have a project or new process implementation halted midstream because of a data breach. That could be devastating to your project.

You can use a data impact assessment template to identify any potential problem areas when there is still plenty of time to fix them before you begin collecting individuals’ data.




Proactively Resolve Potential Issues

A data impact analysis for GDPR allows you to be proactive when it comes to project planning. Some of the questions include asking why you’re collecting the data and what benefit it has to your project.

Going through these steps at the beginning of a project, using an Excel or cloud DPIA template, allows for proactive resolution of any issues. You might also realize there is some data that you really don’t need to collect, which reduces risk.

Enhance Communications with Individuals/Clients

One of the recommendations when undertaking a data protection impact analysis is to involve those whose data is being collected in the process. It forces you to think about data privacy from the point of view of the subject.

Going through the steps laid out in a data protection risk assessment template opens a conversation with the individuals, clients, or employees whose data is being collected and emphasizes the need to explain the why and how.

So, a data protection impact assessment can enhance communication and foster trust and transparency.

Reduce Potential Costs

According to the “2020 Cost of a Data Breach Report” from IBM, the average data breach costs an organization $3.86 million. That’s a lot of money saved if completing the DPIA that GDPR requires helps you avoid a breach.

Costs for emergency cybersecurity fixes identified during the middle or at the end of a project can also be mitigated by performing a data privacy impact assessment at the start of a project to uncover any vulnerabilities.



DPIA GDPR | When is a Data Protection Assessment Needed?

It’s important to understand when you should conduct a data privacy impact assessment and when it’s not required to do so.

Under GDPR, it’s not necessary to conduct a data impact assessment for privacy for every type of data collection activity.

Article 35 (1) of GDPR states that the use of a data protection impact assessment template is required when the data processing or collection activity is “likely to result in a high risk to the rights and freedoms of natural persons.”

For a GDPR impact assessment, this means the nature of the data collected is sensitive enough that a breach could infringe on the rights of the individual. For example, if you’re only collecting a person’s name, this would not generally be considered “sensitive” information that could cause harm if breached.

However, if you’re collecting the person’s name and internet browsing habits, then that could be considered personal information that would require you to use a GDPR DPIA template for an assessment.

Reporting examples from AGS’ Data Protection Impact Assessment Toolkit

What Type of Information Needs a DPIA Assessment?

When is a data protection impact analysis needed and when can you forgo the DPIA template?

According to the GDPR explanation of when a data processing impact assessment for privacy is needed, you’re required to use one when:

  1. There is a systematic and extensive evaluation of individuals based on automated processing, and on which decisions are based that produce legal effects concerning the individual.
  2. There is processing on a large scale of special categories of data or of personal data relating to criminal convictions and offenses.
  3. There is systematic monitoring of a publicly accessible area on a large scale.

The “special categories” of data noted in item two include:

  • Biometric data
  • Data related to sexual preferences
  • Genetic data
  • Health data
  • Political opinions
  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Trade union memberships

There may also be exceptions granted by a “supervisory authority” (Article 35 (5)), which exempt a certain activity from needing a data impact assessment.

Decision Flow for a Data Impact Assessment Template.

An example of an activity that would NOT need a data privacy impact assessment would be collecting email addresses for, and sending, an email newsletter.

An example of an activity that WOULD need a data impact analysis would be monitoring and data collection of employee internet activity while at work.



How Do You Conduct a Data Protection Impact Assessment?

If you’re required to use a data protection risk assessment template for a certain data processing/collection activity, it should be done at the start of a project during your planning stages and before you begin any data processing.

Ideally, you want to use an impact assessment template that is flexible and gives you options to use it the way you like. For example, you may want a DPIA template Excel sheet so you can create different types of reports from the data yourself.

Or you may prefer a data protection impact assessment template that’s a cloud tool, accessible from any device online and that makes collaboration with others easy.

One example of a DPIA GDPR template you could use is AGS’ Impact Assessment Template, which is available in an Excel or cloud version and provides real-time analytics.

Example of AGS’ Input Template for a DPIA


Who Conducts the Data Impact Assessment?

Ultimately, the controller is responsible and accountable for the data protection impact assessment GDPR requirement. However, anyone may carry out the GDPR impact assessment, either inside or outside the organization.

If your organization has a Data Protection Officer (DPO), they are also generally involved with putting together or reviewing the GDPR DPIA template or ICO DPIA Template. The controller is tasked with getting the advice of the DPO and that advice should be included on the DPIA assessment template.

It’s also required by the DPIA GDPR rules that the controller seeks out the views and input of “data subjects or their representatives, where appropriate.”

What are the Minimum Inclusions in a Data Protection Assessment?

You can make a data protection risk assessment as detailed as you like. But you do need to be aware of the minimum items to include, per the DPIA GDPR guidelines.

You should at a minimum include the following in your data impact assessment template:

  • A description of the process and its purpose
  • An assessment of the necessity of the data processing
  • The proportionality of the processing
  • An assessment of the risks to the rights and freedoms of data subjects
  • Measures created to address the risks
  • Measures created to demonstrate compliance with the DPIA GDPR regulation

Next, we’ll take a look at the steps you can take to conduct a data privacy impact assessment and where you can find a DPIA template Excel, PDF, or cloud version to use.

AGS’ DPIA template was set up according to GDPR data collection requirements.


Steps for a Data Protection Impact Assessment GDPR

The main purpose of using a data privacy impact assessment template is to review any data collection or processing activities of a new product, process, system, or project, and the risk associated with your organization’s use of that data.

Second, you want to make a concerted effort to identify ways to mitigate any identified risk and document them in your data privacy impact assessment template.

While complying with a data protection impact assessment GDPR requirement can seem daunting at first, if you take it in steps, it does not have to be an overly cumbersome or time-consuming task.

Step 1: Describe Your Process & Why a GDPR Impact Assessment is Needed

In this step, you want to fully lay out the process, product, system, or project being implemented that will require the collection of personal information.

It may be helpful for you to refer to other documents, such as a project assessment, that will provide you with a basic description of the process. You can then copy/paste that into your data protection impact assessment template.

You also want to specifically include the “why” of how you’ve determined that you need a GDPR DPIA template for compliance.

Step 2: Describe the Nature of the Data Collection & Processing

Next, you’ll want to describe in detail the processing activity itself. It may be helpful to create a roadmap of what happens to the personal data from start to finish and include that in your Excel or ICO DPIA template.

Some of the types of information that you’ll want to include in your DPIA assessment are:

  • How the data is collected
  • How the data is stored
  • How the data is used
  • When and how the data will be deleted after use
  • What the data source is
  • Who will have access to the data (just your organization? a vendor?)

Step 3: Describe the Data Category and Volume

One of the indicators that a data protection assessment needs to be done is if there is a “large scale” data collection. So, you’ll want to describe not only the types of data you’re collecting (special category, etc.) but also the volume and scope of that data collection.

Other things you can include in this data protection assessment step are how often you’ll be collecting data (daily, one time only, etc.), how many individuals you’ll be collecting data from, and how long you’ll be keeping and using that data.

Step 4: Describe Data Collection from the Individual’s Standpoint

One of the requirements of the controller conducting the data processing impact assessment is to get the viewpoint of those individuals whose data is being collected. This is the step to do that.

Here, you’ll want to discuss your organization’s relationship with those whose data is being collected (employees, customers, website visitors, etc.) and how much control they have over this collection.

For example, note whether or not you offer an opt-out option for this data collection.

Some of the information you may want to include in this DPIA GDPR assessment step is:

  • Is your use of the individuals’ data an expected one?
  • Does the data collection include children?
  • What type of control do the individuals have over the data you’ve collected from them?

Step 5: Describe the Purpose/Benefit of the Data Processing

Here you can summarize in your data privacy impact assessment why your organization is collecting and processing this data. This should include what the benefit is to your organization.

You’ll also want to include details on your lawful basis for collecting and processing this data and how you will ensure data is only used for the intended purpose.

Step 6: Assess and Classify Risk

In order to mitigate the risk associated with the collection and processing of personal data, you need to first identify what those risks may be.

For example, one risk may be that data stored in a cloud storage account could be breached. Another risk may be associated with data leakage and accidental sharing by employees for other purposes.

You’ll want to include an area on your data protection impact assessment template to list the different types of risk you’ve identified that could result in “a high risk to the rights and freedoms of natural persons.”

It’s helpful to classify each risk area as high, medium, or low for the likelihood of harm, the severity of impact, and the overall risk.

Step 7: Describe Solutions to Minimize Risk

For every risk you’ve identified, you want to describe a suggested solution to minimize or eliminate that risk.

You can do Step 7 along with Step 6 if you like, by using a GDPR DPIA template that allows you to put the identified solution in a column next to each identified area of risk.

Step 8: Document Your Consulting Process for the GDPR Impact Assessment

Finally, you’ll want to document how you compiled this DPIA assessment. This includes which individuals or groups were involved in the process.

Steps for DPIA GDPR Compliance

For example: Did you include your DPO in the review of the data protection assessment? Did you make an effort to include those individuals whose data is being collected or a representative in the process? If not, why?

Include in this last step any approvals needed to conduct the recommendations listed in Step 7 and your steps forward to ensure compliance with GDPR and/or another data privacy regulation.



Top Data Protection Impact Assessment Template

To accomplish all the steps for a data privacy impact assessment, it helps to use a good GDPR DPIA template. This can be in any format you choose, as long as it allows you to input the information required by GDPR for your data impact assessment and provides a comprehensive assessment report.

Here are a few options.

AGS Data Protection Impact Assessment Tool (Excel or Cloud)

For the best experience and most versatility, you can use AGS’ Data Protection Impact Assessment Tool. This includes both a template database for data entry and an analytics dashboard where data is charted for you automatically.

Example of Analytics from AGS DPIA Toolkit (AGS Cloud real-time analytics for an impact assessment)


You get to choose your DPIA GDPR template!

  • DPIA template Cloud version
  • DPIA template Excel version

You can find the AGS Data Impact Assessment Template here.

ICO DPIA Template (MS Word)

One of the more well-known data protection impact assessment templates is from the Information Commissioner’s Office (ICO), an independent UK authority that upholds information rights and data privacy guidelines.

Note, this data privacy impact assessment template does not include generated analytics.

You can download the MS Word format ICO DPIA template here.

Create Your Own

You can also choose to use the steps outlined above as a guide and create your own DPIA GDPR template in any program of your choice.

This will involve a bit more time, and if you want to have helpful analytics to use for your final DPIA GDPR report, you’ll have to create reports, pivot tables, and graphs from scratch in a spreadsheet program.



Conclusion | GDPR Impact Assessment for Data Privacy

It’s important to understand the requirements of a data protection impact assessment because if you collect or process any data from EU citizens, you may be required to complete one for a new project, tool, product, or process.

Beyond the DPIA GDPR requirement, doing a data privacy impact assessment is a good idea to ensure that your organization is being responsible when it comes to data collected from individuals, especially sensitive data.

Using a good DPIA template can make a world of difference in how long a data privacy impact assessment takes. It can also provide you with a framework to ensure that no information required by the GDPR is left out.

A data protection impact assessment is not only a required process for GDPR, it’s also a good IT security and data privacy practice that will enrich your organization and improve your overall trust and security posture.


Data Protection Impact Assessment FAQ

What is a data protection impact assessment?

A data protection impact assessment is a structured evaluation of a service, process, project, or organizational change that requires the collection of personal data. This data impact analysis is done to mitigate the risk associated with personal data collection, transmission, and storage.

The EU’s GDPR requires that a data protection impact analysis be performed when any activity, especially one dealing with new technology, is likely to involve a high risk “to the rights and freedoms of individuals.”

How do you conduct a data protection impact assessment?

If you’re required to use a data protection risk assessment template for a certain data processing/collection activity, it should be done at the start of a project during your planning stages and before you begin any data processing activities.

Ideally, you want to use an impact assessment template that includes a space to add the information that is required to be included by the GDPR.

What is a DPIA used for?

A GDPR DPIA template helps you lay out the reasons why you’re collecting personal data, the goal of that data collection, the risks associated with collecting the data, and recommendations for minimizing those risks.

Here are some of the things that a GDPR impact assessment is used for.

  • Increase Data Privacy Awareness
  • Data Privacy Compliance
  • Identify Potential Problems at the Start of a Project
  • Proactively Resolve Potential Issues
  • Enhance Communications with Individuals/Clients
  • Reduce Potential Costs

Who should complete a DPIA?

Ultimately, the controller is responsible and accountable for the DPIA. However, anyone may carry out the GDPR impact assessment, either inside or outside the organization.

If your organization has a Data Protection Officer (DPO), they are also generally involved with putting together or reviewing the GDPR DPIA template. The controller is tasked with getting the advice of the DPO and that advice should be included on the DPIA assessment template.

It’s also required by the GDPR DPIA rules that the controller seeks out the views and input of “data subjects or their representatives, where appropriate.”


Note: Content on OCM Solution's ocmsolution.com website is protected by copyright. Should you have any questions or comments regarding this OCM Solution page, please reach out to Ogbe Airiodion (Change Management Lead) or the OCM Solutions Team today. OCM Solution was previously known as Airiodion Global Services (AGS).
