iO consulting
consult@osipov.uk
Data Protection Impact Assessment (DPIA) Template
Purpose: Assess privacy risks for a new product, service, or processing activity. This single-file application supports a generic DPIA structure aligned to common GDPR/ICO expectations.
0) DPIA Metadata
DPIA ID / Reference
RoPA Reference (if applicable)
Version
Status: Draft / In review / Approved / Retired
1) Project & Roles
Define the accountability structure. Use 'iO consulting' placeholders as a guide for auditor-friendly responses.
UK GDPR
EU GDPR
Project Name
DPIA Date
Data Controller
Processor(s)
Business Owner / Product Owner
DPO / Privacy Lead
DPO / Privacy Contact
Technical/System Owner
2) Screening (DPIA Trigger)
Assess if processing is 'likely to result in high risk'. If unsure, iO consulting recommends proceeding with the full assessment.
High-risk indicators (answer No / Yes for each):
Special category
Children/minors
Large scale
Transfers
ADM/Profiling
Record why a DPIA is or isn't required and whether residual high risk could trigger regulator consultation.
Screening Notes (why DPIA is required / not required)
3) Systematic Description of Processing
Data Subjects
Processing Overview
Data Sources
Recipients / Accessors
4) Purpose, Lawful Basis & (If Applicable) Special Category Condition
Primary Purposes
Art. 6 Lawful Basis
Contract (Art. 6(1)(b))
Legitimate Interests (Art. 6(1)(f))
Consent (Art. 6(1)(a))
Legal obligation (Art. 6(1)(c))
Vital interests (Art. 6(1)(d))
Public task (Art. 6(1)(e))
If Legitimate Interests, complete/attach an LIA; if Consent, ensure easy withdrawal and avoid imbalance of power.
Special category (Art. 9) — complete only if special category is processed
Art. 9 Condition
Not applicable
Explicit consent (Art. 9(2)(a))
Employment/social security law (Art. 9(2)(b))
Vital interests (Art. 9(2)(c))
Not-for-profit (Art. 9(2)(d))
Made public by data subject (Art. 9(2)(e))
Legal claims (Art. 9(2)(f))
Substantial public interest (Art. 9(2)(g))
Health/social care (Art. 9(2)(h))
Public health (Art. 9(2)(i))
Research/statistics (Art. 9(2)(j))
Special Category Notes
5) Necessity & Proportionality
Why is processing necessary?
Less intrusive alternatives considered
Proportionality controls
6) Data Minimisation & Categories
Audit Tip: Explicitly listing what you DO NOT collect is a strong signal of privacy-by-design to regulators.
Personal data captured (tick what applies)
Name
Email
Role
Timezone/Locale
Adherence timestamps
Device metadata
IP address (logs)
Support messages/tickets
Explicitly exclude where possible: diagnosis/treatment, injury details, medical images, free-text health notes.
Minimisation notes
7) Data Flows, Hosting, Subprocessors
Hosting Region
UK
EU (EEA)
UK + EU
Other (detail below)
Subprocessors
Data flow notes
International transfers (complete if transfers occur)
Destination countries
Transfer mechanism
Not applicable
Adequacy regulations
UK IDTA
EU SCCs
Binding Corporate Rules
Other (describe)
Transfer Impact Assessment (TIA)
Not applicable
Not started
In progress
Completed
TIA reference / link
8) Telemetry, Cookies/SDKs, and Communications
Telemetry/analytics collected
Consent/opt-out model (where applicable)
9) Automated Decision-Making / Profiling (Art. 22)
If ADM/profiling is used: logic and outputs
Safeguards
10) Access Controls & Security
Controls (tick what applies)
RBAC (least privilege)
MFA for admins
SSO/SAML for enterprise
TLS in transit
Encryption at rest
Managed KMS/HSM
Secrets management
Audit logs (tamper-resistant)
Monitoring/alerting
Vulnerability scanning + patch SLAs
MDM for staff devices
Jailbreak/root detection
Backups + restore tests
Pen test / security review
Secure SDLC (reviews, CI checks)
Security notes
11) Incident Response & Breach Notification
Incident response plan reference
Breach notification process
12) Retention & Deletion
Retention (primary records)
Retention (logs/telemetry)
Retention (backups)
Deletion process + verification
13) Transparency & Data Subject Rights
Privacy notice URL / delivery
DSAR contact
DSAR handling SLA
Identity verification approach
14) Safeguarding (if minors)
Complete if "minors = yes"
Age gate / age estimation
Parental/guardian consent & verification
No 1:1 chat (MVP)
Time-of-day messaging limits
Named safeguarding lead
Safeguarding notes
15) Risk Register (Likelihood × Impact)
Risk Distribution Matrix
Use this to document risks to individuals (not just to the business). Residual risk should reflect mitigations.
Register columns: Risk scenario | Impact (1–5) | Likelihood (1–5) | Mitigations / controls | Residual notes / owner
Impact scale: 1 (Low), 2, 3, 4, 5 (High)
Likelihood scale: 1 (Rare), 2, 3, 4, 5 (Likely)
The form provides three risk rows by default, each using the same Impact and Likelihood scales.
16) Consultation, Residual Risk Decision & Approvals
Consultation
DPO consulted? (No / Yes)