DPIA Template | The DPO Diary

1

Project / Processing Overview

Project / Processing Name

DPIA Reference Number

Project Owner / Lead

DPO Contact

Assessment Date

Next Review Date

Describe the Processing

2

Necessity and Proportionality

What is the Purpose of the Processing?

What is Your Lawful Basis for Processing?

Consent — The individual has given clear consent Contract — Necessary for a contract with the individual Legal Obligation — Necessary to comply with the law Vital Interests — Necessary to protect someone's life Public Task — Necessary for official functions or public interest Legitimate Interests — Necessary for legitimate interests (requires balancing test)

Justify Your Lawful Basis

Is the Processing Necessary?

Is the Processing Proportionate?

Data Minimisation Checklist

Have you considered whether you can:

Collect less data to achieve the same purpose?
Use anonymised or pseudonymised data instead?
Reduce the retention period?
Limit who has access to the data?

3

Data and Individuals Involved

Special Category Data

If any special category data is involved (marked with ⚠️), you must identify an additional condition under Article 9 UK GDPR for processing this data.

Article 9 Condition (if applicable)

Categories of Individuals Affected

Employees / Staff Customers / Clients Suppliers / Contractors Members / Subscribers Patients / Service users ⚠️ Children (under 18) ⚠️ Vulnerable adults Members of the public

Estimated Number of Individuals

Source of Personal Data

4

Data Flows and Processing Operations

How Will Data Be Collected?

Where Will Data Be Stored?

Who Will Have Access to the Data?

Third-Party Processors / Recipients

Retention Period

International Transfers

No international transfers — Data remains in UK/EEA Transfer to adequacy country — Country has adequate protection Standard Contractual Clauses (SCCs) in place Binding Corporate Rules (BCRs) in place Other safeguard (specify below)

Transfer Safeguard Details

5

Consultation

Have You Consulted Relevant Stakeholders?

Data Protection Officer IT / Information Security team Legal / Compliance team Representatives of data subjects Third-party processors Other stakeholders (specify below)

Consultation Summary

Seeking Views of Data Subjects

Article 35(9) requires you to seek the views of data subjects or their representatives where appropriate. This could include surveys, focus groups, or consulting with representative bodies. Document your approach and any reasons for not seeking views.

6

Risk Identification and Assessment

Identify risks to individuals' rights and freedoms. Consider risks relating to the ability to exercise rights, as well as risks of harm.

Risk Assessment Matrix

For each identified risk, assess the likelihood and severity, then describe measures to mitigate.

Risk Description	Likelihood	Severity	Overall	Mitigation Measures

7

Measures to Address Risks

Technical Measures Detail

Organisational Measures

Data protection policies in place Staff training on data protection Data processing agreements with third parties Privacy notice updated / provided to individuals Subject access request process in place Data breach response procedures Processing recorded in Records of Processing Activities Regular review and audit procedures

Organisational Measures Detail

8

DPIA Outcome

Residual Risk Assessment

✓ Low Residual Risk

After mitigation measures, risks are acceptable and processing can proceed

⚠ High Residual Risk

Risks cannot be sufficiently mitigated — prior consultation with ICO required

Outcome Rationale

Prior Consultation Required?

Under Article 36, if you cannot mitigate the high risks identified, you must consult the ICO before proceeding with the processing. The ICO will provide written advice within 8 weeks (or up to 14 weeks for complex matters).

Processing Decision

Proceed with processing — Risks adequately mitigated Proceed with conditions — Additional measures required (specify below) Consult ICO — High residual risk requires prior consultation Do not proceed — Risks too high, processing should not take place

Conditions / Additional Measures Required

9

Approval and Sign-off

Project Owner / Business Lead

Signature

Date

Data Protection Officer