Data Protection Impact Assessment (DPIA) Template
Article 35 DPIA template for high-risk processing activities, covering systematic risk identification, likelihood/severity assessment, and required mitigation measures.
Quick Answer
A DPIA under GDPR Article 35 is mandatory for systematic profiling, large-scale processing of special category data, or systematic monitoring of public areas. It requires a likelihood/severity risk matrix, documented mitigations, consultation with the DPO, and prior consultation with the supervisory authority if residual risk remains high.
Penalty if not compliant
Up to €20 million or 4% of global annual turnover; authorities can prohibit processing entirely if a DPIA was required but not conducted.
Frequently Asked Questions
When is a DPIA mandatory?
A DPIA is mandatory when processing is "likely to result in high risk" to individuals. The GDPR specifically requires one for: systematic and extensive profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas.
Can a single DPIA cover multiple similar processing activities?
Yes. A single DPIA can assess a set of similar processing operations with comparable high risks, for example, a DPIA covering all employee monitoring across different systems or departments.
Does the DPIA need to be published?
No mandatory publication requirement exists in the GDPR. However, the ICO and other DPAs encourage transparency and may require it to be shared with the supervisory authority. Some organisations choose to publish summaries as a trust signal.
Need this turned into a real document?
Our compliance sprint service delivers production-ready documents tailored to your organisation in 5–15 business days. A senior compliance specialist reviews every document before delivery.