GDPR

GDPR DPIA Template: When You Need One and How to Complete It

The Article 35 triggers, the EDPB nine criteria, a copy-paste DPIA template, and a step-by-step method — written for US SaaS and healthtech teams selling into the EU.

The short answer

A Data Protection Impact Assessment (DPIA) is a structured risk assessment required by GDPR Article 35 before you start any processing that is “likely to result in a high risk to the rights and freedoms of natural persons.” You must complete it before processing begins. Article 35(3) lists three cases where a DPIA is always mandatory; EDPB-endorsed guidance adds nine risk criteria, and meeting two or more usually means you need one.

What you get below: a plain-English trigger checklist, a copy-paste template mapped to Article 35(7), and a step-by-step method. If you would rather have it facilitated, see our GDPR audit services.

Key takeaways

  • Article 35(3) sets three automatic triggers: large-scale profiling with significant effects, large-scale processing of special-category (Art. 9) or criminal (Art. 10) data, and systematic monitoring of a public area. Meet one, and a DPIA is mandatory.
  • The EDPB nine criteria are the practical test. They originate in WP248 rev.01 from the Article 29 Working Party (endorsed by the EDPB); processing that meets two or more usually requires a DPIA.
  • Article 35(7) fixes the minimum contents: systematic description, necessity and proportionality, risk assessment, and mitigating measures — with mandatory DPO advice under Article 35(2).
  • Skipping a required DPIA is an Article 83(4) lower-tier fine (up to EUR 10M / 2% of worldwide turnover), not the EUR 20M / 4% tier that applies to core-principle breaches.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a documented process for identifying and minimising the data-protection risks of a project before you build or launch it. Its legal basis is Article 35 GDPR, which requires the controller to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data where that processing is likely to result in a high risk to individuals. Recitals 84, 90, and 91 frame it as an accountability instrument for high-risk processing.

A DPIA is not the same thing as your data inventory. Below are the terms you will see used interchangeably online — they are distinct legal instruments.

DPIA (Data Protection Impact Assessment)
An Article 35 risk assessment, triggered only when processing is likely to be high-risk, owned by the controller with DPO advice.
ROPA (Records of Processing Activities)
An Article 30 standing inventory of processing activities that most organizations must keep regardless of risk. It feeds the DPIA but is a separate obligation.
Controller vs processor
The controller determines the purposes and means of processing and owns the DPIA; the processor acts on the controller's instructions (typically your vendors and subprocessors).
Special category data (Art. 9)
Health, biometric, genetic, racial or ethnic origin, political, religious, sex-life, and similar sensitive data attracting extra protection.
Residual risk
The risk to rights and freedoms that remains after your planned mitigations. High residual risk triggers Article 36 prior consultation.

For a broader map of who counts as a controller or processor and when EU territorial scope reaches a US company, see GDPR obligations for US SaaS companies.

When do you need a DPIA? The Article 35 triggers

There are three layers to the “when” question: the three mandatory cases in Article 35(3), the EDPB nine-criteria rule of thumb, and the national supervisory-authority mandatory lists. Work through all three — any one of them can compel a DPIA.

The three mandatory cases in Article 35(3)

Article 35(3) names three types of processing that always require a DPIA:

  • Art. 35(3)(a) — a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect the person (this links to Article 22 automated decision-making). Example: an AI feature that scores users to gate access to a product tier or a loan.
  • Art. 35(3)(b) — processing on a large scale of special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10). Example: a healthtech platform processing patient health records at scale.
  • Art. 35(3)(c) — systematic monitoring of a publicly accessible area on a large scale. Example: a smart-camera or location-analytics product deployed across public venues.

Healthtech readers processing health data as an Art. 9 special category should also review their overlapping US obligations in our HIPAA compliance guidance — the same dataset often triggers both regimes.

The EDPB nine criteria and the “two or more” rule

Because Article 35(3) is not exhaustive, the Article 29 Working Party published WP248 rev.01 (later endorsed by the EDPB) setting out nine criteria for identifying high-risk processing. As a rule of thumb, processing that meets two or more criteria will usually require a DPIA; a single criterion may be enough in some cases. You may still conclude no DPIA is needed, but you must document that justification.

The EDPB nine high-risk criteria (WP248 rev.01)
#CriterionWhat it meansB2B SaaS / healthtech example
1Evaluation or scoringProfiling and predicting behaviour, performance, or preferencesRisk-scoring users; usage-based churn prediction
2Automated decision-making with legal or similar effectDecisions that affect access to a service or contractAuto-approving or denying accounts or credit
3Systematic monitoringObserving, tracking, or controlling data subjectsEmployee productivity monitoring; session tracking
4Sensitive or highly personal dataArt. 9/10 data or data revealing intimate detailsHealth, mental-wellness, or financial records
5Data processed on a large scaleHigh volume, wide range, long duration, or geographyMillions of end-user accounts across the EU
6Matching or combining datasetsMerging data from separate operations or sourcesEnriching CRM records with third-party data
7Vulnerable data subjectsChildren, employees, patients, or asymmetric relationshipsProducts aimed at children or patients
8Innovative use / new technologyApplying new technical or organisational solutionsGenerative-AI features; new biometric login
9Preventing exercise of a right / use of a serviceProcessing that blocks a right, service, or contractAutomated denial of onboarding or benefits

National DPA mandatory lists (and EU vs UK divergence)

Under Article 35(4), every supervisory authority must publish a list of processing operations subject to a mandatory DPIA — the “blacklist.” Under Article 35(5) they may also publish an optional “whitelist” of operations needing no DPIA. The EDPB issued consistency opinions on the draft lists of the supervisory authorities to align them, but the lists still differ by member state. If you operate in more than one country, you must check each relevant DPA's list.

National mandatory-DPIA lists at a glance
Authority (regime)Example listed processingWhere to find the list
CNIL — France (EU GDPR)14-item list, e.g. large-scale health data, biometric identification of vulnerable people, profiling affecting access to a contractcnil.fr deliberation on mandatory-DPIA processing
DPC — Ireland (EU GDPR)List including large-scale profiling, tracking location/behaviour, processing biometric data to identify individualsdataprotection.ie DPIA guidance
ICO — United Kingdom (UK GDPR)Own 10-item high-risk list (see below) that extends beyond the EDPB nineico.org.uk DPIA guidance

EU vs UK — do not treat them as one regime. The ICO's guidance and template are built for UK GDPR, which has diverged from EU GDPR following the Data (Use and Access) Act 2025 (and the earlier DPDI proposals). CNIL and the EDPB are your EU GDPR references. A US SaaS company selling into both markets must satisfy the relevant EU lead supervisory authority for EU processing and the ICO for UK processing — so label every template by the regime it belongs to.

The ICO also publishes its own high-risk list under UK GDPR that goes further than the EDPB nine: biometric data, genetic data, data matching, invisible processing (where Art. 14 notice is not feasible), tracking geolocation or behaviour, profiling children for marketing, denial of service based on automated decisions, and combining any “European guidelines” criterion with biometric or genetic data. Even for EU-only processing, it is a useful sanity check.

When you do NOT need a DPIA (and how to document it)

Low-risk processing does not require a DPIA. If your screening shows fewer than two EDPB criteria, no Article 35(3) case, and no national blacklist hit, you can decline — but record the screening decision and reasoning so you can evidence accountability. There is also a narrow exemption in Article 35(10): a separate DPIA is not required where processing under Art. 6(1)(c) or (e) has a legal basis in EU or member-state law and a DPIA was already carried out as part of a general impact assessment when that law was adopted — “unless Member States deem it necessary to carry out such an assessment prior to processing activities.”

DPIA decision matrix: the screening questions to run first

Before drafting anything, run a threshold assessment. Our screening questionnaire below maps each question to its trigger so the outcome is defensible. If any row returns “Mandatory” or you hit two or more EDPB criteria, do the DPIA.

Do you need a DPIA? Decision matrix
Trigger sourceConditionSaaS / healthtech exampleDPIA outcome
Art. 35(3)(a)Systematic profiling with legal / similar significant effectAI scoring that gates product accessMandatory
Art. 35(3)(b)Large-scale Art. 9 / Art. 10 dataPatient health records at scaleMandatory
Art. 35(3)(c)Large-scale systematic monitoring of a public areaLocation analytics across venuesMandatory
EDPB nine criteriaTwo or more criteria metInnovative AI + scoring of usersLikely required
National blacklistProcessing appears on the relevant DPA's Art. 35(4) listBiometric login in France (CNIL)Mandatory
Single EDPB criterionOnly one criterion metStandard analytics on a small user baseScreen & document
No triggersLow-risk, routine processingInternal contact databaseScreen & document (no DPIA)

A 10-question screening questionnaire — yes/no items covering profiling, special-category data, large scale, monitoring, children, new technology, matching, and denial of service — is included in the downloadable template so product managers can run it in minutes.

What a DPIA must contain — Article 35(7)

Article 35(7) sets the minimum content of every DPIA. Map each requirement to a section of your template and attach concrete evidence — this is what makes a DPIA defensible if a regulator asks to see it.

Article 35(7) minimum content mapped to template sections
GDPR requirementWhat the regulation asksTemplate sectionEvidence to attach
Art. 35(7)(a)Systematic description of the processing operations and purposes (incl. legitimate interest where relevant)1. Processing description & purposesData-flow diagram, ROPA extract, system inventory
Art. 35(7)(b)Assessment of necessity and proportionality relative to the purposes2. Necessity & proportionality testData-minimisation notes, retention schedule, lawful basis
Art. 35(7)(c)Assessment of the risks to rights and freedoms of data subjects3. Risk register (likelihood × severity)Scored risk table, threat model
Art. 35(7)(d)Measures envisaged to address risks, incl. safeguards, security, and protection mechanisms4. Mitigations & residual riskSecurity controls, DPA clauses, encryption / access evidence
Art. 35(2)Seek the advice of the DPO where one is designated5. DPO adviceDPO opinion, review date
Art. 35(9)Seek the views of data subjects where appropriate6. Stakeholder / data-subject viewsSurvey, consultation notes, or documented rationale for omission

For Art. 35(7)(d) technical measures, you can often map security safeguards you already evidence for SOC 2 — access controls, encryption, change management, and logging — instead of building a parallel control set.

Free GDPR DPIA template (copy/paste)

The field-by-field template below satisfies Article 35(7). Copy it into a document, complete each field, and keep it as a living record. A formatted Word / Google Doc version with the embedded screening questionnaire is available on request from our GDPR team. For comparison, the two canonical free public templates are the ICO sample DPIA template (UK GDPR) and the CNIL open-source PIA software, currently v3.0 (EU GDPR) — both linked in Sources.

DPIA template — sections and fields
SectionFields to complete
0. Screening & thresholdScreening date; triggers met (Art. 35(3) case / EDPB criteria count / national list hit); DPIA required Y/N; rationale
1. Processing description & purposesProject name; purposes; nature, scope, context; data flows; systems and subprocessors; lawful basis (Art. 6) and any Art. 9 condition
2. Data categories & subjectsCategories of personal data; special categories; volume; categories of data subjects; retention period
3. Necessity & proportionalityWhy the data is necessary; minimisation measures; purpose limitation; data-subject rights mechanisms; international transfers and safeguards
4. Risk registerEach risk to rights and freedoms; likelihood (1–4); severity (1–4); inherent risk band
5. Mitigations & residual riskMeasure for each risk; owner; residual likelihood/severity; residual risk band; accept / mitigate / prior consultation
6. DPO advice (Art. 35(2))DPO opinion; agreement / disagreement recorded; date
7. Data-subject views (Art. 35(9))Whether views were sought; method; outcome or documented rationale for not seeking them
8. Sign-off & reviewDecision to proceed; approver and role; date; scheduled review date; Art. 36 prior consultation Y/N

Worked example — AI-based user scoring (SaaS)

A filled excerpt for a feature that scores users to prioritise support and gate a premium tier. This is the kind of populated risk register regulators and AI engines actually quote.

Worked-example risk register excerpt — AI user scoring
RiskLikelihoodSeverityMitigationResidual band
Discriminatory scoring against a protected group34Bias testing; feature exclusion of proxies; human review of adverse decisions (Art. 22)Medium
Opaque logic — data subject cannot contest33Meaningful information about the logic; contest and human-review routeLow
Cross-border transfer of scoring data to US33Assess transfer risk (SCCs / adequacy); data localisation optionMedium
Subprocessor over-retention of training data23Record processor obligations in a GDPR-compliant DPA; retention limitsLow

How to complete a DPIA, step by step

Run the DPIA as an ordered sequence. Each step produces an artifact that maps to a template section.

  1. Screen (threshold assessment). Run the questionnaire against Art. 35(3), the EDPB nine criteria, and the relevant national list. Record whether a DPIA is required.
  2. Describe the processing. Document purposes, data flows, categories of data and subjects, systems, and subprocessors (Art. 35(7)(a)).
  3. Assess necessity and proportionality. Justify each data element against the purpose; apply data minimisation, purpose limitation, and retention limits (Art. 5, Art. 35(7)(b)).
  4. Identify and score risks. Build the risk register, scoring likelihood × severity for each risk to rights and freedoms (Art. 35(7)(c)).
  5. Define mitigations. Assign a measure and owner to each risk; recompute residual risk (Art. 35(7)(d)).
  6. Seek DPO advice. Obtain and record the DPO's opinion (Art. 35(2)); seek data-subject views where appropriate (Art. 35(9)).
  7. Sign off. The controller decides to proceed and an accountable owner signs before processing starts.
  8. Prior consultation if needed. If high residual risk remains, consult the supervisory authority under Art. 36 before processing.
  9. Review. Treat the DPIA as a living document; reassess when the processing, risk, or technology changes.

Risk scoring rubric (likelihood × severity)

Residual-risk bands and required action
Likelihood (1–4)Severity to data subjects (1–4)Residual risk bandRequired action
1–21–2LowProceed; document
2–32–3MediumMitigate, then proceed
3–43–4High (after mitigation)Prior consultation under Art. 36 before processing
3 (example)4 (example)Medium after mitigationProceed with documented bias controls and human review

Roles, ownership, and sign-off

The controller is legally responsible for the DPIA; the DPO advises and monitors (Art. 35(2)). In practice the work is shared across product, security, and legal. A simple RACI keeps ownership clear.

DPIA roles & sign-off (RACI)
TaskProduct / EngSecurityDPOPrivacy counselExec sponsor
ScreeningRCACI
Drafting descriptionRCCCI
Risk scoringCRACI
Mitigation designRRCCI
Sign-offIICCA/R
Prior consultationICRAI
Review cadenceCCA/RCI

R = Responsible, A = Accountable, C = Consulted, I = Informed.

Article 36 prior consultation

Article 36(1) requires you to consult the supervisory authority before processing when the DPIA indicates the processing would result in a high risk in the absence of measures to mitigate it. Under Article 36(2), the authority provides written advice within up to eight weeks of the request, extendable by a further six weeks for complex processing, with notice of any extension within one month. Note the clock only runs once the authority has the information it needs — under Art. 36(3) it can request further information, which resets expectations. The authority can order changes or prohibit the processing entirely.

Prior consultation is the exception, not the rule: most DPIAs mitigate residual risk to an acceptable level and never reach the regulator. Design your mitigations to avoid it.

DPIA vs ROPA vs data map vs LIA

These documents are routinely confused. They have different legal triggers, owners, and outputs — and you may need several.

DPIA vs ROPA vs data map vs LIA
InstrumentGDPR articleWhen requiredOwnerOutput
DPIAArt. 35Only for likely high-risk processingController (DPO advises)Risk assessment & mitigations
ROPAArt. 30Standing obligation for most organizationsController / processorInventory of processing activities
Data inventory / mapSupporting (Art. 30 / 35)Whenever you need to know your data flowsData / security teamData-flow diagrams
Legitimate Interests AssessmentArt. 6(1)(f)When relying on legitimate interests as lawful basisControllerBalancing test

Integrating DPIAs into product and security workflows

The controllers who do this well treat the DPIA as part of data protection by design and by default (Article 25), not a compliance afterthought. Wire the screening questionnaire into your product intake so any new feature touching personal data is triaged automatically. When a DPIA is needed, reuse artifacts you already maintain: the ROPA feeds the processing description, and your existing security control evidence satisfies most of Art. 35(7)(d).

This is where audit and privacy programs converge. If you already run a SOC 2 program, the access controls, encryption, logging, and change-management evidence you produce for the Trust Services Criteria can be attached directly to a DPIA's mitigations section — one evidence set, two purposes. Keep the DPIA a living document and reassess when the processing, risk profile, or technology changes.

Tool or template? GRC platforms (Vanta, Secureframe, OneTrust) automate DPIA workflows and are worth it once you run many assessments per year. For a handful of DPIAs, the copy-paste template plus DPO review is enough — and a CPA-firm-facilitated DPIA sits usefully between the two, giving you an independently reviewed assessment without standing up a platform.

Common DPIA mistakes

These are DPIA-specific failure modes we see repeatedly — not generic compliance advice.

  • Treating the DPIA as a one-off. Article 35 expects reassessment when risk changes. A DPIA filed once and never revisited is stale the moment the feature evolves.
  • No residual-risk analysis. Listing mitigations without recomputing residual likelihood and severity means you cannot tell whether Art. 36 prior consultation is triggered.
  • Skipping DPO advice. Art. 35(2) makes DPO consultation mandatory where one is designated; omitting it is a documented gap.
  • Ignoring data-subject views. Art. 35(9) expects you to seek stakeholder views where appropriate — or record why you did not.
  • Missing national blacklist obligations. Relying on the EDPB nine criteria alone and not checking the relevant DPA's Art. 35(4) list, or conflating the ICO's UK list with EU requirements.
  • Doing the DPIA after launch. Article 35(1) requires it prior to processing. A retrospective DPIA does not cure the breach.

Frequently asked questions

When is a DPIA required under GDPR?

A DPIA is mandatory under GDPR Article 35(1) whenever processing is likely to result in a high risk to individuals' rights and freedoms. Article 35(3) always requires one for large-scale profiling with significant effects, large-scale processing of special-category or criminal data, or systematic monitoring of a public area. EDPB-endorsed guidance adds that meeting two or more of its nine criteria usually triggers a DPIA.

What must a GDPR DPIA contain?

Under Article 35(7), a DPIA must contain at minimum a systematic description of the processing and its purposes, an assessment of the necessity and proportionality of that processing, an assessment of the risks to data subjects' rights and freedoms, and the measures, safeguards, and security controls envisaged to address those risks. The DPO must be consulted under Article 35(2).

What is the difference between a DPIA and a Record of Processing Activities (ROPA)?

A ROPA under Article 30 is a standing inventory of all processing activities most organizations must maintain regardless of risk. A DPIA under Article 35 is a risk assessment triggered only when processing is likely to be high-risk. The ROPA and data map feed the DPIA, but they are separate documents with different legal triggers and owners.

When must you consult the supervisory authority about a DPIA?

Under Article 36, prior consultation with the supervisory authority is required when a completed DPIA shows the processing would still be high-risk even after planned mitigations. The authority provides written advice within up to eight weeks of the request, extendable by a further six weeks for complex cases, and can order changes or ban the processing.

Is a DPIA mandatory for every company?

No. A DPIA is only required when processing is likely to result in a high risk to individuals, per Article 35. Low-risk processing does not need one, though controllers should document the screening decision. National supervisory authorities such as CNIL in France and the ICO in the UK also publish mandatory-DPIA lists that can compel one regardless of the controller's own assessment.

Who is responsible for completing a DPIA?

The data controller is legally responsible for carrying out the DPIA. Under Article 35(2) it must seek the advice of its Data Protection Officer where one is designated. In practice product, engineering, and security teams supply inputs, the DPO or privacy counsel reviews, and an executive sponsor signs off before processing begins.

Does the ICO DPIA template work for EU GDPR?

The ICO's DPIA template is built for UK GDPR, which has diverged from EU GDPR after the Data (Use and Access) Act 2025. Its structure maps cleanly to EU Article 35(7), so it is a useful starting point, but for an EU-facing DPIA you should align to CNIL and EDPB guidance and satisfy the relevant EU lead supervisory authority.

What is the fine for failing to do a required DPIA?

Failing to carry out a required DPIA or to seek prior consultation falls in the lower fine tier under Article 83(4): up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. The higher EUR 20 million / 4% tier under Article 83(5) applies to breaches of core principles and data-subject rights, not to the DPIA obligation itself.

Sources & further reading

  1. EU GDPR — Article 35, Data protection impact assessment (Regulation (EU) 2016/679), and Article 36, Prior consultation; fine tiers at Article 83.
  2. Article 29 Working Party (endorsed by the EDPB) — Guidelines on Data Protection Impact Assessment (DPIA), WP248 rev.01, setting out the nine high-risk criteria.
  3. ICO (UK GDPR) — Data protection impact assessments guidance and its sample DPIA template (.docx).
  4. CNIL (EU GDPR) — Privacy Impact Assessment (PIA) methodology and free open-source PIA software (v3.0).
Sébastien Ruosch Reviewed by Sébastien Ruosch, CPA (US & Swiss licensed), Director of Audits at Auditsuisse. This article is general information, not legal advice; consult a Data Protection Officer or privacy counsel for your specific processing. Last reviewed July 1, 2026.

Need help running or reviewing a DPIA?

Auditsuisse helps US-first SaaS and healthtech teams scope, run, and independently review DPIAs, mapping the security safeguards you already evidence to Article 35(7) — see our GDPR audit services or book a call.

Request Consultation
Back to top ↑