September 24, 2022

Three Free DPIA Templates and How to Use Them 

In this article, you will find three DPIA templates: one from the UK, one from the French DPA, and one from the IAPP, the International Association of Privacy Professionals. Because of their expertise, we can rely on the templates they provide. 

By now, you should have a firm grasp on what a DPIA is and whether or not you might benefit from conducting one. Now you're looking for a free DPIA template so you can make your own, and this is where we can help. 

In this article, you will find three DPIA templates: one from the UK, one from the French DPA, and one from the IAPP, the International Association of Privacy Professionals. Because of their expertise, we can rely on the templates they provide. 

You must fill out these templates, but you're not sure how to do it, so that presents a problem. So, let's go over each one and see what you'll need to do to fulfill them and how to do it. Knowing what to do with data and what to include in your assessment makes the process much simpler. 

Free DPIA Template from the UK ICO 

The ICO, or The Information Commissioner's Office, is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO shared a sample DPIA template that you could fill out to meet your business's DPIA requirements. The assessment is completed in seven steps. 

Step 1: Identify the need for a DPIA

Here you need to determine:

  • What the project involves,
  • What data processing is involved, and
  • Why does it trigger the DPIA requirement (if it triggers at all).

Begin by explaining your project, website, or app and what it hopes to provide to users. For example, if you offer users a fitness tracking app that can be connected to a smartwatch and track various health parameters, you must provide detailed instructions. 

Then, describe the data processing involved. Is it just a heart rate monitor, or does it also track your location to keep track of how many steps you take during the day? How does a user create an account? What information does the user need to give? 

Lastly, explain why you think that the way the data is being processed might make it necessary to do a DPIA. As we explained in another article, the DPIA triggers include:

  • Profiling and automated decision-making based on personal data, such as profiling to determine the credit rating of a person,
  • Processing of sensitive personal data, such as health data processed by a fitness app, financial data processed by a personal finance app,
  • Processing of personal data related to criminal convictions or offenses, such as HR software processing criminal records data, or,
  • Systematic monitoring of public areas, such as CCTV monitoring.

In the case of the fitness app, the trigger would be the processing of health and geolocation data. There is no way around the DPIA rules if you handle sensitive information. 

Step 2: Describe the processing

The second step requires you to describe the processing data. Here you have to describe the nature, the scope, the context, and the purposes of processing data. 

This is a very important step. As a result, you'll have a better understanding of the big picture of your data processing and the potential risks. It is recommended to use a flowchart to illustrate the data flow and make the process easier to understand. 

Nature of Processing

In this section, describe the following:

  • How will you collect data?
  • How will you use data?
  • How and where will you store data?
  • How and when will you delete data?
  • What is the source of the data?
  • Will you be sharing data with anyone (third parties such as social media, app or website analytics tools, plugins, and other third parties)?
  • What types of processing identified as likely high risk are involved? For now, it's sufficient to simply identify whether or not anything is likely to cause a problem.

Scope of Processing

Describing the scope of processing means describing the following:

  • What is the nature of the data, and does it include special category or criminal offense data?
  • How much data will you be collecting and using?
  • How often will you use the data?
  • How long will you keep the data?
  • How many individuals are affected by the data processing?
  • What geographical area does it cover?

Context of Processing

Determine the context of processing by answering the following questions:

  • What is the nature of your relationship with the individuals? Are they users who sign up for a user account? How do you acquire this information—from them or a third party? 
  • How much control will they have? Can they determine what data to share with you? Can they easily see how you process their data? 
  • Would they expect you to use their data in this way? A fitness app is expected to process some health data and geolocation, but it may not be required to process biometric data.  Would your users anticipate you to process the data you're processing, or is this something that will catch them off guard? 
  • Do they include children or other vulnerable groups?
  • Are there prior concerns over this type of processing or security flaws? 
  • Is the processing novel in any way or is it usual for these kinds of websites or apps?
  • What is the current state of technology in this area?
  • Are there any current issues of public concern that you should factor in, such as bias by AI, processing of biometric data, etc.?
  • Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

Purposes of Processing

Finally, you need to explain why you need to process personal data. ICO recommends answering to the following questions:

  • What do you want to achieve?
  • What is the intended effect on individuals?
  • What are the benefits of the processing for you, and more broadly?

In the case of the fitness app, it's not enough to simply promise the user useful insights about their activities and health. You need to explain that:

  • After being processed, data will reveal information about users' health and fitness. 
  • Consequently, people will be more motivated to exercise and enjoy better health. 
  • It's only through processing that you can actually deliver the service to users, etc. 

Step 3: Consultation process

If you're going to be handling sensitive data, as indicated by triggering the DPIA criteria, you may want to get input from a wide range of interested stakeholders. 

These stakeholders may include:

  • Your data processors. Discuss with them about the data processing methods they use. You should verify that they are acting lawfully when handling your data.
  • Security experts. The best way to secure the safety of your data is to engage data security specialists or data protection experts if you find any serious risks. 
  • The Data Protection Agency. DPAs are there to provide a hand if you require any guidance or assistance with the necessary actions. 

Step 4: Assess necessity and proportionality

The fourth step of a DPIA is to determine whether or not the goals can be achieved with no data processing at all, or with significantly less data processing. 

You'll get the answer by delving into the following questions: 

  • What is your lawful basis for processing?
  • Does the processing actually achieve your purpose?
  • Is there another way to achieve the same outcome?
  • How will you prevent function creep?
  • How will you ensure that you process only the minimum necessary data and that it is the right data to be processed for your purposes?
  • What information will you give individuals?
  • How will you help to support users’ rights?
  • What measures do you take to ensure your data processors comply?
  • How do you safeguard any international transfers to third countries?

If you ask yourself these questions, you'll have a better understanding of whether or not the data you're collecting is truly important to achieve your goals. If the answer is positive, you should proceed to the next step.

Step 5: Identify and assess risks

By now, you should have a firm grasp on why, what, and how data is collected, processed, and deleted. This kind of overview will paint a clear picture of the risks inherent in data processing. This is the step when you identify them and determine how serious they are. First you identify them, and then proceed to assess each and every one of them.

The ICO proposes to assess risks by determining:

  • The likelihood of harm, which can be remote, possible, or probable. Here, you'll want to assess the likelihood of the damage. Remote refers to something that is extremely improbable to happen, whereas probable is the other end of the spectrum and refers to something that is very likely to happen. 
  • The severity of harm, which if happens at all, can be minimal, significant, or severe.
  • The overall risk, which you can determine as low, medium, or high. Taking into account both the frequency and degree of harm allows you to assess the risk. So, if it is probable that the risk will lead to severe consequences, the overall risk is high. If it is a remote risk with small implications, the risk is low. If you have a combination of possible risk with small repercussions, the risk may still be modest, depending on the conditions. 

Step 6: Identify measures to reduce risk

Here, you spell out exactly what steps you'll take to mitigate such dangers. The table you'll need to accomplish has five columns, and you should fill them in as follows: 

  • Risk. List all the identified potential risks.
  • Options to reduce risks. Provide at least one suggestion for mitigating the problem. 
  • Effect on risk. For each option, determine if it will eliminate the risk altogether, will lessen it, or you will just accept the risk because it is impossible to minimize or eliminate it. 
  • Residual risk. Check if any risks remain after the risk-reducing measures have been taken. In cases where preventative actions fall short in removing all risks, this is where you must decide which risks are acceptable to remain. 
  • Measure approved. You should indicate in this column whether or not the proposed risk-mitigation strategy has been approved.

Step 7: Sign off and record outcomes

The DPIA is finalized with the signatures of all parties involved. This includes the DPO, the approver for the risk-reducing measures, and anyone else who had a hand in creating the DPIA. 

Free DPIA Template from France CNIL

The French data protection agency (CNIL) offers a free PIA template and guidance on how to fill it out. This section summarizes the procedure in a way that is easy to understand so that you may carry it out on your own. 

The free template provided by the CNIL is a more comprehensive privacy impact assessment than that provided by the ICO. It asks a lot of questions, the answers to which will help you fill out the template. The following sections will give you a general idea of the questions and how they guide the process. 

Context

The first step is to provide some basic information about your company and your data processing activities. 

Overview of the processing

The template starts with a form where you fill in your details. You also need to give details about any industry standards that apply to your processing, if any. The financial and medical sectors, for example, have to meet stricter security regulations. Don't forget to include them here. 

Data, processes and supporting assets

In this section, you will make a map of your data flow. Making a flowchart would be a huge help. Here's where you need to get as specific as you can, as a high-level overview won't get you very far in terms of identifying possible risks. 

Fundamental Principles

Next, you should verify that your processing activities conform to the most fundamental principles for data protection.

Assessment of the controls guaranteeing the proportionality and necessity of the processing

The forms in this section require you to determine:

  • Your processing purposes
  • Your legal basis for each processing activity
  • Whether you process only the minimum amount of data necessary for the purpose
  • Your data quality
  • Storage duration and justification of the duration
  • Assessment of the overall alignment with the basic principles

You might need to leave some fields blank (or write N/A) sometimes. There are a lot of fields and questions in the template that might not apply to your processing. 

Assessment of controls protecting data subjects' rights

The CNIL has a list of what you can do to protect the rights of the people whose information you have. The free PIA template has a list of activities and asks you to decide whether to perform some of them or not. By answering these questions, you'll get an idea of what you already do to protect their rights and what you could do to do a better job. 

The list is comprehensive. It has ways to tell people about their rights, ways to control data privacy, information about international data transfers, and other topics. 

Data Security Risks

In the third section, the security risks of data processing are looked at. This section is split into two parts: an assessment of security controls and a list of possible privacy breaches. 

Assessment of security controls

This subsection asks you to assess your alignment regarding a list of security controls, such as encryption, anonymization, logical access control, logging, archiving, etc.

Again, the free CNIL PIA template makes it easy for you to make the assessment by yourself because the questions give you an idea of what you could implement to protect your users’ data.

For each measure, you must evaluate: 

  • Whether it has been implemented,
  • Why not (if it hasn’t been implemented),
  • Whether the existing situation is acceptable or can be improved upon, and,
  • Any corrective controls.

There are instructions on how to fill out the form fields in the template itself. For example, when you evaluate how you use backups, you have to explain how they are managed and where they are kept. You won't have to second-guess yourself on whether or not you've completed this part correctly. 

Both technical controls and organizational controls are covered by the template. 

Risk assessment: potential privacy breaches

The template shows three main risks: 

  • Illegitimate access to data
  • Unwanted change of data
  • Disappearance of data

For each of these, you need to figure out where the risks come from, how likely it is that they will happen, how bad they will be and what they will do, and how to protect yourself from them. 

You also need to determine if your current controls are appropriate for the risks, how they could be made better, and what risks remain. 

Validation of the PIA

In the last section, you'll go over the whole PIA again to make a list of all the controls you have in place to meet the GDPR. Read about GDPR DPIAs and learn if your organization needs one.

Then you'll use the Mapping Risks Matrix to look at the risks. You'll now know exactly what your risks are and how to reduce them. 

The PIA will then be signed by the concerned parties.

Free DPIA Template from Canada’s OIPC BC

The third and final free PIA template we want to present to you has been created by the Office of the Information and Privacy Commissioner of British Columbia, Canada. The OIPC BC is the primary agency in charge of implementing and monitoring compliance with the British Columbian Personal information Protection Act (PIPA).

It looks like the first two templates, which shouldn't be a surprise since this province wants to make sure its laws are in line with the GDPR

The document can be downloaded in MS Word format. The OIPC BC has also given instructions on how to fill it out, which we'll sum up here.

This template is made up of seven parts. Before getting into the sections, it starts with an overview called the Executive Summary. The PIA should be completed before the Executive Summary is written so that all relevant data is available. 

General Administrative Details

Establishing who you are as a company is the first step. The PIA's author must also be disclosed. They will be a great resource for the Office of the Information and Privacy Commissioner if they have any questions about the document. 

This part should also contain the following:

  • Description of the plan to conduct a PIA, including what the goal is and what the benefits will be. 
  • Scope of the PIA, including what parts of the organization's processing activities it covers and what it doesn't cover. 
  • List of documents that are related to the PIA initiative. 

Operations and Risk Analysis

Now comes the real work of processing. Here, you have to give a clear description of how your processing works before assessing the risks involved. 

Specify what kinds of personal data you collect and on what basis you do so. You must make it clear whether or not you are relying on consent in order to comply with the BC PIPA. 

If you rely on consent, you should also make it clear what will happen if the user decides to withdraw it, including whether or not they will continue to receive the products and services. 

In cases where explicit consent is needed, you should also specify the type of consent notice that will be used. 

After you have figured out how to collect data and send out notifications, you should make a data inventory and a data flow diagram. These should contain the following:

  • Category of personal information
  • Sensitivity of the processed personal data
  • Why you process it
  • Third parties with whom you share the data
  • Why you share the data to third parties
  • For how long you store the data

Information and instructions on how to make the flowchart are included in the template. If you are familiar with your procedures, figuring it out shouldn't be that difficult. 

Once you have the data inventory, you can proceed to assessing the security of data.

Security of Personal Information

In this part of the template, you have to make a list of all the physical, technical, and organizational steps you're taking to reduce the risks of data processing. 

You need to make a list of all your risks and the security measures you already have. If there are any gaps, you need to figure out how to fix them. 

Appendix A of the template has a table with a long list of possible risks and ways to deal with them. Start there, and feel free to add any risks and steps that you think are right for your situation. Don't forget to explain how you'll check compliance in the future. 

The security section of this template is much shorter than those of other templates. 

Access, Accuracy, Correction, and Retention

In the fourth section, you'll look at how PIPA rights can be exercised by your users. You must answer the questions below: 

  • How individuals can request their own personal information and have it updated, corrected, or annotated. You must have chosen a method of communication by now, so it shouldn't be hard to answer these questions. If you don't have anything like that, inform your users that they can email you. 
  • What your legal or business requirements are for the information and how long must you retain information to meet this requirement. Some laws require you to keep personal information for a certain amount of time. For example, you have to keep information about your employees for a certain amount of time. If you store information that needs to be kept and/or deleted after a certain amount of time, describe it here. 
  • How your organization will dispose of the personal information after the retention period is completed. Finally, take stock of how and when you delete old information. Remember to erase any backups from your servers and shred any paper records you have.

Privacy Officer(s) Comments

You will only fill out this part if the Privacy Officer has anything to say about the PIA. If there are no such comments, it will stay blank. 

More Information

This section is in the template, but it's not clear what it should have. The guidelines point to this link, so you may want to look at any of the documents there and decide if they are important for your PIA. 

Signatures

The PIA will be signed by responsible parties here.

Final Thoughts

Not everyone knows how to do a Data Privacy Impact Assessment. Although you may be feeling overwhelmed at the moment, you should know that this feeling will pass. You can start from scratch, or use one of the templates as a guide. 

Possible risks will become apparent after you have the data inventory, and you can move forward with confidence. Because data processing is so different from one business to the next, there is no single DPIA template that applies to everyone. 

You obviously care about your users' privacy if you've made it this far, and you know that conducting a PIA is a good practice. Excellent; keep heading in that direction.