DATA PROTECTION IMPACT ASSESSMENT (DPIA)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Special/sensitive data: [yes/no; describe basis for processing].
  • Volume and retention: [records/year], [retention schedule and deletion triggers].
  • Processing activities: [collection, storage, analysis, sharing, sale/sharing status].

3. Legal Basis and Notices

  • Lawful basis (by data category): [consent/contract/legal obligation/legitimate interests]; include a balancing test summary where legitimate interests is relied on.
  • Privacy notices/just-in-time notices: [links/placement]; consent capture and withdrawal process.
  • Age gating/parental consent (if minors): [process].

4. Data Flow and Access Map

  • Source systems: [list].
  • Storage/hosting locations: [cloud region/data centers].
  • Transfers: [cross-border transfers, SCCs/TIAs/UK IDTA status].
  • Recipients/vendors: [processors/subprocessors/controllers]; DPAs/SCCs in place [yes/no].
  • Access roles: [RBAC groups]; least-privilege controls; joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, data loss prevention, backups, vulnerability management.
  • Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
  • Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access review cadence.

6. Risks and Impact Assessment

  • Threats/risks: [e.g., unauthorized access, data minimization failure, purpose creep, cross-border transfer risk, DPIA trigger criteria].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high].
  • Risk rating matrix: [insert table].

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [penetration test/data quality checks/privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Approvals and Accountability

  • Data Protection Officer/Privacy Lead review: [name/date].
  • Security review: [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

9. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Legitimate interests assessment (if applicable).
  • Testing summaries and penetration test reports (if applicable).

Revision history: [Version, Date, Summary, Author]