# Data Protection Impact Assessment (DPIA) — Template

_Aligned to GDPR Art. 35, ICO DPIA guidance and POPIA Code of Conduct expectations._

> Cyntech publishes this template as a courtesy. It is not legal advice.
> Adapt to your organisation, your supervisory authority's expectations, and the
> specifics of the processing under review.

- **Project / processing activity:** ________________________
- **Business owner:** ________________________
- **Privacy reviewer (DPO / Information Officer):** ________________________
- **Assessment date:** ________________________
- **Decision:** Proceed / Proceed with conditions / Do not proceed

---

## Step 1 — Identify the need for a DPIA

A DPIA is mandatory under GDPR Art. 35(3) for, among others:
- Systematic and extensive evaluation of individuals (including profiling)
- Large-scale processing of special-category or criminal-conviction data
- Systematic monitoring of publicly accessible areas

Briefly explain what triggered this DPIA:

________________________________________________________________________

## Step 2 — Describe the processing

- **Nature**: how data is collected, used, stored, deleted; the source and recipients.
- **Scope**: data categories, volume, frequency, geographic reach, retention.
- **Context**: data subjects' relationship to you, public expectations, the current state of technology.
- **Purposes**: the intended effect on individuals and the benefit to the organisation.

## Step 3 — Consultation

- Internal stakeholders consulted: _________________________________
- Processors consulted: _________________________________________
- Data subjects consulted (or reason why not): __________________________
- Where a DPO disagrees with the outcome, the decision and rationale must be documented.

## Step 4 — Assess necessity and proportionality

- Lawful basis identified: ______________________________________
- Less intrusive alternatives considered and rejected because: _______
- How will purpose limitation, data minimisation and accuracy be ensured?
- How will data subjects exercise their rights?
- What are the international transfer safeguards?

## Step 5 — Identify and assess risks

| Risk to individuals | Likelihood (L/M/H) | Severity (L/M/H) | Overall risk |
| --- | --- | --- | --- |
| | | | |

Examples to consider: re-identification, unauthorised access, discrimination,
loss of control, reputational damage, financial loss, denial of service.

## Step 6 — Identify mitigations

| Risk | Mitigation | Effect on risk | Residual risk | Owner |
| --- | --- | --- | --- | --- |
| | | | | |

## Step 7 — Sign-off and outcome

| Item | Name | Date | Signature |
| --- | --- | --- | --- |
| Measures approved by | | | |
| Residual risks approved by | | | |
| DPO advice | | | |
| Outcome (proceed / conditions / stop) | | | |
| Consultation with supervisory authority required? | | | |

## Step 8 — Review schedule

- Next review date: ________________________
- Trigger events that would require an earlier review: ________________
