Title Page
- Prepared by
- Conducted on
Company Name
Steps 1-4 of DPIA
Submitting controller details
- Name of controller
- Subject/title of DPO
Step 1: Identify the need for a DPIA
- Explain broadly what the project aims to achieve and what type of processing it involves.
- Summarise why you identified the need for a DPIA.
Step 2: Describe the processing
Describe the nature of the processing:
- How will you collect, use, store and delete data?
- What is the source of the data?
- Will you be sharing data with anyone?
- What types of processing (identified as likely high risk) are involved?
Describe the scope of processing:
- What is the nature of the data, and does it include special category data?
- How much data will you be collecting and using?
- How often?
- How long will you keep it?
- How many individuals are affected?
- What geographical area does it cover?
Describe the context of the processing:
- What is the nature of your relationship with the individuals?
- How much control will they have?
- Would they expect you to use their data in this way?
- Are there prior concerns over this type of processing or security flaws?
- What is the current state of technology in this area?
- Are there any current issues of public concern that you should factor in?
- Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
Describe the purposes of the processing:
- What do you want to achieve? What is the intended effect on individuals?
- What are the benefits of the processing – for you, and more broadly?
Step 3: Consultation process
- Describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so.
- Who else do you need to involve within your organisation?
- Do you need to ask your processors to assist?
- Do you plan to consult information security experts, or any other experts?
Step 4: Assess necessity and proportionality
- What is your lawful basis for processing?
- Does the processing actually achieve your purpose?
- Is there another way to achieve the same outcome?
- How will you prevent function creep?
- How will you ensure data quality and data minimisation?
- What information will you give individuals?
- How will you help to support their rights?
- What measures do you take to ensure processors comply?
Steps 5-6 of DPIA
Step 5: Identify and assess risks
- Risk
- Describe the source of risk and the nature of the potential impact on individuals. Include associated compliance and corporate risks as necessary.
- Likelihood of harm
- Severity of harm
- Overall risk
Step 6: Identify measures to reduce risk
- Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5.
Measure to Reduce Risk
- Risk
- Options to reduce or eliminate risk
- Effect on risk
- Residual risk
- Measure approved
Step 7 of DPIA
Step 7: Sign off and record outcomes
Measures approved by:
- Name and Signature
- Position
- Integrate actions back into the project plan, with date and responsibility for completion.
Residual risks approved by:
- Name and Signature
- Position
- If accepting any residual high risk, consult the ICO before going ahead.
DPO advice provided:
- Name and Signature
- Position
- The DPO should advise on compliance, step 6 measures and whether processing can proceed.
- Summary of DPO advice
DPO advice accepted or overruled by:
- Name and Signature
- Position
- If overruled, you must explain your reasons.
Consultation responses reviewed by:
- Name and Signature
- Position
- If your decision departs from individuals’ views, you must explain your reasons.
This DPIA will be kept under review by:
- Name and Signature
- Position
- The DPO should also review ongoing compliance with the DPIA.