



By now, you should have a firm grasp on what a DPIA is and whether or not you might benefit from conducting one. Now you're looking for a free DPIA template so you can make your own, and this is where we can help.
In this article, you will find three DPIA templates: one from the UK's ICO, one from the CNIL (the French DPA), and one from the Office of the Information and Privacy Commissioner of British Columbia, Canada. All three are published by the authorities that enforce the rules, so the templates can be relied on.
A template is only useful if you know how to complete it. So, let's go over each one, section by section, and see what you'll need to provide and how to produce it. Knowing which data to account for and what to include in your assessment makes the process much simpler.
The ICO, or Information Commissioner's Office, is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO publishes a sample DPIA template that you can fill out to meet your business's DPIA requirements. The assessment is completed in seven steps.
Here you need to determine:
Begin by explaining your project, website, or app and what it is meant to provide to users. For example, if you offer a fitness tracking app that connects to a smartwatch and tracks various health parameters, you must describe that in detail.
Then, describe the data processing involved. Does the app only read a heart rate monitor, or does it also track the user's location to count how many steps they take during the day? How does a user create an account? What information does the user need to give?
Lastly, explain why you think that the way the data is being processed might make it necessary to do a DPIA. As we explained in another article, the DPIA triggers include:
In the case of the fitness app, the triggers are the processing of health data (a special category of personal data under the GDPR) and the tracking of geolocation. If you handle data of this kind, a DPIA is not optional.
The second step requires you to describe the processing itself: its nature, scope, context, and purposes.
This is a very important step. Completing it gives you the big picture of your data processing and of where the risks lie. It is recommended to use a flowchart to illustrate the data flow and make the process easier to understand.
In this section, describe the following:
Describing the scope of processing means describing the following:
Determine the context of processing by answering the following questions:
Finally, you need to explain why you need to process personal data. The ICO recommends answering the following questions:
In the case of the fitness app, it's not enough to simply promise the user useful insights about their activities and health. You need to explain that:
If you will be handling sensitive data, as the DPIA triggers indicate, you should seek the views of a wide range of interested stakeholders before finalizing the assessment.
These stakeholders may include:
The fourth step of a DPIA is to assess necessity and proportionality: can the same goals be achieved with no personal data processing at all, or with significantly less of it?
You'll get the answer by delving into the following questions:
Working through these questions tells you whether the data you're collecting is truly needed to achieve your goals. If you conclude that the processing is necessary and proportionate, proceed to the next step.
By now, you should have a firm grasp on why, what, and how data is collected, processed, and deleted. This overview paints a clear picture of the risks inherent in the processing. This is the step where you identify those risks and determine how serious each one is.
The ICO proposes to assess risks by determining:
Here, you spell out exactly what steps you'll take to mitigate each risk you identified. The table you'll need to complete has five columns, and you should fill them in as follows:
The DPIA is finalized with the signatures of all parties involved. This includes the DPO, the approver for the risk-reducing measures, and anyone else who had a hand in creating the DPIA.
The French data protection agency (CNIL) offers a free PIA template and guidance on how to fill it out. This section summarizes the procedure in a way that is easy to understand so that you may carry it out on your own.
The free template provided by the CNIL is a more comprehensive privacy impact assessment than that provided by the ICO. It asks a lot of questions, the answers to which will help you fill out the template. The following sections will give you a general idea of the questions and how they guide the process.
The first step is to provide some basic information about your company and your data processing activities.
The template starts with a form where you fill in your details. You also need to give details about any industry standards that apply to your processing, if any. The financial and medical sectors, for example, have to meet stricter security regulations. Don't forget to include them here.
In this section, you will make a map of your data flow. Making a flowchart would be a huge help. Here's where you need to get as specific as you can, as a high-level overview won't get you very far in terms of identifying possible risks.
Next, you should verify that your processing activities conform to the most fundamental principles for data protection.
The forms in this section require you to determine:
You might need to leave some fields blank (or write N/A) sometimes. There are a lot of fields and questions in the template that might not apply to your processing.
The CNIL has a list of what you can do to protect the rights of the people whose information you have. The free PIA template has a list of activities and asks you to decide whether to perform some of them or not. By answering these questions, you'll get an idea of what you already do to protect their rights and what you could do to do a better job.
The list is comprehensive. It has ways to tell people about their rights, ways to control data privacy, information about international data transfers, and other topics.
The third section examines the security risks of the data processing. It is split into two parts: an assessment of existing security controls and a list of possible privacy breaches.
This subsection asks you to assess how well you implement a list of security controls, such as encryption, anonymization, logical access control, logging, archiving, and so on.
Again, the free CNIL PIA template makes it easy for you to make the assessment by yourself because the questions give you an idea of what you could implement to protect your users’ data.
For each measure, you must evaluate:
There are instructions on how to fill out the form fields in the template itself. For example, when you evaluate how you use backups, you have to explain how they are managed and where they are kept. You won't have to second-guess yourself on whether or not you've completed this part correctly.
Both technical controls and organizational controls are covered by the template.
The template shows three main risks:
For each of these, you need to identify the risk sources, estimate the likelihood that the event will occur, rate its severity and impact on the people concerned, and state the measures that protect against it.
You also need to determine whether your current controls are appropriate for the risks, how they could be improved, and what residual risk remains.
In the last section, you'll go over the whole PIA again to compile a list of all the controls you have in place to meet the GDPR.
Then you'll use the risk mapping matrix to review the risks. At this point you'll know exactly what your risks are and how to reduce them.
The PIA will then be signed by the concerned parties.
The third and final free PIA template we want to present to you has been created by the Office of the Information and Privacy Commissioner of British Columbia, Canada. The OIPC BC is the primary agency in charge of monitoring compliance with British Columbia's Personal Information Protection Act (PIPA).
It looks much like the first two templates, which shouldn't be a surprise: the privacy principles underlying PIPA overlap heavily with those of the GDPR.
The document can be downloaded in MS Word format. The OIPC BC has also given instructions on how to fill it out, which we'll sum up here.
This template is made up of seven parts. Before getting into the sections, it starts with an overview called the Executive Summary. The PIA should be completed before the Executive Summary is written so that all relevant data is available.
Establishing who you are as a company is the first step. The PIA's author must also be disclosed. They will be a great resource for the Office of the Information and Privacy Commissioner if they have any questions about the document.
This part should also contain the following:
Now comes the description of the processing itself. Here, you have to give a clear account of how your processing works before assessing the risks involved.
Specify what kinds of personal data you collect and on what basis you do so. You must make it clear whether or not you are relying on consent in order to comply with the BC PIPA.
If you rely on consent, you should also make it clear what will happen if the user decides to withdraw it, including whether or not they will continue to receive the products and services.
In cases where explicit consent is needed, you should also specify the type of consent notice that will be used.
After you have figured out how to collect data and send out notifications, you should make a data inventory and a data flow diagram. These should contain the following:
Information and instructions on how to make the flowchart are included in the template. If you are familiar with your procedures, figuring it out shouldn't be that difficult.
Once you have the data inventory, you can proceed to assessing the security of data.
In this part of the template, you have to make a list of all the physical, technical, and organizational steps you're taking to reduce the risks of data processing.
You need to make a list of all your risks and the security measures you already have. If there are any gaps, you need to figure out how to fix them.
Appendix A of the template has a table with a long list of possible risks and ways to deal with them. Start there, and feel free to add any risks and steps that you think are right for your situation. Don't forget to explain how you'll check compliance in the future.
The security section of this template is much shorter than the corresponding sections of the other two templates.
In the fourth section, you'll look at how PIPA rights can be exercised by your users. You must answer the questions below:
You will only fill out this part if the Privacy Officer has anything to say about the PIA. If there are no such comments, it will stay blank.
This section is in the template, but it's not clear what it should contain. The guidelines point to a linked collection of supporting documents, so you may want to look through them and decide whether any are relevant to your PIA.
The PIA will be signed by responsible parties here.
Not everyone knows how to do a Data Protection Impact Assessment. If you feel overwhelmed at the moment, that feeling will pass. You can start from scratch, or use one of the templates as a guide.
Once you have the data inventory, the possible risks will become apparent, and you can move forward with confidence. Because data processing differs so much from one business to the next, there is no single DPIA template that fits everyone.
If you've made it this far, you clearly care about your users' privacy, and you know that conducting a PIA is good practice. Keep heading in that direction.