DPIA Template - Data Protection Impact Assessment

Published on September 28, 2025 by Claudio Teixeira

A bare minimum DPIA template that meets GDPR Article 35 compliance requirements for data protection impact assessments.

Based on the legal requirements from GDPR Article 35 and supervisory authority guidance, here's the bare minimum DPIA template that meets compliance standards:

Data Protection Impact Assessment (DPIA)

Project Name: [Enter name]
Date: [Date]
Conducted by: [Name, role]
DPO Consulted: [Yes/No - Name if required]

DPIA Roles and Responsibilities


1. Processing Description

Purpose of processing:

  • Primary objective: [Describe main purpose]
  • Legal basis (GDPR Art. 6): [Specify basis]
  • Special category data basis (Art. 9): [Specify basis]

Processing operations:

  • Data collected: [List personal data categories]
  • Data sources: [Where data comes from]
  • Recipients: [Who receives the data]
  • Retention period: [How long data is kept]
  • Automated decision-making: [Yes/No - describe if yes]

Data subjects:

  • Who: [Categories of individuals]
  • Number: [Approximate volume]
  • Vulnerable groups: [Children, etc. if applicable]

2. Necessity & Proportionality

Is processing necessary?

  • Yes - Justification: [Explain why necessary]
  • No - Alternative: [Describe alternatives]

Is processing proportionate?

  • Benefits: [List benefits]
  • Impact: [Describe impact]
  • Data minimization: [How data is minimized]
  • Conclusion: [Proportionate/disproportionate]

3. Risk Assessment

Risk | Description        | Likelihood   | Severity     | Overall
1    | [Risk description] | Low/Med/High | Low/Med/High | Low/Med/High
2    | [Risk description] | Low/Med/High | Low/Med/High | Low/Med/High
3    | [Risk description] | Low/Med/High | Low/Med/High | Low/Med/High

Add additional risks as needed

4. Risk Mitigation Measures

Risk | Mitigation Measure | Status       | Responsible | Date
1    | [Specific measure] | Planned/Done | [Name]      | [Date]
2    | [Specific measure] | Planned/Done | [Name]      | [Date]
3    | [Specific measure] | Planned/Done | [Name]      | [Date]

Additional Safeguards:

  • Technical: [List key technical safeguards]
  • Organizational: [List key organizational safeguards]

5. Consultation & Review

Stakeholder Consultation:

  • DPO: [Name, date, outcome]
  • Others: [Names, roles, outcome]

Ongoing Monitoring:

  • Review schedule: [When DPIA will be reviewed]
  • Monitoring measures: [How risks will be monitored]

6. Conclusion

Residual Risk Assessment:

  • Final risk level: [Low/Medium/High]
  • Justification: [Explain final assessment]

Decision:

  • Proceed as assessed
  • Proceed with additional safeguards
  • Consult supervisory authority
  • Do not proceed

Approved by: [Name, signature, date]

Next review: [Date]


Document version: 1.0
Last updated: [Date]


This template covers the four mandatory elements required by GDPR Article 35:

  1. ✅ Systematic description of processing operations and purposes
  2. ✅ Assessment of necessity and proportionality
  3. ✅ Assessment of risks to data subject rights and freedoms
  4. ✅ Measures to address risks including safeguards and security measures

This bare minimum version removes optional sections while maintaining full legal compliance with GDPR requirements.

Who Should Conduct a DPIA? A Collaborative Approach

The Short Answer: It's a Team Sport, Led by the Customer

The ultimate legal responsibility for conducting and signing off on a DPIA lies with the Data Controller. In a typical agency-client relationship:

Your Customer is the Data Controller: They determine the purposes and means of the processing. They are the ones who want the product and define its goals. They own the legal risk and the final accountability for the DPIA.

Your Software Agency is the Data Processor: You process the data on behalf of and under the instruction of the controller. Your legal duty under GDPR (Article 28) is to assist the controller in fulfilling their obligations, which includes providing all necessary information for the DPIA.

Therefore, the correct answer is: The customer leads the process, and key people from your agency (like the CTO) are mandatory contributors. It cannot be done by an external lawyer in isolation, nor can it be done by the CTO alone.

Who Writes Which Part? A Collaborative Breakdown

Let's map the roles to the sections of this DPIA template. This shows why it must be a team effort.

Role | Primary Responsibility | Contribution to the DPIA Template
The Customer (CEO, Product Owner) | The "Why" - Business Justification | Section 1.1: Defines the Purpose of processing. Section 2: Justifies Necessity and Proportionality from a business perspective. Section 6: Makes the final Decision to proceed.
The Technical Lead (Your CTO / VP Eng) | The "How" - Technical Implementation | Section 1.1: Details Processing operations, Data collected, Data sources, Recipients, Retention period, and Automated decision-making. Section 4: Lists the specific Technical and Organizational Measures to mitigate risks.
The Legal Expert (External Lawyer / DPO) | The "If" - Legal Compliance & Risk | Section 1.1: Confirms the Legal basis (Art. 6 & 9). Section 3: Leads the Risk Assessment, identifying risks to individuals' rights and freedoms. Sections 5 & 6: Advises on Consultation and the Residual Risk.

As you can see, if any one of these three people tries to do it alone, the DPIA will have critical gaps:

  • Lawyer alone: Won't know the technical safeguards or data flows. The document will be legally sound but factually inaccurate.
  • CTO alone: Can describe the system perfectly but cannot make the legal assessment of necessity, proportionality, or risk to human rights.
  • CEO alone: Knows the business goal but understands neither the technical details nor the legal risks.

Answering Your Specific Questions

1. Does the person need to be technical?

Yes, absolutely. The team conducting the DPIA must include someone with deep technical knowledge of the system. Your CTO or a lead engineer is non-negotiable. They are the only ones who can accurately describe the data flows, security measures, databases, APIs, and retention logic required for Sections 1 and 4 of the template. A non-technical person attempting to fill this out will produce a fictional and non-compliant document.

2. Should it be 2 persons?

At a minimum, yes, but ideally three.

  • The Essential Duo: The most effective pairing is a Technical Lead (your CTO) and a Legal/Compliance Lead (the customer's DPO or external lawyer). The CTO explains what the system does, and the lawyer assesses if it should.
  • The Ideal Trio: Adding the Business Owner (the customer's CEO or Product Manager) completes the picture. They provide the "why," which is essential for assessing necessity and proportionality.

A Practical Workflow for Your Agency

  1. Project Kickoff: When a new project starts, your first question should be, "Does this processing require a DPIA?" (e.g., involves AI, large-scale data, sensitive data, etc.).

  2. Clarify Roles Immediately: In your statement of work or initial meetings, state clearly: "As the Data Processor, we will provide all necessary technical information to assist you, the Data Controller, in completing your Data Protection Impact Assessment."

  3. Schedule a DPIA Workshop: Get the three key roles (Customer's Business Lead, Customer's Legal/DPO, Your Technical Lead) in a room (or video call).

  4. Collaborate on the Document: Use this template on a shared screen.

    • Your CTO explains the architecture and data flows.
    • The lawyer asks probing questions about risks and legal basis.
    • The business owner justifies why the processing is essential for their goals.

  5. Sign-off: The customer (Data Controller) formally signs and accepts the final DPIA. Your agency should keep a copy as proof of your assistance.

Conclusion: Don't ask "who writes it?" Instead, form a cross-functional team led by your customer. Your role as the agency is to be the indispensable technical expert in that team.