DPIA Template

This template is an example of how you can record the DPIA process and results. You can start to fill in details from the beginning of the project, after the screening questions have identified the need for a DPIA. You can adapt the process and this template to produce something that allows your organisation to conduct effective DPIAs integrated with your project management processes.

Step one: Identify the need for a DPIA

  • Explain what the project aims to achieve, what the benefits will be to the organisation, to the individuals and to other parties.
  • You may find it helpful to link to other relevant documents related to the project, for example a project proposal.
  • Also summarise why the need for a DPIA was identified (this can draw on your answers to the screening questions below).

1. Will the project involve the collection of new information about individuals?

2. Will the project compel individuals to provide information about themselves?

3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?

4. Are you, or will you be, using information about individuals for a purpose for which it is not currently used, or in a way it is not currently used?

5. Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics, facial recognition or profiling.

6. Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?

7. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records, other special category data, or other information that people would consider to be private.

8. Will the project require you to contact individuals in ways that they may find intrusive?

Step two: Describe the information flows

  • You should describe the collection, use and deletion of personal data here.
  • It may also be useful to refer to a flow diagram or another way of explaining data flows.
  • You should also say how many individuals are likely to be affected by the project.

Step three: Consultation requirements

  • Explain what practical steps you will take to ensure that you identify and address data protection risks.
  • Who should be consulted internally and externally?
  • How will you carry out the consultation?
  • You should link this to the relevant stage of your project management process.
  • You may use consultation at any stage of the DPIA process.

Step four: Identify the data protection and related risks

  • Identify the key data protection risks and the associated compliance and corporate risks.
  • Larger scale DPIAs might record this information on a more formal register.
  • Answer the questions below to ensure compliance with the seven data protection principles.

PRINCIPLE 1: Lawfulness, Fairness and Transparency

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

1. Have you identified the purpose of the project?

2. How will you tell individuals about the use of their personal data?

3. Do you need to amend your data protection notices?

4. Have you established which conditions for processing apply?

5. If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?

PRINCIPLE 2: Purpose Limitation

Personal data must not be collected except for a specific, explicit and legitimate purpose, and once collected must not be further processed in a manner incompatible with the purpose for which it was collected.

1. Does your project plan cover all of the purposes for processing personal data?

2. Have you identified potential new purposes as the scope of the project expands?

3. Have you ensured that an appropriate review is undertaken when future changes to the processing are planned?

PRINCIPLE 3: Minimisation

Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.

1. Is the quality of the information good enough for the purposes for which it is used?

2. Which personal data could you not use, without compromising the needs of the project?

PRINCIPLE 4: Accuracy

Personal data processed must be accurate and where applicable, kept up to date, and reasonable steps must be taken to ensure that personal data that is inaccurate (having regard to the purpose for which it is processed) is erased or corrected without delay.

1. If you are procuring new software does it allow you to amend personal data when necessary?

2. How are you ensuring that personal data obtained from individuals or other organisations is accurate?

3. Who do you direct data subjects to for queries around accuracy?

4. How well is that person supported to meet those obligations promptly and effectively?

PRINCIPLE 5: Storage Limitation

Personal data must not be kept in a form that permits identification of the data subject any longer than is necessary for the purpose for which it is processed.

1. What retention periods are required for the personal data you will be processing?

2. Are you procuring software that will allow you to delete information in line with your retention periods?

3. Does this delete all personal data or remove identifying features, retaining the information for other purposes such as statistics?

4. If identifying features are removed, does that prevent identification in all cases?
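The last two questions are the ones most often answered wrongly: removing names and e-mail addresses is pseudonymisation, not anonymisation, because the remaining fields (postcode, date of birth, sex) can still single out a person and be linked back to a named list. The following is an added example, not part of this template, showing the check a practitioner can run on an extract before treating it as anonymised. All records, field names and the "public" reference list are constructed for illustration; no real dataset is involved.

```python
"""
Re-identification check for a de-identified extract.

Added example; it is not part of the DPIA template. All records, field
names and the "public" reference list below are constructed for
illustration (assumed data, not a real dataset).
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed extract: 'name' and 'email' have already been removed so the
# data can be retained "for statistics". What remains are quasi-identifiers
# (postcode sector, birth year, sex) plus a sensitive attribute.
RECORDS: List[Record] = [
    {"postcode": "SW1A 1", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 1", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "SW1A 2", "birth_year": 1990, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 2", "birth_year": 1990, "sex": "F", "diagnosis": "hypertension"},
    {"postcode": "SW1A 2", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "SW1A 1", "birth_year": 1984, "sex": "F", "diagnosis": "hypertension"},
    {"postcode": "E1 6",   "birth_year": 1971, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "SW1A 2", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS: Tuple[str, ...] = ("postcode", "birth_year", "sex")

# Constructed "public" list an attacker could hold (a marketing list or
# social-media profiles, say): names with the same quasi-identifiers.
PUBLIC_LIST: List[Record] = [
    {"name": "Alex Example", "postcode": "SW1A 1", "birth_year": 1984, "sex": "M"},
    {"name": "Sam Sample",   "postcode": "E1 6",   "birth_year": 1971, "sex": "M"},
    {"name": "Pat Person",   "postcode": "SW1A 2", "birth_year": 1990, "sex": "F"},
]


def qid_key(record: Record, qids: Sequence[str]) -> Tuple[object, ...]:
    """The quasi-identifier combination that places a record in an equivalence class."""
    return tuple(record[q] for q in qids)


def k_anonymity(records: Iterable[Record], qids: Sequence[str]) -> int:
    """Smallest equivalence-class size (the k of k-anonymity). k == 1 means
    at least one record is unique on its quasi-identifiers; 0 for no records."""
    counts = Counter(qid_key(r, qids) for r in records)
    return min(counts.values()) if counts else 0


def unique_records(records: Sequence[Record], qids: Sequence[str]) -> List[Record]:
    """Records that are alone in their equivalence class (directly re-identifiable)."""
    counts = Counter(qid_key(r, qids) for r in records)
    return [r for r in records if counts[qid_key(r, qids)] == 1]


def link_public_list(public: Iterable[Record], records: Sequence[Record],
                     qids: Sequence[str], sensitive: str) -> Dict[str, object]:
    """Linkage attack: join the public list to the extract on the
    quasi-identifiers. A name is re-identified only when exactly one record
    matches, so the sensitive value can be attributed with certainty."""
    by_key: Dict[Tuple[object, ...], List[Record]] = {}
    for r in records:
        by_key.setdefault(qid_key(r, qids), []).append(r)
    found: Dict[str, object] = {}
    for p in public:
        matches = by_key.get(qid_key(p, qids), [])
        if len(matches) == 1:
            found[str(p["name"])] = matches[0][sensitive]
    return found


def generalise(record: Record) -> Record:
    """Coarsen the quasi-identifiers: outward postcode only, birth decade,
    sex dropped. The sensitive attribute is kept for the statistics."""
    return {
        "postcode": str(record["postcode"]).split()[0],
        "birth_decade": int(record["birth_year"]) // 10 * 10,
        "diagnosis": record["diagnosis"],
    }


GENERALISED_QIDS: Tuple[str, ...] = ("postcode", "birth_decade")


def suppress_small_classes(records: Sequence[Record], qids: Sequence[str],
                           k_min: int) -> List[Record]:
    """Drop records whose equivalence class is smaller than k_min. Outliers
    that generalisation cannot hide must be suppressed, not released."""
    counts = Counter(qid_key(r, qids) for r in records)
    return [r for r in records if counts[qid_key(r, qids)] >= k_min]


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("re-identified via public list:",
          link_public_list(PUBLIC_LIST, RECORDS, QUASI_IDENTIFIERS, "diagnosis"))
    coarse = [generalise(r) for r in RECORDS]
    print("k after generalisation only:", k_anonymity(coarse, GENERALISED_QIDS))
    released = suppress_small_classes(coarse, GENERALISED_QIDS, k_min=2)
    print("k after suppression:", k_anonymity(released, GENERALISED_QIDS),
          "records released:", len(released))
```

On the constructed data the extract has k = 1 with names removed: three records are unique on postcode, birth year and sex, and two of the three people on the public list are linked to a diagnosis. Generalising the postcode and birth year still leaves one outlier unique, so the record has to be suppressed before the extract can honestly be described as not permitting identification. Record the chosen k, the generalisation rules and the suppression count in the DPIA, and re-run the check whenever a new field is added to the retained data.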

PRINCIPLE 6: Integrity and Confidentiality

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

1. Have you reviewed and documented the security of all personal data intended to be processed?

2. Do any new systems provide protection against the security risks you have identified?

3. What training and instructions are necessary to ensure that staff know how to operate a new system securely?

PRINCIPLE 7: Accountability

The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

1. Have you documented all your personal data processing and associated compliance?

2. Do you ensure that this documentation is regularly reviewed?

3. Are these records available to all relevant staff including senior management/board members?