Essential Fields Every DPIA Template Should Include

Jerisaliant

Author

GDPR Article 35(7): Mandatory Content

Article 35(7) specifies the minimum content a DPIA must include. Your template must have dedicated fields for each of these mandatory elements:

  1. Systematic description of the processing operations and purposes, including legitimate interest where applicable.
  2. Assessment of necessity and proportionality of the processing in relation to the purposes.
  3. Assessment of risks to the rights and freedoms of data subjects.
  4. Measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure protection of personal data.

Processing Description Fields

  • Processing name/title: A clear, descriptive name for the processing activity.
  • Controller/processor details: Who is the data controller? Are processors involved?
  • Purpose of processing: Specific, explicit, and legitimate purposes.
  • Categories of data subjects: Customers, employees, website visitors, children, etc.
  • Categories of personal data: Name, email, IP address, health data, financial data, etc.
  • Data sources: Where is data collected from (directly from subjects, third parties, public sources)?
  • Recipients/sharing: Who receives the data (internal teams, third parties, international transfers)?
  • Retention periods: How long data is kept, with the justification for each period.
  • Data flow diagram: Visual representation of data movements (attachment or embedded).

Legal Basis and Necessity Fields

  • Legal basis: Which Article 6 basis applies (consent, legitimate interest, contract, etc.)?
  • Legitimate interest assessment: If applicable, document the balancing test.
  • Necessity test: Is this processing necessary for the stated purpose?
  • Proportionality: Is the data collection proportionate? Could less data achieve the same result?
  • Data subject rights: How are access, rectification, erasure, portability, and objection rights facilitated?

Risk Assessment Fields

  • Risk register: A table listing each identified risk with description, affected data subjects, and processing step.
  • Likelihood rating: Scale (e.g., 1-5 or Low/Medium/High) with justification.
  • Impact rating: Scale with justification.
  • Overall risk score: Calculated from likelihood and impact.
  • Risk owner: Person responsible for managing each risk.

Mitigation and Safeguards Fields

  • Mitigation measure: Description of each control or safeguard.
  • Measure type: Technical, organizational, or contractual.
  • Implementation status: Planned, in progress, or implemented.
  • Residual risk: Risk level after applying the mitigation.
  • Implementation deadline: When must the measure be in place?
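To show how the risk-assessment and mitigation fields above fit together as a structured register, here is a small Python model. It is an added example, not Jerisaliant's template code, and it makes three assumptions the article does not state: the overall score is likelihood × impact on two 1-5 scales, the bands are Low (≤4), Medium (≤12) and High (>12), and residual risk counts only mitigations already marked implemented, so a planned control does not lower the score yet. The validation function flags the gaps a DPO would send back (missing owner, missing justification, a non-implemented measure with no deadline).

```python
from dataclasses import dataclass, field
from typing import List

# Vocabularies for the "measure type" and "implementation status" fields
MEASURE_TYPES = {"technical", "organisational", "contractual"}
STATUSES = {"planned", "in progress", "implemented"}


def band(score: int) -> str:
    """Map a 1-25 score to a band. Thresholds are this example's assumption."""
    if score <= 4:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


@dataclass
class Mitigation:
    description: str
    measure_type: str          # technical | organisational | contractual
    status: str                # planned | in progress | implemented
    deadline: str              # ISO date; required unless already implemented
    residual_likelihood: int   # 1-5 once the measure is in place
    residual_impact: int       # 1-5 once the measure is in place


@dataclass
class Risk:
    description: str
    affected_subjects: str
    processing_step: str
    likelihood: int            # 1-5
    impact: int                # 1-5
    owner: str                 # risk owner field
    justification: str         # why the ratings were chosen
    mitigations: List[Mitigation] = field(default_factory=list)

    def score(self) -> int:
        """Overall (inherent) risk score, assumed here to be likelihood x impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Residual risk: only implemented measures count; planned ones reduce nothing yet."""
        done = [m for m in self.mitigations if m.status == "implemented"]
        if not done:
            return self.score()
        return min(m.residual_likelihood * m.residual_impact for m in done)


def validate(risk: Risk) -> List[str]:
    """Return the field-level problems a reviewer would send back; empty list means complete."""
    problems = []
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if value not in range(1, 6):
            problems.append(f"{name} {value} outside 1-5 scale")
    if not risk.owner.strip():
        problems.append("risk owner missing")
    if not risk.justification.strip():
        problems.append("rating justification missing")
    for m in risk.mitigations:
        if m.measure_type not in MEASURE_TYPES:
            problems.append(f"unknown measure type '{m.measure_type}'")
        if m.status not in STATUSES:
            problems.append(f"unknown status '{m.status}'")
        if m.status != "implemented" and not m.deadline:
            problems.append(f"'{m.description}' has no implementation deadline")
    return problems


def needs_dpo_escalation(risk: Risk) -> bool:
    """Assumed rule: a High residual score is surfaced to the DPO before sign-off."""
    return band(risk.residual_score()) == "High"


# Constructed sample register; the entries are illustrative, not real data
SAMPLE = [
    Risk("Unauthorised access to health records", "patients", "storage",
         likelihood=3, impact=5, owner="Head of IT",
         justification="Shared admin account; special-category data",
         mitigations=[
             Mitigation("Per-user accounts with MFA", "technical", "implemented",
                        "2024-03-01", 1, 5),
             Mitigation("Quarterly access review", "organisational", "planned",
                        "2024-09-30", 1, 4),
         ]),
    Risk("Marketing vendor retains data beyond contract", "customers", "sharing",
         likelihood=4, impact=3, owner="", justification="",
         mitigations=[Mitigation("DPA with deletion clause", "contractual",
                                 "planned", "", 2, 3)]),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.description}: score {r.score()} ({band(r.score())}), "
              f"residual {r.residual_score()} ({band(r.residual_score())}), "
              f"escalate={needs_dpo_escalation(r)}, problems={validate(r)}")
```

Running the sample shows the point of the residual-risk field: the health-records risk drops from 15 (High) to 5 (Medium) because the MFA control is implemented, while the vendor risk stays at 12 because its only control is still planned, and validate() returns the three gaps that block sign-off on that row.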

Review and Sign-Off Fields

  • DPO opinion: Formal advisory input from the DPO.
  • Decision-maker sign-off: Name, role, date, and decision (proceed, proceed with conditions, do not proceed).
  • Review schedule: Next review date and trigger conditions for ad-hoc reviews.
  • Version history: Record of DPIA versions, changes, and dates.

Jerisaliant provides customizable DPIA templates with all mandatory and recommended fields pre-configured, ensuring compliance with Article 35(7) while allowing organizations to add custom fields for their specific needs.

Ensure DPDPA Compliance Today

Ready to make your business compliant? Run a free gap assessment or talk to our experts.