[Updated! Originally published 2017 September 9]
There is a ton of free material on the Internet describing the Data Privacy Impact Assessment (DPIA) process. Some fine examples include:
- UK ICO's "Conducting Privacy Impact Assessments: Code of Practice"
- Article 29 Data Protection Working Party's "Guidelines on Data Protection Impact Assessment (DPIA)"
- The French CNIL's PIA Manual 1 - Methodology (how to carry out a PIA), PIA Manual 2 - Tools (templates and knowledge bases), and PIA Manual 3 - Good Practices
When I actually tried to perform my first DPIA (also called a "Data Protection Impact Assessment"), I struggled because the templates were not particularly intuitive. I searched for real-world examples of DPIAs and found nothing. I looked for templates that were comprehensive and straightforward and found none.
Even the three different versions of a DPIA template I received from IT Governance as part of a GDPR class and a document template kit left me wanting.
There was a total lack of practical examples.
The fix? I decided to roll my own:
- I begged, borrowed and stole ideas from various DPIA forms and spreadsheets.
- I built a more detailed, revised template that forces the privacy practitioner not to forget anything.
- I tested the template as both a data controller and as a data processor, making many revisions.
- I consulted with colleagues and GDPR experts to resolve issues.
- Pretty colors were added.
- It was formatted to print.
- And I learned more about the GDPR than I ever expected.
DPIA Template
I'll continue revising this template. Feel free to comment on where it needs to be improved! When I release a new version, I'll update the article date and link:
- Current version: Data Protection Impact Assessment Template (version 2018 Oct 30)
- Original version: Data Protection Impact Assessment Template (version 2017 Sep 9)
Examples of Completed DPIAs
I've created a couple of examples of completed DPIAs. They are both based on several real DPIAs that I've combined and edited to ensure there were examples of risks to be mitigated.
Example of a DPIA by a Data Controller
I chose a very common scope that's familiar to every organization: maintaining human resources employee data.
- Example DPIA for maintaining human resources employee data (PDF)
- Data mapping for maintaining human resources employee data (PDF)
Example of a DPIA by a Data Processor
Interestingly, many of the questions that need to be answered in a DPIA are Data Controller-specific and don't apply to a Data Processor. But the Data Processor is still responsible for helping the Data Controller comply with the GDPR. For Controller-only questions, I suggest you comment on how you, as Data Processor, are going to help the Data Controller.
- Example DPIA for a SaaS-based labor scheduling product (PDF)
- Example data mapping for SaaS-based labor scheduling product (PDF)
Have at it!
If you have recommended modifications or translate the template into another language, let me know. I'm happy to post variations or update my version with your suggestions.