[Updated! Originally published 2017 September 9]
There is a ton of free material in the Internet describing the Data Privacy Impact Assessments (DPIA) process. Some fine examples include:
- UK ICO's "Conducting Privacy Impact Assessment- Code of Practice
- Article 29 Data Protection Working Party's "Guidelines on Data Protection Impact Assessment (DPIA)
- France's CNIL's PIA Manual 1 - Methodology (how to carry out a PIA); PIA Manual 2 - Tools (templates and knowledge bases), and PIA Manual 3 - Good Practices
When I actually tried to perform my first DPIA (also called "Data Protection Impact Assessments"), I struggled because the templates were not particularly intuitive. I searched for real-world examples of DPIAs...and found nothing. I looked for templates that were comprehensive and straightforward...and found none.
Even the three different versions of a DPIA template I received from IT Governance as part of a GDPR class and a document template kit left me wanting.
There was a total lack of practical examples.
The fix? I decided to roll my own:
- Begged, borrowed and stole ideas from various DPIA forms and spreadsheets.
- I built a more detailed revised template that forces to privacy practitioner to not forget anything
- I tested the template as both a data controller and as a data processor, making many revisions
- I consulted with colleagues and GDPR experts to resolve issues.
- Pretty colors were added.
- I was formatted to print.
- And I learned more about the GDPR than I ever expected.
DPIA TemplateI'll continue revising this template. Feel free to comment on where it needs to be improved! When I release a new version, I'll update the article date and link:
- Current version: Data Protection Impact Assessment Template (version 2018 Oct 30)
- Original version: Data Protection Impact Assessment Template (version 2017 Sep 9)
Examples of Completed DPIAsI've created a couple examples of completed DPIAs. They are both based on several real DPIAs that I've combined and edited to ensure there were examples of risks to be mitigated.
Example of a DPIA by a Data ControllerI choose a very common scope that's familiar to every organization: Maintaining Human Resources employee data.
- Example DPIA for maintaining human resources employee data (PDF)
- Data mapping for maintaining human resources employee data (PDF)
Example of a DPIA by a Data ProcessorInterestingly, many of the questions that need to be answered in a DPIA are Data Controller-specific and don't apply to a Data Processor. But the Data Processor is still responsible for helping the Data Controller comply with the GDPR. For Controller-only questions, I suggest you comment on how you, as Data Processor, are going to help the Data Controller.
- Example DPIA for a SaaS-based labor scheduling product (PDF)
- Example data mapping for SaaS-based labor scheduling product (PDF)
Have at it!
If you have recommended modifications or translate into another language, let me know - I'm happy to post variations or update my version with your suggestions.
Thanks! Great work!ReplyDelete
Thanks! Great templateReplyDelete
Thanks for making this available. I was on the same quest.ReplyDelete
Hi Mike, Can you please explain how you developed your Risk to rights and freedoms of data subjects calculation on the Risks tab? Did you develop the 1-3 score, or is that an industry standard. Thanks!ReplyDelete
Hi John - my apologies: I somehow missed (for months!) your question. Answer: The 0-3 score is simply what I choose rather than 1-3 or 1-5 or any other scoring. There is no industry standard: I just choose what felt easiest for me. You can change the formulas to anything you want - feel free!Delete
Congrats, Mike, and thank you for sharing.ReplyDelete
Thank you - very helpful and well constructedReplyDelete