Free DPIA template — GDPR Article 35.
A ready-to-use Data Protection Impact Assessment template aligned to GDPR Article 35 and ICO guidance. Drop in your project details, fill in the data-categories and risk tables, and you have a board-ready DPIA. No sign-up, no email gate.
What's inside
- Project / processing activity overview (cover sheet + version)
- Description of processing — data categories, subjects, recipients, transfers, retention
- Necessity & proportionality — lawful basis, minimisation, alternatives
- Risks to data subjects — likelihood × severity scoring tables
- Mitigations — technical & organisational measures with residual scores
- Consultation — DPO advice, data subjects (Art. 35(9)), and supervisory authority (Art. 36) if needed
- Sign-off — project owner, DPO, executive sponsor
Why this template?
Most free DPIA templates online are either too thin to satisfy a real regulator review, or so dense they take a half-day just to read. This one threads the needle:
- Tables where reviewers expect tables (data categories, recipients, risk scoring)
- Inline examples in italics so first-time DPIA authors aren't guessing
- Sign-off block at the end with the three roles every supervisory authority looks for
- Aligned to GDPR Article 35 + the ICO's published criteria, not bespoke
Tired of filling in DPIA templates by hand?
PrivacyAutomated.ai drafts the entire DPIA from a one-paragraph project description — grounded in your team's policies, approved-vendor inventory, and the relevant regulation. Review, edit, sign off in the same UI. Free 14-day trial.
DPIA FAQ
When is a DPIA required under GDPR?
A DPIA is mandatory under GDPR Article 35(1) whenever processing is "likely to result in a high risk to the rights and freedoms of natural persons", and it must be carried out before the processing starts, not retrofitted afterwards. Article 35(3) names three cases where a DPIA is always required: a systematic and extensive evaluation of personal aspects based on automated processing (including profiling) that produces legal or similarly significant effects; large-scale processing of special-category data (Article 9) or criminal-conviction data (Article 10); and systematic monitoring of a publicly accessible area on a large scale. Beyond those three, the EDPB's DPIA guidelines set out nine criteria (evaluation or scoring, new technology, data of vulnerable subjects, and so on), and under Article 35(4) each supervisory authority publishes its own list of operations that require a DPIA. Check the list for your jurisdiction before assuming a DPIA isn't required; the ICO's list, for example, goes well beyond the Article 35(3) cases.
Who should fill in a DPIA?
The controller is responsible: Article 35(1) places the obligation on the controller, and Article 35(2) only requires the controller to seek the DPO's advice where one has been designated. In practice, the project owner drafts the DPIA with input from the DPO, legal, security, and the business owner of the processing activity. The DPO advises and monitors the DPIA (Article 39(1)(c)) but does not own it, and the DPO's advice, and whether it was followed, should be recorded in the consultation section.
Can I edit this DPIA template freely?
Yes. The template is free to use and modify for any purpose — internal, client-facing, or commercial. Attribution is appreciated but not required. The structure aligns to GDPR Article 35 and ICO guidance so customising it for sector-specific risks (healthcare, financial services, public sector) is straightforward.
What's the difference between a DPIA and a PIA?
PIA (Privacy Impact Assessment) is the broader term used historically and in non-EU jurisdictions (Canada, Australia, US federal agencies under the E-Government Act and sectoral law). DPIA is the GDPR-specific instantiation under Article 35, with prescribed minimum content (Article 35(7): description of the processing, necessity and proportionality, risks to data subjects, and the measures to address them) and consultation requirements (DPO advice, data subjects' views where appropriate, and prior consultation with the supervisory authority under Article 36 when residual risk stays high). The template here is structured as a GDPR DPIA but is easily adapted as a PIA; the substantive sections are the same, and only the references to specific articles change.