DPIA / PIA Template & Records of Processing Activities (RoPA) – Document Builder 👷♂️

🌍 Jurisdiction & Basics
Country, language, template type, organisation, and assessment dates.

Country *
Options: United States; Australia; Brazil; Canada; China; France; Germany; India; Italy; Japan; Mexico; Netherlands; New Zealand; Nigeria; Russia; Singapore; South Africa; South Korea; Spain; United Arab Emirates; United Kingdom
Language of the completed document *
Options: English; Afrikaans; Arabic; Dutch; French; German; Hindi; Italian; Japanese; Korean; Mandarin Chinese; Russian; Spanish; Zulu
Template Type *
Options: DPIA (GDPR-style); PIA (General); RoPA (Records of Processing Activities); Combined Pack (DPIA + RoPA)
Organisation / Controller Legal Name *
Assessment Title / Project Name *
Assessment Start Date *
Assessment Target Completion Date *

🧾 Processing Overview
Describe the purpose, scope, and systems/vendors involved.

Processing Purpose (why is the data processed?) *
Processing Description (what happens to the data end-to-end?) *
Systems/Apps Involved (comma-separated) *
Is this processing new or a change to existing processing? *
Options: New; Change/Update
If Change/Update: what changed and why?

👥 Roles & Stakeholders
Identify controller(s), processor(s), DPO, and key contacts.

Data Protection Officer (DPO) / Privacy Contact Name
DPO / Privacy Contact Email
Business Owner / Process Owner (name, role, email) *
Key Processor(s) / Vendor(s) (name, role, location) *
Are there joint controllers involved? *
Options: No; Yes
If Yes: list joint controller(s) and responsibilities split (Art. 26 summary)

🗂️ Data Map
Data subjects, personal data categories, special categories, and volume.

Data Subjects *
Options: Customers/End users; Employees; Contractors; Prospects/Leads; Children (under applicable age); Other
If Other data subjects: specify
Personal Data Categories (e.g., contact, identifiers, usage logs) *
Special Category Data (GDPR Art. 9) or Sensitive Data involved? *
Options: No; Yes
If Yes: specify special/sensitive categories and safeguards
Approximate Volume *
Options: Low (<1,000 records); Medium (1,000–100,000); High (>100,000)

⚖️ Legal Basis, Retention & Transfers
Lawful bases, retention, storage locations, and cross-border transfers.

Lawful Basis (select all that apply) *
Options: Consent; Contract necessity; Legal obligation; Vital interests; Public task; Legitimate interests
If Legitimate Interests: describe LI and balancing test summary
Retention Period / Deletion Rule (e.g., 2 years after last activity) *
Primary Storage Location(s) (country/region, cloud provider, data centers if known) *
Cross-border transfers outside the data subject's region? *
Options: No; Yes
If Yes: transfer destinations + mechanism (SCCs/IDTA/BCR/adequacy)

📏 Necessity & Proportionality
Why the processing is necessary; minimisation, access control, transparency.

Why is this processing necessary to achieve the purpose? *
Data minimisation measures (only collect what is needed) *
Transparency/Notices (what do users get told, when, and how?) *
Access controls (who can access; role-based; logging) *

🧨 Risk Assessment
Identify key risks to individuals and rate likelihood/impact.

Key Risks to Data Subjects (list and describe) *
Overall Likelihood *
Options: Low; Medium; High
Overall Impact/Severity *
Options: Low; Medium; High
Is there a high risk requiring consultation (e.g., GDPR Art. 36)? *
Options: No; Yes
If Yes: explain why; proposed consultation steps

🛡️ Measures & Controls
Security and privacy measures to reduce risks (technical & organisational).

Controls Implemented (select all that apply) *
Options: Encryption in transit; Encryption at rest; MFA / strong authentication; Least privilege / RBAC; Audit logging & monitoring; Backups & disaster recovery; Data retention & deletion automation; Vendor due diligence / DPA in place; Incident response plan; Regular security testing; Other
If Other controls: specify
Residual Risk After Controls (summary) *

📚 RoPA (Record of Processing Activities)
Populate the RoPA entries for this processing activity.

Processing Activity Name *
Categories of Recipients (internal, external) *
International Transfers (details)
Technical & Organisational Security Measures (RoPA summary) *

✍️ Approvals, Sign‑Off & Attachments
Approvals, signatures, dates, and uploads.

Final Acknowledgements (must check all) *
Options: Assessment completed in good faith based on available information; Controls listed are implemented or planned as stated; We will update this assessment if processing changes materially
Approver Name / Role *
Approval Date *
Prepared By (name) *
Prepared Date *
Attachments (data maps, policies, vendor docs, etc.)
You can upload up to 10 files.