GDPR · Article 35

The DPIA template that survives EDPB scrutiny.

Free, aligned to Article 35(7) and the EDPB guidelines. Plus the live alternative, for when risk decisions need an audit trail, not a Word document.

Article 35(7)(a–d) · EDPB WP248 aligned · Two worked DPIA examples
When it's mandatory

Two of these triggers, and a DPIA is required.

The EDPB's nine criteria for "high risk" processing. Hit two and Article 35 kicks in. The ICO also publishes a UK list of processing types where a DPIA is mandatory regardless.

Article 35(1) · EDPB Guidelines WP248
EDPB · 9 CRITERIA
High-risk processing triggers
  • Evaluation or scoring
  • Automated decisions with significant effect
  • Systematic monitoring
  • Sensitive or highly personal data
  • Large-scale processing
  • Matching or combining datasets
  • Vulnerable data subjects
  • Innovative use of technology
  • Preventing exercise of a right
Hit 2 or more → DPIA required
Required content

Four questions every DPIA must answer.

Article 35(7) sets the minimum. The template includes every field, structured the way the EDPB and the ICO expect.

Art. 35(7)(a–d)
Article 35(7) elements
Controller obligations:
  • 35(7)(a): Systematic description of processing
  • 35(7)(b): Necessity and proportionality
  • 35(7)(c): Risks to data subjects
  • 35(7)(d): Mitigations and safeguards
90-second screening

Do you actually need a DPIA?

Nine yes/no questions, one per EDPB criterion. Two triggers and it's mandatory.

Nothing leaves your browser. Tally on the last screen.
Method

How to run a DPIA in five steps

From screening through residual risk. Each step maps to a specific Article 35 clause.

Screen first

Run the trigger check above. Document the decision either way. Even "no DPIA needed" is an artefact the ICO can ask for.

Describe the processing

Art. 35(7)(a). What data, what flows, what purposes. Use the linked ROPA entry as the starting point.

Test necessity and proportionality

Art. 35(7)(b). Could the purpose be achieved with less data, less granularity, or shorter retention? If yes, you must do so.

Score the risks

Art. 35(7)(c). Score likelihood against severity for each risk. Score the risk to data subjects, not the risk to the business.

Mitigate and re-score

Art. 35(7)(d). Every mitigation gets an owner and a date. If residual risk stays high, consult the ICO before processing.
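One way to model steps 1, 4 and 5 as a small risk register, added here as an illustration and not code from the template or from ROPAi. The 1-5 likelihood and severity scales, the "high" threshold of 15, and the sample risks are assumptions; only the nine criteria and the two-trigger rule come from the page.

```python
from dataclasses import dataclass, field
from datetime import date
# The nine EDPB WP248 criteria, as listed on this page.
EDPB_CRITERIA = (
    "Evaluation or scoring", "Automated decisions with significant effect",
    "Systematic monitoring", "Sensitive or highly personal data",
    "Large-scale processing", "Matching or combining datasets",
    "Vulnerable data subjects", "Innovative use of technology",
    "Preventing exercise of a right",
)
HIGH_RISK = 15  # assumed threshold: likelihood x severity on 1-5 scales

def dpia_required(answers):
    """Step 1: two or more 'yes' answers across the nine criteria."""
    return sum(bool(answers.get(c)) for c in EDPB_CRITERIA) >= 2

@dataclass
class Mitigation:
    action: str
    owner: str             # every mitigation gets an owner (step 5)...
    due: date              # ...and a due date
    likelihood_cut: int = 0
    severity_cut: int = 0

@dataclass
class Risk:
    harm: str              # harm to data subjects, not to the business (step 4)
    likelihood: int        # assumed scale 1 (remote) .. 5 (almost certain)
    severity: int          # assumed scale 1 (minimal) .. 5 (severe)
    mitigations: list = field(default_factory=list)

    def residual(self):
        """Step 5: re-score after mitigations; neither factor drops below 1."""
        cut_l = sum(m.likelihood_cut for m in self.mitigations)
        cut_s = sum(m.severity_cut for m in self.mitigations)
        return max(1, self.likelihood - cut_l) * max(1, self.severity - cut_s)

def must_consult_ico(risks):
    """Article 36: residual-high risks that block processing until the ICO is consulted."""
    return [r.harm for r in risks if r.residual() >= HIGH_RISK]

def example_register():
    """Constructed sample register: one risk mitigated down, one left high."""
    return [
        Risk("Re-identification from matched datasets", 4, 4,
             [Mitigation("Pseudonymise before matching", "DPO", date(2025, 1, 31), 2, 1)]),
        Risk("Automated refusal with no human review", 4, 5),
    ]
```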

Format choice

Word doc vs. ROPAi

Both meet Article 35. They diverge at the second DPIA, and again at every change.

Capability                        | Word template                            | ROPAi
Meets Article 35(7) minimum       | Yes                                      | Yes
Risk scoring matrix               | Partial: manual table                    | Built-in with residual auto-recalc
Links to ROPA entry               | Manual cross-reference                   | One source of truth
Mitigation tracking               | Partial: bullet list, no owners          | Owners, due dates, reminders
Re-review when processing changes | You have to remember                     | Pulse flags vendor or scope changes
Stakeholder review                | Partial: email threads + tracked changes | Comments and sign-off log
ICO consultation export           | The doc itself                           | PDF + full audit trail
FAQ

Questions DPOs ask before running one

Is a DPIA legally required?
It depends on risk. Article 35 requires a DPIA when processing is likely to result in high risk to data subjects. The EDPB lists 9 criteria; hitting 2 or more usually means yes. The ICO also publishes a UK list of processing types where DPIAs are mandatory regardless.
Who signs off on a DPIA?
The controller. The DPO (where appointed) must be consulted under Article 35(2) and their advice recorded. Final accountability sits with the controller, not the DPO.
What if our DPO disagrees with the business?
Document the disagreement. The DPO's view goes into the DPIA. If the controller proceeds against the DPO's advice, that decision (and the reasoning) becomes part of the audit trail and is itself disclosable.
Does the ICO ask to see DPIAs?
Yes, when relevant. Under Article 36, you must consult the ICO before processing if a DPIA identifies a high residual risk you cannot mitigate. ICO investigations can also request DPIAs at any time as part of an accountability review.

Start with the template. Move to the live workflow when one DPIA isn't enough.

The Word doc gets you compliant for one decision. ROPAi keeps every DPIA current as the processing evolves.