30 Days Gen AI Risk Trial -Start Now
Book a demo
Free Template · GDPR & Privacy

AI Data Protection Impact Assessment (DPIA) TemplateAssess AI Processing Before It Goes Live

AI projects trigger GDPR Article 35 more often than almost any other kind of processing: model training on personal data, automated decisions, systematic monitoring, RAG over personal data stores. This template gives you a complete AI-specific DPIA: a screening checklist built on the EDPB criteria, a processing description shaped around training and inference, a pre-seeded risk register, and the consultation and sign-off records a supervisory authority expects to see.

When an AI Project Needs a DPIA

A DPIA is mandatory when processing is likely to result in a high risk to individuals. Three GDPR Article 35(3) cases always require one, and under the EDPB guidelines a DPIA is required when two or more of nine risk criteria are met. These AI patterns are where projects most often cross the line.

Always required under Article 35(3)
A
Systematic and extensive evaluation with significant effects
Automated processing, including profiling, that feeds decisions with legal or similarly significant effects: AI candidate screening, credit scoring, benefit eligibility.
B
Large-scale processing of special category data
Training or running AI on health, biometric, or other Article 9 data at scale, such as clinical triage chatbots or biometric identification.
C
Systematic monitoring of publicly accessible areas
Large-scale AI video analytics, smart CCTV, and behavioral analysis of public spaces.
AI patterns that usually trigger a DPIA
Model training on personal data
Building or fine-tuning models on data about identifiable people. The CNIL treats constituting a training database as capable of creating high risk on its own.
Automated decision-making
Model outputs that determine or heavily influence hiring, lending, pricing, or access decisions.
Systematic monitoring
AI review of employee messages, screens, calls, or productivity signals.
Inference of sensitive attributes
Models that can derive health status, political views, or sexual orientation from apparently harmless inputs.
RAG over personal data stores
Retrieval-augmented generation indexed over mailboxes, CRM records, HR files, or support tickets.
Third-party and shadow AI tools
Staff submitting personal data to external AI services where retention, reuse, and hosting sit outside your control.

Rule of thumb from the EDPB guidelines: two or more of the nine criteria means a DPIA is required, and one can be enough. The ICO treats AI as innovative technology, so AI plus any other criterion requires a DPIA under its UK list. If in doubt, do the DPIA.

What the Template Covers

Seven parts take you from screening to sign-off, with every table pre-structured for AI processing.

1
Screening checklist

Article 35(3) triggers, the EDPB nine criteria with AI-specific interpretations, and a documented screening outcome.

2
Processing description

Purpose, lawful basis, data categories and sources, training vs inference data flows, model provider and hosting locations, retention, and subprocessors.

3
Necessity and proportionality

Ten evidence-based questions covering minimization, alternatives to AI, transparency, data subject rights, and Article 22 safeguards.

4
Risk assessment

A pre-seeded register of ten AI-specific risks to data subjects, scored by likelihood and severity: memorization, bias, sensitive inference, RAG overexposure, and more.

5
Mitigations and residual risk

A mitigation table mapped to each risk, with owners, status, and residual risk scoring, plus the Article 36 consultation trigger.

6
Sign-off and review

DPO consultation record, sign-off table, outcome integration checklist, and a review schedule with AI-specific triggers like model changes.

DPIA vs AI Impact Assessment

The two assessments overlap but answer different questions. Most AI governance programs need both: run the AI impact assessment to decide whether and how to deploy responsibly, and the DPIA to satisfy GDPR obligations wherever personal data is involved.

Data Protection Impact Assessment (DPIA)

This template

  • Legally required by GDPR Article 35 when processing is likely to be high risk
  • Scope: risks to data subjects from the processing of personal data
  • Owned by privacy: the DPO is consulted, and the supervisory authority if residual risk stays high
  • Output: a documented compliance decision that regulators can inspect

AI Impact Assessment (AIA)

Broader, voluntary or policy-driven

  • Best practice under frameworks like NIST AI RMF and ISO/IEC 42001, mandated by some procurement policies
  • Scope: all impacts of an AI system, including fairness, safety, security, and societal effects, with or without personal data
  • Owned by AI governance: a cross-functional review board
  • Output: a deployment decision with conditions, monitoring, and accountability
Get started

Know Every AI System That Needs a DPIA

You cannot assess what you cannot see. Aona discovers every AI tool in use across your organization, shows what personal data flows into them, and gives you the audit-ready inventory your DPIAs depend on.