
DPIA skeleton · Analytics tool deployment

Risk-assessment scaffold. Every placeholder must be substituted before sign-off; a partially-completed DPIA is generally treated as a documentation failure.

Scope law: GDPR · Variables to substitute: 29 · Last reviewed
Editorial research — not legal advice

Template body

29 placeholders · 15 sections

Data Protection Impact Assessment (DPIA)

{{tool_name}} deployment on {{site_domain}}

Author: {{author_name}} ({{author_role}})
Reviewed by DPO: {{dpo_name}}
Date: {{dpia_date}}
Version: 1.0

Drafted to satisfy GDPR Art 35 (data protection impact assessment) and, where residual risk remains high, the prior-consultation duty in GDPR Art 36.


1. Description of processing

  • Tool: {{tool_name}} ({{tool_vendor}})
  • Purpose: Web analytics — measure traffic, content engagement, and basic conversion events
  • Categories of data:
      - Auto-collected: IP address (full/truncated/hashed), user agent, page URLs, referrer, screen size, language
      - User-provided (after consent): user ID hash, custom event parameters

  • Data subjects: all visitors to {{site_domain}}, with consent
  • Volume: ~{{monthly_visitors}} unique visitors/month
  • Frequency: continuous, real-time

2. Necessity and proportionality

Lawful basis

GDPR Art 6(1)(a) — consent, captured via the cookie banner.

Data minimization

  • IP address: {{ip_handling}} (truncated / hashed / not stored)
  • User-agent string: stored {{ua_handling}}
  • No name, email, address, or other direct identifiers collected via this tool
  • Cross-site tracking: {{cross_site_yes_no}}

Retention

  • {{tool_name}} data: {{retention_period}}
  • Aggregated reports: {{aggregated_retention}}

3. Risks identified

Risk                                              Likelihood   Severity     Score
Re-identification from IP+UA combination          {{r1_lik}}   {{r1_sev}}   {{r1_score}}
Vendor data breach                                {{r2_lik}}   {{r2_sev}}   {{r2_score}}
Third-country surveillance access (Schrems II)    {{r3_lik}}   {{r3_sev}}   {{r3_score}}
Consent withdrawal not honoured downstream        {{r4_lik}}   {{r4_sev}}   {{r4_score}}

4. Mitigation measures

Technical

  • IP truncation enabled at vendor level: {{tech_ip_anon}}
  • Encryption in transit (TLS 1.2+): yes
  • Data residency: {{data_residency}}
  • Pseudonymization at source: {{pseudonymization}}

Organisational

  • DPA with vendor signed: {{dpa_signed_date}}
  • Sub-processor list reviewed: {{subprocessor_review_date}}
  • Annual review scheduled: {{annual_review_date}}
  • Consent management integrated with {{cmp_name}}

Transfer

  • Mechanism: {{transfer_mechanism}} (DPF / SCCs / adequacy decision, assessed in light of Schrems II)
  • Transfer Impact Assessment date: {{tia_date}}
  • Supplementary measures: {{supplementary_measures}}

5. Consultation

  • DPO consulted: yes (signed below)
  • Stakeholders consulted: {{stakeholders}}
  • Data subjects consulted: not applicable (consent-based, can withdraw)
  • Supervisory authority consulted: {{dpa_consultation_yes_no}}

6. Conclusion

Residual risk after mitigation: {{residual_risk_level}} — substitute one of: low / medium / high.

  • If LOW or MEDIUM: proceed with deployment
  • If HIGH: prior consultation with the supervisory authority is required (GDPR Art 36)

7. Sign-off

  • DPO: {{dpo_name}} — Date: {{dpo_signoff_date}}
  • Controller representative: {{controller_rep_name}} — Date: {{controller_signoff_date}}

Review schedule: This DPIA is reviewed annually or upon material change in tool, vendor, retention, or scope.

Variables to substitute

Replace each {{token}} in the body before deploying.

Variable                        Type
{{cmp_name}}                    string
{{dpo_name}}                    string
{{tia_date}}                    date
{{dpia_date}}                   date
{{tool_name}}                   string
{{author_name}}                 string
{{author_role}}                 string
{{ip_handling}}                 string
{{site_domain}}                 string
{{tool_vendor}}                 string
{{ua_handling}}                 string
{{stakeholders}}                string
{{tech_ip_anon}}                string
{{data_residency}}              string
{{dpa_signed_date}}             date
{{dpo_signoff_date}}            date
{{monthly_visitors}}            string
{{pseudonymization}}            string
{{retention_period}}            string
{{cross_site_yes_no}}           string
{{annual_review_date}}          date
{{transfer_mechanism}}          string
{{controller_rep_name}}         string
{{residual_risk_level}}         string
{{aggregated_retention}}        string
{{supplementary_measures}}      string
{{controller_signoff_date}}     date
{{dpa_consultation_yes_no}}     string
{{subprocessor_review_date}}    date

How to use this template · Methodology

Adapt, then deploy. Editorial reading as of 2026-05-05; not legal advice. This template is a starting point — drafted against the named statute and the relevant regulator's published guidance, not your specific facts.

Substitute every placeholder. Tokens like {{controller_name}} must be replaced with your concrete values. Leaving placeholders unsubstituted is a recurring failure mode in published compliance documents; reviewers and regulators tend to read partially-completed disclosures as a documentation problem in itself.
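The "substitute every placeholder" rule and the variable table above are easy to enforce mechanically before a DPIA goes to the DPO. The following Python script is an added example, not part of the SetupAnalytics template: it scans a body for {{token}} placeholders, cross-checks them against the declared variable table in both directions, validates supplied values (dates are assumed to be ISO YYYY-MM-DD, and the residual-risk level is restricted to the low / medium / high set named in section 6), and refuses to render a document with any placeholder left. The body excerpt and the sample values are constructed for the example. Run against the full body, the same check also shows that the risk-table tokens ({{r1_lik}}, {{r1_sev}}, {{r1_score}} and their r2 to r4 counterparts) do not appear in the 29-entry variable table, which is exactly the kind of gap this check exists to surface.

```python
"""Placeholder completeness check for a DPIA template body (added example)."""
import re
from datetime import date

# Variable table transcribed from the template (29 entries, name -> type).
DECLARED = {
    "cmp_name": "string", "dpo_name": "string", "tia_date": "date",
    "dpia_date": "date", "tool_name": "string", "author_name": "string",
    "author_role": "string", "ip_handling": "string", "site_domain": "string",
    "tool_vendor": "string", "ua_handling": "string", "stakeholders": "string",
    "tech_ip_anon": "string", "data_residency": "string", "dpa_signed_date": "date",
    "dpo_signoff_date": "date", "monthly_visitors": "string",
    "pseudonymization": "string", "retention_period": "string",
    "cross_site_yes_no": "string", "annual_review_date": "date",
    "transfer_mechanism": "string", "controller_rep_name": "string",
    "residual_risk_level": "string", "aggregated_retention": "string",
    "supplementary_measures": "string", "controller_signoff_date": "date",
    "dpa_consultation_yes_no": "string", "subprocessor_review_date": "date",
}

# Constructed excerpt of the template body; includes one risk-table row whose
# tokens are not in the variable table above.
TEMPLATE_EXCERPT = """\
{{tool_name}} deployment on {{site_domain}}
Author: {{author_name}} ({{author_role}})
Reviewed by DPO: {{dpo_name}} Date: {{dpia_date}}
Re-identification from IP+UA combination {{r1_lik}} {{r1_sev}} {{r1_score}}
Residual risk after mitigation: {{residual_risk_level}}
"""

# Constructed sample values (names, domain and date are fictitious).
SAMPLE_VALUES = {
    "tool_name": "ExampleAnalytics", "site_domain": "example.org",
    "author_name": "A. Author", "author_role": "Privacy lead",
    "dpo_name": "D. Officer", "dpia_date": "2026-01-15",
    "r1_lik": "low", "r1_sev": "medium", "r1_score": "2",
    "residual_risk_level": "low",
}

TOKEN = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")
# Enumerated field from section 6 of the template; "date" fields are assumed ISO.
ENUMS = {"residual_risk_level": {"low", "medium", "high"}}


def find_placeholders(text):
    """Return the distinct placeholder names in order of first appearance."""
    seen = []
    for name in TOKEN.findall(text):
        if name not in seen:
            seen.append(name)
    return seen


def check_declarations(text, declared=DECLARED):
    """Cross-check body tokens against the variable table in both directions."""
    used = set(find_placeholders(text))
    declared_names = set(declared)
    return {
        "undeclared": sorted(used - declared_names),   # in body, not in table
        "unused": sorted(declared_names - used),       # in table, not in body
    }


def validate_values(values, text, declared=DECLARED):
    """List every problem that would leave the rendered DPIA incomplete or wrong."""
    problems = []
    for name in find_placeholders(text):
        if name not in values:
            problems.append(f"{name}: no value supplied")
            continue
        value = str(values[name]).strip()
        if not value or TOKEN.search(value):
            problems.append(f"{name}: value is empty or still a placeholder")
            continue
        if declared.get(name) == "date":
            try:
                date.fromisoformat(value)
            except ValueError:
                problems.append(f"{name}: {value!r} is not an ISO date (YYYY-MM-DD)")
        if name in ENUMS and value.lower() not in ENUMS[name]:
            problems.append(f"{name}: {value!r} is not one of {sorted(ENUMS[name])}")
    return problems


def render(text, values, declared=DECLARED):
    """Substitute every placeholder, or refuse to emit a partially completed document."""
    problems = validate_values(values, text, declared)
    if problems:
        raise ValueError("DPIA not ready for sign-off:\n  " + "\n  ".join(problems))
    return TOKEN.sub(lambda m: str(values[m.group(1)]).strip(), text)


if __name__ == "__main__":
    print(check_declarations(TEMPLATE_EXCERPT))
    print(render(TEMPLATE_EXCERPT, SAMPLE_VALUES))
```

Run the declaration check against the complete body (not only this excerpt) and treat a non-empty "undeclared" list as a defect in the template itself, since those tokens will never be filled by a variable-driven workflow; treat a failure from render as a hard stop rather than something to hand-edit around.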

Verify the assumptions. The "Assumes" block above lists the prerequisites we drafted against. If your facts differ — different processor list, different audience, different sub-processors — adapt the template, don't deploy it as-is.

Counsel review before going live. Templates are scaffolding, not finished artefacts. Route the final pass through counsel admitted in the jurisdiction where you operate.

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. This template does not establish a lawyer-client relationship and is not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment.