What the European Data Protection Board’s new Data Protection Impact Assessment Template means for GDPR compliance
On 14 April 2026, the European Data Protection Board (“EDPB”) published guidance and a template Data Protection Impact Assessment (“DPIA”)¹ which is to be used across the EU. This was published in line with the EDPB’s “Helsinki Statement on enhanced clarity, support and engagement”², which aims to make compliance with the General Data Protection Regulation (“GDPR”) more accessible and consistent across the EU.
What is a DPIA?
DPIAs are required under Article 35 of the GDPR. Where a type of processing, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operation on the protection of personal data.
The GDPR is prescriptive about what a DPIA should contain. As per Article 35(7) GDPR, it should contain at least the following:
- A description of the processing operations, the purpose of processing and, where applicable, the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address these risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
The aim of a DPIA is to allow organisations to make informed decisions on whether proposed processing of personal data is acceptable under the GDPR. A DPIA can assist in identifying and mitigating risk, and organisations can use DPIAs to demonstrate compliance with the GDPR. They should be carried out at an early stage in any project and updated as the project develops.
The DPC’s DPIA template versus the EDPB’s template
The Irish Data Protection Commission (the “DPC”) had previously published a sample DPIA template which it had explicitly stated was to be used as a guide only. The publication of a template DPIA by the EDPB is a significant step towards the harmonisation of GDPR application across the EU and marks the first time the EDPB has endorsed a common structure for DPIAs. The EDPB’s template is far more granular than the DPC’s and requires significantly more detail to be inserted by the data processor. It asks for more technical information on the processing of data, analysis of the processing, necessity and proportionality considerations and risk assessment.
The template is subject to a period of public consultation, which will end on 9 June 2026. Following this consultation, it is the intent of the EDPB that the national supervisory authorities (in Ireland the DPC) will adopt the template either as their sole standard, or as a ‘meta-template’ to which national-specific templates will align.
Conclusion
Whilst we will wait to see whether the template changes as a result of the public consultation, this marks a further step towards the aim of consistent application of the GDPR across the EU. While it is not mandatory for controllers to use (or align with) this template, it would be prudent to review DPIA processes in line with the full DPIA, once adopted, and assess how they align with the proposed structure. While the template is presently undergoing public consultation, organisations are advised to remain attentive to ongoing developments, including the possibility that the final adopted version may differ from the current draft.
1. EDPB article, “Enhancing compliance and consistency: EDPB adopts DPIA template” accessible here.
2. Helsinki Statement accessible here.

Judith Curtin
Partner
jc@ofx.ie
Kathryn Buckley
Associate
kathryn.buckley@ofx.ie


