On April 14, 2026, the EDPB adopted a common template for the Data Protection Impact Assessment – what the GDPR calls a DPIA. The template is free, structured with predefined fields, and accompanied by an explanatory document that breaks down key terms in clear language.
A DPIA is required when processing is likely to result in a high risk to the rights of data subjects. This applies, for example, when using new technology, systematic monitoring, or processing sensitive information on a large scale. Reddit was recently fined £14 million precisely because they never conducted such an assessment.
The draft is not mandatory — but it provides a structure that makes it easier to capture what is important, and harder to forget something. It is open for consultation until June 9, 2026.
Practical point: Check whether your processing of personal data could result in a high risk – new technology, video surveillance, health data, or systematic profiling. If so, download the EDPB's DPIA template and use it as a starting point.
Inspired by: European Data Protection Board