On 14 April 2026, the European Data Protection Board (“EDPB”) released a draft template data protection impact assessment (“DPIA”) (the “Template”) which aims to harmonise DPIA standards across Europe and simplify compliance with the GDPR. The Template follows the Helsinki Statement on enhanced clarity, support and engagement which aims to streamline GDPR compliance and which we previously discussed here.
The Template was subject to public consultation until 9 June 2026, during which time stakeholders were invited to submit feedback. The EDPB is now reviewing these submissions and will adopt a final version. The Template is available here.
Controllers are not required to adhere to a specific DPIA format or methodology so long as it meets the requirements contained in Article 35(7) of the GDPR (including a description of the data processing and an assessment of necessity, proportionality and the risks to the rights and freedoms of data subjects). This discretion has resulted in a varied approach and ultimately led to supervisory authorities stepping in and publishing their own guidance in lieu of a harmonised European approach. The Data Protection Commission’s (“DPC”) guidance is available here. Inconsistent approaches to DPIAs particularly impacted controllers that operate across Europe, where DPIA requirements varied between jurisdictions.
DPIAs
Article 35 of the GDPR requires data controllers to complete a DPIA when processing is “likely to result in a high risk to the rights and freedoms of natural persons”, including when using new technologies that are based on automated processing of personal data such as profiling, when engaging in large-scale processing of special category data, and when carrying out the systematic monitoring of people on a large scale. If you are rolling out new technology, including AI systems, technology that will profile customers or screen potential candidates in HR processes, or technology that will process a significant amount of health data, or if you are considering the use of CCTV in the workplace, you will be required to complete a DPIA to show compliance with the GDPR.
A DPIA demonstrates that a controller considered the purpose of processing and what the organisation aims to achieve, determines whether the processing is necessary and proportionate, assesses any risks to data subjects, considers possible mitigating factors, and in effect is a vital tool to demonstrate compliance with the GDPR.
Risk Analysis
The Template is separated into seven clear standardised sections that represent the DPIA lifecycle, including overview, systematic description of processing, analysis of processing considering lawfulness, necessity and proportionality, risk assessment and management, involvement of interested parties, conclusion and decision.
The Template does not prescribe the risk methodology to be used by the controller, who can instead apply their preferred approach. Use of the Template, when finalised, is not mandatory, but it does allow controllers to benefit from predefined fields that prompt complete and structured responses. This will help ensure that all necessary information is captured accurately while minimising the risk of errors, and ultimately saves time.
Practical impact
Data controllers are well versed in DPIAs and have been using them since the introduction of the GDPR. This Template does encourage a consistent approach for those international data controllers that may work across many jurisdictions. It is recommended that Irish data controllers continue to rely on the DPC’s guidance alongside use of the Template. Concerns have, however, been raised that the Template is not suitable for use in all circumstances, so consideration will need to be given on a case-by-case basis to whether a more bespoke approach is required.
If you would like to discuss the content of this article or require assistance with any of your organisation’s data protection requirements, please contact Cian Clinch or Denise O’Shaughnessy.