Trust Pack · Tool 9

DPIA Lite.

One processing activity, six sections, residual-risk verdict. GDPR Art 35 mandates a Data Protection Impact Assessment for any processing that is "likely to result in a high risk to the rights and freedoms of natural persons." This is a starter scaffold to answer that — vocabulary-aligned, not a substitute for legal review. Fill it in, score the residual risks, export. The output is markdown + JSON; the workflow is yours.

1. Processing description

What the activity is

2. Data inventory

What data, how much, how sensitive

3. Necessity & proportionality

Could we achieve this with less data?

4. Cross-border transfers + subprocessors

Where data goes, who can touch it
Should reconcile with your Subprocessor Disclosure.

5. Risk identification + mitigations

Per identified risk: likelihood × impact, scored before and after mitigation.
Columns: Risk to data subject; Likelihood pre (1-5); Impact pre (1-5); Score pre; Mitigation; Likelihood post (1-5); Impact post (1-5); Residual.
Verdict (auto-derived from the highest residual score; shown once at least one risk has been added).
Verdict bands: max residual 1-4 → low risk; 5-9 → additional safeguards required; 10-25 → consultation with supervisory authority likely required (GDPR Art 36).
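The section-5 scoring and verdict derivation as runnable code, including the empty-table case and rejection of ratings outside 1-5. This is an added example, not the Trust Pack tool's own code; the field names and the sample risks are constructed for illustration.

```javascript
// Verdict bands from the page: max residual 1-4, 5-9, 10-25.
const BANDS = [
  { max: 4, verdict: "low risk" },
  { max: 9, verdict: "additional safeguards required" },
  { max: 25, verdict: "consultation with supervisory authority likely required (GDPR Art 36)" },
];

// Ratings are integers 1-5; anything else is a data-entry error, not a low score.
function rating(n, name) {
  if (!Number.isInteger(n) || n < 1 || n > 5) throw new RangeError(`${name} must be an integer 1-5`);
  return n;
}

// Score one row: likelihood × impact before mitigation (scorePre) and after (residual).
function scoreRisk(r) {
  const scorePre = rating(r.likelihoodPre, "likelihoodPre") * rating(r.impactPre, "impactPre");
  const residual = rating(r.likelihoodPost, "likelihoodPost") * rating(r.impactPost, "impactPost");
  return { ...r, scorePre, residual };
}

// Verdict is driven by the single worst residual score; null until a risk exists.
function verdictFor(scoredRisks) {
  if (scoredRisks.length === 0) return null;
  const maxResidual = Math.max(...scoredRisks.map(r => r.residual));
  return { maxResidual, verdict: BANDS.find(b => maxResidual <= b.max).verdict };
}

// Export the scored table as markdown plus a JSON record of the same data.
function exportDpia(risks) {
  const scored = risks.map(scoreRisk);
  const verdict = verdictFor(scored);
  const header = "| Risk | L pre | I pre | Score pre | Mitigation | L post | I post | Residual |\n|---|---|---|---|---|---|---|---|";
  const rows = scored.map(r =>
    `| ${r.risk} | ${r.likelihoodPre} | ${r.impactPre} | ${r.scorePre} | ${r.mitigation} | ${r.likelihoodPost} | ${r.impactPost} | ${r.residual} |`);
  const verdictLine = verdict ? `Verdict: ${verdict.verdict} (max residual ${verdict.maxResidual})` : "Add at least one risk to see verdict";
  return { markdown: [header, ...rows, "", verdictLine].join("\n"), json: JSON.stringify({ risks: scored, verdict }, null, 2) };
}

// Constructed sample input (hypothetical processing activity, not from the page).
const sampleRisks = [
  { risk: "Re-identification of pseudonymised records", likelihoodPre: 4, impactPre: 4,
    mitigation: "Drop quasi-identifiers before export", likelihoodPost: 2, impactPost: 3 },
  { risk: "Subprocessor breach exposing contact data", likelihoodPre: 3, impactPre: 3,
    mitigation: "Encrypt at rest; DPA with breach-notification clause", likelihoodPost: 2, impactPost: 2 },
];
```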
This is a starter scaffold, not a substitute for legal review. The output reflects your inputs at this moment. GDPR Art 35(2) requires consultation with your DPO where one is designated. Art 35(9) says you should seek the views of data subjects "where appropriate." Art 36 requires prior consultation with the supervisory authority when the residual risk would be high without mitigation. This tool helps you answer the structural questions; it does not give legal advice. No data leaves your browser. See the Trust Pack hub for the full set.