Frequently asked questions
What is a DPIA template and why does my organisation need one?
A Data Protection Impact Assessment (DPIA) is a documented process for identifying and minimising the data protection risks of a project before you start it. Under UK GDPR Article 35 it is a legal requirement where the processing is likely to result in a high risk to the rights and freedoms of individuals, and it is good practice for any major new use of personal data. A template gives you the structure so the assessment is consistent and nothing obvious is missed.
When is a DPIA legally required?
When the processing is likely to result in a high risk. UK GDPR Article 35(3) gives three examples (large-scale processing of special category data, systematic and extensive profiling on which significant decisions are based, and large-scale systematic monitoring of publicly accessible areas), and the ICO publishes a further list of processing types it considers high risk. The European Data Protection Board guidance (originally from the Article 29 Working Party) sets out nine high-risk criteria; meeting two of them should normally trigger a DPIA, and in some cases one alone is enough. Our screening step checks your inputs against these and tells you which apply.
Is this a substitute for legal advice or a DPO?
No. This is a free starting template and self-check. It gives you a structured draft and flags likely gaps, but it is not legal advice and does not replace your Data Protection Officer, your lawyer, or a proper review. Treat the output as a first draft to take into that review.
Does this make me GDPR compliant?
No. Completing the scaffold and checklist helps you organise your thinking and evidence your accountability, but compliance depends on what you actually do with the data and how you implement the measures. The checklist flags gaps; it does not close them.
What is the difference between the DPIA and the compliance checklist?
The DPIA scaffold is a project-specific risk assessment for one piece of processing. The GDPR checklist is a broader self-check of the core accountability duties that apply to that processing. The toolkit generates both from the same answers so you can see the specific risk picture and the general housekeeping in one place.
What if my screening says a DPIA is not required?
You should still document that decision and the reasons for it, because the ICO expects you to be able to show you considered the question. The scaffold is useful even then as a record. If anything about the processing changes, screen again.
What happens if a high risk remains after I have added controls?
If a residual risk is still high after your mitigations, UK GDPR Article 36 requires you to consult the ICO before you start the processing. The scaffold flags this so it is not missed.
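The two answers above (when a DPIA is required, and when a high residual risk means consulting the ICO) describe a screening decision that can be written down precisely. The following is an added illustration of that logic, not the toolkit's own code: it encodes the three Article 35(3) examples, the nine EDPB/WP29 criteria with the "two normally, one sometimes" rule, and the Article 36 prior-consultation flag. The field names, the Risk scale and the sample inputs are assumptions made for this example.

```python
"""Added example: DPIA screening logic in the shape the FAQ describes.
Not the toolkit's code; field names and the Risk scale are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class Processing:
    """Screening inputs for one piece of processing (hypothetical field names)."""
    large_scale: bool = False
    special_category: bool = False      # Art 9 special category or Art 10 criminal data
    profiling: bool = False             # evaluation or scoring of individuals
    automated_decisions: bool = False   # decisions with legal or similarly significant effect
    systematic_monitoring: bool = False
    public_area_monitoring: bool = False
    matching_datasets: bool = False
    vulnerable_subjects: bool = False   # children, patients, employees, etc.
    innovative_technology: bool = False
    prevents_exercise_of_right: bool = False
    residual_risk: Risk = Risk.LOW      # risk remaining after the planned controls


@dataclass
class Screening:
    dpia_required: bool
    review_recommended: bool            # one EDPB criterion met: a judgement call, not automatic
    consult_ico: bool                   # Art 36 prior consultation before processing starts
    art35_examples: list = field(default_factory=list)
    criteria_met: list = field(default_factory=list)

    def record(self) -> str:
        """Plain-text decision record; worth keeping even when no DPIA is required."""
        lines = [f"DPIA required: {self.dpia_required}"]
        lines += [f"  Art 35(3) example: {e}" for e in self.art35_examples]
        lines += [f"  EDPB criterion met: {c}" for c in self.criteria_met]
        if self.review_recommended:
            lines.append("  One criterion met: DPO to decide whether it alone is enough")
        if self.consult_ico:
            lines.append("  Residual risk high: consult the ICO under Art 36 before starting")
        return "\n".join(lines)


def screen(p: Processing) -> Screening:
    # Article 35(3) UK GDPR: any one of these examples requires a DPIA outright.
    art35 = []
    if p.profiling and p.automated_decisions:
        art35.append("35(3)(a) systematic, extensive profiling driving significant decisions")
    if p.large_scale and p.special_category:
        art35.append("35(3)(b) large-scale special category or criminal offence data")
    if p.large_scale and p.public_area_monitoring:
        art35.append("35(3)(c) large-scale systematic monitoring of a public area")

    # EDPB/WP29 guidance (WP248 rev.01): nine criteria. Two normally means a DPIA;
    # one may be enough, so a single hit is surfaced for human review rather than decided here.
    criteria = {
        "evaluation or scoring": p.profiling,
        "automated decision-making with significant effect": p.automated_decisions,
        "systematic monitoring": p.systematic_monitoring or p.public_area_monitoring,
        "sensitive or highly personal data": p.special_category,
        "large scale": p.large_scale,
        "matching or combining datasets": p.matching_datasets,
        "vulnerable data subjects": p.vulnerable_subjects,
        "innovative use or new technology": p.innovative_technology,
        "prevents exercise of a right or access to a service": p.prevents_exercise_of_right,
    }
    met = [name for name, hit in criteria.items() if hit]

    required = bool(art35) or len(met) >= 2
    review = (not required) and len(met) == 1
    # Art 36: only a DPIA that leaves residual high risk triggers prior consultation.
    consult = required and p.residual_risk is Risk.HIGH
    return Screening(required, review, consult, art35, met)


if __name__ == "__main__":
    # Constructed sample: a large-scale health-data project whose controls still leave high risk.
    sample = Processing(large_scale=True, special_category=True, residual_risk=Risk.HIGH)
    print(screen(sample).record())
```

The point of keeping the decision record in the result is the FAQ's own advice: even a "not required" outcome should be written down with its reasons, and re-run when the processing changes.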
Does this cover children's or special category data?
The questions capture whether children, vulnerable people, or special category data are involved, and the output flags the extra steps these trigger, such as an Article 9 condition and heightened risk treatment. It is a prompt to handle them properly, not a complete treatment of those rules.
Is my data stored or shared when I use this tool?
The generator runs in your browser and the result is shown on screen for you to copy. We ask for your work email so we can follow up if useful; we do not email the scaffold and we do not publish your answers. See our privacy notice for how we handle the contact details you provide.
Who is this for?
UK mid-market organisations and non-profits that are starting a project involving personal data and want a credible, board-readable first draft of a DPIA and a plain-English compliance check, without needing deep legal or technical knowledge to begin.
Who built this and why is it free?
Starkhorn is an independent advisory consultancy led by Daniel Jacobs, fractional CIO and CISO with 20+ years in technology and security, including VetPartners (BC Partners-backed, GBP1.2bn, 14,000 staff) and Jardine Motors Group (GBP2bn). We build free self-assessment tools like this to be useful in their own right. We sell advisory work, not certification, insurance, or software, so there is no upsell baked into the result, just an honest starting artefact and the option to talk if you want help.