AI Data Protection Impact Assessment

GDPR Article 35 Compliant DPIA Template

1. Processing Description
2. Necessity & Proportionality
3. Risk Identification
4. Risk Mitigation
5. Consultation
Processing Description

Describe the AI system and its data processing activities

Describe what data is processed, how, and for what purpose

List all types of personal data processed by the AI system

Who are the individuals whose data is being processed?

Necessity & Proportionality

Assess whether the processing is necessary and proportionate

What specific purposes does the AI system serve?

Why is AI processing necessary to achieve these purposes?

Is the data collected proportionate to the purpose?

Purpose Limitation: data is collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with them
Data Minimization: only data that is adequate, relevant, and necessary for the purpose is collected
Accuracy: measures are in place to keep data accurate and up to date, and to correct or erase inaccurate data
Storage Limitation: data retention periods are defined, justified, and enforced

How are data subject rights ensured?

Risk Identification

Identify risks to data subject rights and freedoms

Assess risks to individuals from the AI system's processing of their personal data.

Discrimination or Bias

Risk of discriminatory outcomes based on protected characteristics

Loss of Autonomy

Risk of automated decisions affecting individuals without meaningful human oversight

Privacy & Surveillance

Risk of excessive monitoring or intrusion into private life

Data Security

Risk of unauthorized access, breach, or data loss

Inaccurate Decisions

Risk of errors in AI outputs leading to harmful decisions

Lack of Transparency

Risk of opaque decision-making that cannot be explained to data subjects

Risk Mitigation Measures

Define measures to address identified risks

Technical measures: security controls, encryption, access controls, anonymization or pseudonymization techniques

Organizational measures: policies, staff training, governance structures

Bias and discrimination controls: fairness testing, representative training data, regular audits

Human oversight: human-in-the-loop decision points, review processes, escalation procedures

Transparency measures: explainability of outputs, notice to data subjects, documentation

What risks remain after mitigation measures are applied?

Supervisory Authority Consultation

Determine whether prior consultation with the supervisory authority is required under GDPR Article 36, i.e. whether the assessment indicates a high risk that the mitigation measures do not reduce to an acceptable level

Risk Assessment Summary

High Risk Processing: the processing is likely to result in a high risk to the rights and freedoms of individuals, even after mitigation
Large Scale Processing: the processing involves large volumes of data or a large number of data subjects
Special Category Data: the processing involves sensitive personal data (health, genetic, biometric, racial or ethnic origin, etc.)
Automated Decision-Making: decisions with legal or similarly significant effects are made without meaningful human intervention
Systematic Monitoring: the AI system involves systematic monitoring of individuals

When will this DPIA be reviewed?