The template on this page is made by the people of ICT Institute. We use such templates in our training sessions and our advisory work, such as preparing organizations to pass the ISO 27001 audit. We decided to make our templates available to anyone with hardly any restrictions.
We also offer other 27001 and GDPR templates, also available in Dutch. Check out our free and complete courses on YouTube:
<aside> 💡
This template follows the example scenario of a fictitious company selling paper - FictiSecure B.V.
The company wants to install a video surveillance system for its offices and warehouse. The system is a ready-to-go solution with smart IoT devices and cloud storage. The idea is to install the system as quickly and effectively as possible to go live with monitoring in all areas at reduced cost. However, the DPO raised the concern that this approach could carry disproportionate risk to the employees of the company and, therefore, initiated a DPIA.
The overall steps to assess the need and execute the DPIA are:
Follow the instructions and answer the questions in each section.
The text in gray is example text inspired by the example scenario, which you should modify or replace with your own answers.
</aside>
| Name and address of the organization: | FictiSecure B.V. Example Street 10, 1234 AB, Amsterdam |
| --- | --- |
| Author DPIA: | Mark de Vries |
| Name and contact details DPO (if appointed): | Anna Janssen |
| Other involved and consulted experts: | Sophie van den Berg, Tom Bakker, Lisa Smits |
<aside> 💡
Write down here on which day you spoke with whom, which workshops were held and when, and which parties or people were present.
</aside>
Kick-off meeting
<aside> 💡
Describe the proposal in general terms, for example, what is the motivation for this assessment? Is the proposal for an existing situation, or for a new proposed situation?
Ref: Art. 30 - Records of processing activities, Art. 35(7)(a) - Required DPIA content: description of processing, purposes, and legitimate interest.
</aside>
FictiSecure B.V. plans to implement an all-inclusive video surveillance system at its main office and warehouse. The system will consist of multiple indoor and outdoor cameras connected by default to an on-premise recorder as well as a cloud service operated by the vendor.
This DPIA concerns the new proposed situation. Currently, the company only has a basic doorbell camera at the main entrance with no systematic recording of employees or visitors. The new system would introduce continuous recording of employees, visitors, contractors and (for some outdoor views) passers-by.
Scope of the proposal