ARTICLE
14 April 2026

EDPB Publishes Draft DPIA Template For Public Consultation

A&O Shearman

On April 14, 2026, the European Data Protection Board (EDPB) published a draft template for conducting data protection impact assessments (DPIAs) under the EU General Data Protection Regulation (GDPR), forming part of the EDPB's broader efforts under its Helsinki Statement to make GDPR compliance easier and strengthen consistency across Europe. The draft template is subject to public consultation until June 9, 2026. 

The template is designed to provide controllers with a standardised format for documenting and reporting DPIAs, featuring pre-defined fields covering key elements of Article 35 GDPR and intended to prompt complete and structured responses across each stage of the assessment process. While the EDPB acknowledges that most organisations will already have their own internal DPIA templates, the draft offers a regulator-endorsed baseline that should be readily accepted by all EU supervisory authorities.

In practical terms, the template functions as a step‑by‑step operational checklist for DPIAs that controllers can use both when designing new processing activities and when reviewing existing ones. It requires organisations to systematically document: 

  1. the categories of personal data involved and the full processing lifecycle;
  2. the purpose of the processing and applicable legal bases; and
  3. a structured assessment of necessity and proportionality, including whether the same objective could reasonably be achieved through less intrusive means.

The template then guides organisations through a granular risk assessment, requiring a clear distinction between risks inherent to the processing as designed and risks arising from accidental or abnormal events, and obliges controllers to link each identified risk to specific technical and organisational mitigation measures, indicating whether those measures are planned, partially implemented or fully implemented. Controllers must then reassess residual risk after mitigation and record a clear decision outcome (approval, conditional approval, rejection or referral for prior consultation with the supervisory authority under Article 36 GDPR). 

The EDPB also released an accompanying explainer document which provides practical guidance on completing the template, clarifies key concepts, and includes a useful annex listing DPIA-related guidance published by supervisory authorities across the EU and EEA.

Controllers are not required to use the EDPB template and remain free to conduct their risk analysis using the methodology of their choice. However, the EDPB positions the template as a convenient way to record the minimum information that should always be documented, in a format designed to be universally accepted by supervisory authorities. 

Importantly, following the public consultation, all EU supervisory authorities are expected to take steps to align national DPIA templates with the EDPB template, either by adopting it directly or using it as a “meta-template”. As the template is published in draft form, its use is voluntary and does not alter existing DPIA obligations under the GDPR. Nevertheless, it may serve as a useful reference point for organisations seeking to test or benchmark their DPIA processes against emerging EDPB expectations, and organisations are encouraged to provide feedback during the consultation phase.

The press release is available here, and the draft DPIA template and the explainer document can be found here.

The public consultation is open until June 9, 2026, and responses may be submitted through an online form using the link provided at the bottom of this page.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
