On 14 April 2026, the European Data Protection Board (EDPB) published the first harmonised template for Data Protection Impact Assessments (DPIA) and opened it for public consultation. The deadline for comments is 9 June 2026. This is one of the most significant steps towards consistent GDPR compliance across the EU since the regulation entered into force in 2018.
What Is a DPIA and When Is It Required
A Data Protection Impact Assessment is a documented process required by Article 35 GDPR in situations where planned processing is likely to result in a high risk to the rights and freedoms of natural persons.
A DPIA is mandatory in particular where:
- processing involves systematic and comprehensive evaluation of personal aspects (profiling, credit scoring)
- special categories of data (health, biometric, genetic) are processed on a large scale
- systematic monitoring of publicly accessible areas is carried out on a large scale
- processing appears on the list published by a national supervisory authority as a type requiring a DPIA
Every supervisory authority in the EU is required to publish a list of types of processing that require a DPIA. Until now, each authority did so according to its own approach and on the basis of its own document template. The EDPB’s new template is designed to end this fragmentation.
The Problem the Template Addresses — Eight Years of Inconsistency
Since the GDPR entered into force in 2018, each EU member state and each supervisory authority has applied its own approach to DPIA. The dominant practical standard became the open-source PIA software developed by the French supervisory authority CNIL — not because it was an official European standard, but because it was the best-developed option available. Organisations and DPOs across Europe adopted it in the absence of usable alternatives from their own national authorities.
The EDPB’s explanatory document acknowledges this openly: the annex listing national DPIA guidance from each supervisory authority country by country contains several entries with no guidance at all. Organisations operating across borders had to adapt their documentation to different expectations from different authorities — with no certainty that a DPIA structured according to one national approach would be accepted by another.
What the EDPB Template Contains
Template v1.0 was adopted on 10 March 2026 by written procedure. It is accompanied by an explanatory document that breaks down each section in plain language and addresses common questions. The template is structured into the following main sections:
Section 0 — DPIA Technical Sheet
Basic information: title, version, date, the team responsible for conducting the DPIA (including roles in a RACI model: Responsible, Accountable, Consulted, Informed), the DPO’s role, approval.
Section 1 — Systematic Description of the Processing
High-level description: categories of data processed, purposes, secondary or compatible uses. Functional description: means of processing, supporting assets (IT systems, outsourcing, archives), transfers to third countries with the applicable mechanism (adequacy decision, SCCs), deletion and destruction procedures.
Section 2 — Assessment of Necessity and Proportionality
Is the processing necessary to achieve the purpose? Could the purpose be achieved in a less intrusive way? Compliance with GDPR principles — minimisation, purpose limitation, accuracy. Data subject rights and how they are facilitated.
Section 3 — Risk Assessment
Here the EDPB introduces an important methodological distinction between two types of risk:
- Design risk — risk inherent in the structure of the processing itself: long retention periods, use of unique identifiers, excessive data collection, absence of pseudonymisation. This is the risk embedded in how the processing has been designed.
- Incident risk — risk arising from external and internal threats: cyberattacks, configuration errors, unauthorised access by employees, phishing, system failures.
For each identified risk, the template requires an assessment of likelihood and severity of impact, and identification of threat sources.
Section 4 — Mitigating Measures and Action Plan
Technical and organisational measures to reduce identified risks, with assigned responsibility and deadlines.
Section 5 — Conclusions
Final assessment: have risks been sufficiently mitigated? Can processing proceed? Is prior consultation with the supervisory authority required under Article 36 GDPR?
What Happens After the Consultation
After the public consultation closes on 9 June 2026, the EDPB will make any appropriate modifications and finalise the template. All national supervisory authorities will then be required to adopt it — either as their sole standard or as a meta-template with which their national templates must be compatible.
This means that after finalisation, a DPIA conducted in Poland, Germany, or the Netherlands — if based on the EDPB template — will be recognised by supervisory authorities across the entire EEA. For organisations operating across borders, this is a significant simplification.
Do You Need to Use the Template Now
Use of the EDPB template is not mandatory — the GDPR leaves controllers free to choose their DPIA methodology. The template is a supporting tool, not a legal requirement.
However, the EDPB encourages organisations to use the template now and to submit feedback during the consultation. This is particularly valuable for DPOs and data protection professionals — the template will soon become the de facto European standard, and it is worth becoming familiar with it before finalisation.
Connection to the AI Act
The template explicitly addresses the intersection with the EU AI Act. Article 26(9) of the AI Act requires deployers of AI systems to use the information provided by the AI system provider under Article 13 to fulfil their DPIA obligation under Article 35 GDPR. The EDPB template includes a section accommodating this context — which is relevant for any organisation deploying AI tools in personal data processing activities.
Summary
The EDPB published the first harmonised EU-wide DPIA template on 14 April 2026. The template is not mandatory — but after the public consultation closes (9 June 2026), all national supervisory authorities will be required to adopt it as their standard or align their national templates with it. For organisations operating across borders, this ends the era of divergent national expectations. For DPOs and compliance professionals, it is a new tool worth learning now — before it becomes the binding reference across the EEA.
FAQ
No — the template is not retroactively mandatory and existing assessments conducted under other methodologies remain valid. The template is most useful for new DPIAs and updates to existing ones.
Not directly — the template is a structured document rather than software. The CNIL may adapt its tools to align with the new template following the consultation.
Comments must be submitted through the EDPB website by 9 June 2026. The template and consultation form are available directly on the EDPB public consultations page.
Design risk arises from the structure of the processing itself — long retention periods, use of unique identifiers, excessive data collection. Incident risk arises from external threats — attacks, human errors, system failures. The EDPB template requires both to be assessed separately.
After the consultation closes on 9 June 2026, the EDPB will finalise the template. Each national supervisory authority will then take the necessary steps to adopt it as their standard or meta-template. No specific timeline for this process has been announced.
Conduct and document your DPIA directly in iGDPR
iGDPR lets you run your DPIA in the risk module — linked to the record of processing activities, with version history and PDF export. See how it works in practice.