GRCWatch
Sign inStart free trial

GDPR A35-02: Required DPIA Content & Documentation

A Data Protection Impact Assessment (DPIA) isn't just a checkbox—it's your documented proof that you've thought through the privacy risks of your processing. GDPR Article 35 mandates specific content that must appear in every DPIA, and getting this right protects both your data subjects and your compliance posture.

What this means

Your DPIA must systematically describe the processing operations you plan to run and why you need them. You'll assess whether the processing is truly necessary and proportionate to your stated purpose. You must identify and evaluate the actual risks your processing poses to individuals' rights and freedoms—not generic risks, but specific ones tied to your context. Finally, you document the concrete measures you'll implement to reduce those risks. This isn't aspirational; it's a mandatory record of your risk management process.

How to comply

  1. 1.Document a systematic description of all envisaged processing operations, including data types, categories of recipients, retention periods, and technical details
  2. 2.Clearly state the purposes of the processing and explain why each processing activity is necessary to achieve those purposes
  3. 3.Conduct a proportionality assessment: evaluate whether the scope, scale, and methods of processing are justified by your stated purposes
  4. 4.Identify and assess risks to data subject rights and freedoms, including risks of unauthorized access, loss, discrimination, and other harms specific to your context
  5. 5.Map out the safeguards and measures you'll implement to mitigate identified risks, including technical, organizational, and policy controls
  6. 6.Document the DPIA as a formal record and maintain it for regulatory inspection and evidence of compliance

Evidence auditors look for

  • A completed DPIA template showing all four mandatory sections with organization-specific content
  • Processing operations inventory listing data types, purposes, recipients, and retention schedules
  • Risk register documenting identified risks, likelihood, impact, and mitigation measures tied to the processing
  • Control mapping document showing how technical and organizational measures address each identified risk
  • Consultation records if the DPIA revealed high risks requiring consultation with supervisory authority
  • DPIA review and approval records showing accountability for the assessment

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's DPIA module generates compliant documentation templates pre-populated with your processing inventory and walks your team through systematic risk identification, eliminating manual assessment gaps and reducing the time to a complete, audit-ready DPIA.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A35-01 — DPIA Requirement TriggersGDPR A35-03 — DPIA Consultation with Supervisory AuthorityGDPR A32 — Security of ProcessingGDPR A5 — Data Protection Principles