EDPB DPIA Template: UK Practitioners' Guide

In short: The European Data Protection Board published a standardised DPIA template on 14 April 2026, open for consultation until 9 June 2026. UK controllers processing EU residents’ data should review the template now. Its design-risk versus incident-risk framework offers a more rigorous structure than the ICO’s current screening checklist.
EDPB adopts a standardised DPIA template
The EDPB adopted a standardised DPIA template on 14 April 2026, backed by a companion explainer document. The template is open for public consultation until 9 June 2026. After that date, all EU data protection authorities will adopt it as their standard template or as a meta-template with which national templates must align. For UK practitioners advising clients who process personal data of EU residents, this is the most practical DPIA development since the Article 29 Working Party’s 2017 guidelines.
DPIA obligations under UK GDPR and EU GDPR
Article 35 of the UK GDPR requires controllers to carry out a data protection impact assessment before any processing that is “likely to result in a high risk” to individuals’ rights and freedoms. The obligation applies where the controller plans to use systematic and extensive profiling with significant effects, process special category data on a large scale, or systematically monitor publicly accessible places on a large scale. Article 35 of the EU GDPR contains the same obligation in materially identical terms.
Neither the UK GDPR nor the EU GDPR prescribes a particular template or methodology. Controllers must describe the processing, assess its necessity and proportionality, identify risks to data subjects, and document measures to address those risks. Beyond that, the format is open. The ICO provides DPIA guidance and a downloadable screening checklist, but its approach is high-level: it recommends a seven-step process (screening, description, consultation, necessity assessment, risk identification, mitigation, sign-off) without mandating a particular document structure.
The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, amends several UK GDPR provisions but does not change the core Article 35 DPIA obligation. The ICO’s DPIA guidance is under review in light of the DUAA, though any updates are expected to refine process rather than alter the substantive threshold for when a DPIA is required.
What the EDPB template covers
The template is structured as seven sections, numbered 0 to 6. Section 0 identifies the controller, processors, sub-processors, the DPIA team, the methodology used, and the reasons triggering the assessment. Section 1 requires a systematic description of the processing: categories of personal data, purposes, scope, context, data lifecycle, data flows, and the technical architecture supporting the processing. Section 2 covers the legal analysis: lawful basis for each purpose, special category justifications, data minimisation, retention periods, and compliance measures mapped against five categories (Article 5 principles, data subject rights, other GDPR requirements, data protection by design and by default, and security).
Sections 3 and 4 contain the template’s most distinctive contribution. Section 3 assesses necessity and proportionality by examining the impacts on data subjects’ rights that arise from the processing as designed and projected to operate. Section 4 addresses risk assessment for non-default, accidental, or abnormal events: malfunctions, deviations, misconfigurations, insider abuse, and external attacks. Section 5 documents DPO advice and stakeholder consultation. Section 6 records the final decision: abandon processing, consult the supervisory authority, proceed as planned, or proceed with modifications.
Design risk versus incident risk: the critical distinction
The EDPB template separates two categories that most existing DPIA methodologies conflate. Design risk (Section 3) addresses threats inherent to the processing itself: unique identifiers, long retention periods, and architectural features that expose data subjects to harm even when the system operates correctly and all actors follow the rules. Incident risk (Section 4) addresses threats from operational deviations: software bugs, misconfigurations, unauthorised access, breaches, and attacks.
This distinction forces controllers to ask a question that many DPIAs currently skip: is this processing compatible with data subjects’ rights even when everything works as intended? A telecoms operator deploying a new customer analytics platform, for example, must assess whether the platform’s core design (the data it collects, how long it retains it, what decisions it informs) poses risks to subscribers, before turning to operational risks such as data breach or system compromise. For AI-enabled products, this design-risk lens is particularly valuable. It requires the controller to evaluate whether the model’s architecture, training data selection, and output use cases are proportionate to the stated purpose, separate from the question of what happens if the model malfunctions.
How the EDPB template compares with the ICO approach
The ICO’s current DPIA framework and the EDPB template address the same underlying Article 35 obligation but differ in structure and depth. The comparison below sets out the principal differences.
| Feature | EDPB Template (2026) | ICO Approach |
|---|---|---|
| Structure | 7 prescribed sections (0-6) with predefined fields | 7-step process guidance; flexible format |
| Design risk assessment | Dedicated section (Section 3) for risks inherent to processing design | Not separately addressed; combined with general risk assessment |
| Incident risk assessment | Dedicated section (Section 4) for operational/breach risks | Addressed within general risk identification step |
| Legal basis mapping | Per-purpose legal basis analysis with five compliance categories | General requirement to document lawful basis |
| Data flow documentation | Required: data lifecycle, flows, and technical architecture | Recommended but not structured within template |
| Final decision options | Four prescribed outcomes including “consult supervisory authority” | Sign-off and record outcomes |
| Mandatory use | Not mandatory, but will become DPA standard/meta-template | Not mandatory; ICO provides sample template |
Implications for UK controllers and regulated businesses
The EDPB template is not binding on UK controllers supervised by the ICO. Article 35 UK GDPR does not require controllers to use any particular template, and the ICO has not adopted the EDPB document. However, UK controllers who process personal data of EU residents under Article 3(2) EU GDPR (offering goods or services to, or monitoring the behaviour of, individuals in the EU) will find the template directly relevant. A DPIA conducted using the EDPB template is likely to satisfy the supervisory authority in the relevant EU member state.
For telecoms operators, payments firms, and technology companies with cross-border operations, the practical question is whether to maintain separate UK and EU DPIA processes or adopt the EDPB template as a single standard. Adopting the EDPB template for all DPIAs has the advantage of consistency and avoids duplication. The ICO has not indicated that a DPIA structured using the EDPB template would be insufficient for UK GDPR purposes, provided it covers the Article 35 requirements. If you are assessing the impact of a new product launch or AI deployment on your data protection obligations, see our guidance on AI and data governance.
The consultation deadline of 9 June 2026 is relevant for UK industry bodies and operators with EU-facing operations. Responses can be submitted via the EDPB consultation page. The EDPB has confirmed that all submissions will be published on its website.
Viewpoint
The EDPB template’s separation of design risk from incident risk is its strongest feature. In practice, most DPIAs we review for telecoms and fintech clients collapse these two categories into a single risk matrix. The result is that design choices (what data to collect, how long to retain it, what automated decisions to make) get assessed alongside operational risks (breach, system failure) without any framework for asking whether the design itself is proportionate. The EDPB template corrects this. It forces controllers to justify the processing architecture before they move to operational safeguards.
For UK practitioners, the pragmatic answer is to adopt the EDPB template for dual-regime DPIAs (processing that engages both UK GDPR and EU GDPR) and to use it as a best-practice benchmark for UK-only assessments. The ICO’s DPIA guidance is under review following the DUAA 2025 and may evolve, but Article 35 UK GDPR is not changing. A DPIA that satisfies the EDPB structure will satisfy the ICO. The risk runs the other way: a DPIA built only to the ICO’s screening checklist may not meet the expectations of an EU supervisory authority conducting a cross-border enforcement investigation.
Key sources
- EDPB announcement: DPIA template adopted (14 April 2026)
- EDPB public consultation page (deadline 9 June 2026)
- UK GDPR, Article 35 (data protection impact assessment)
- ICO DPIA guidance
- Data (Use and Access) Act 2025
- Bratby Law: DPIA advice
Next steps
For advice on conducting DPIAs for new products, AI deployments, or cross-border data flows, contact Rob Bratby at Bratby Law. We advise telecoms operators, payments firms, and technology companies on data protection compliance under both UK and EU regimes.
