[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsmN7BEeJgiGbMVOIrkIaQBJFPs2xuDkaPScnAr5rxMQ":3},{"sections":4,"resultAnalysis":326,"id":389,"version":390,"newVersion":22,"label":8,"isPinned":22,"isShared":46,"sharingToken":391,"isRevision":22,"isBlockAnalysisShared":46,"nbReferences":11,"referenceId":9,"nbResponses":11,"parentId":9,"revisionDescription":9,"logoUrl":392,"description":393,"scheduleIntervalDays":9,"versionNumber":29,"dateCreation":394,"dateUpdate":395,"dateArchived":9,"archived":22,"type":396,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":396,"creator":397,"objectType":405,"objectTypeIndex":36,"objectTypeColor":406,"objectTypeIcon":407,"objectTypeText":408,"defaultOwners":409,"tags":411,"privacyHubs":9,"nbQuestions":425,"nbQuestionsRequired":11,"nbDatas":11,"deadLineDays":9},[5],{"id":6,"slug":7,"label":8,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":13,"questions":14,"sections":325},"66952800-8632-4b09-9b0d-ee51d0037a00","initial","ICO “Have we written a good DPIA?” checklist",null,"Default",0,"SectionType_Default","\u003Cp>This checklist \u003Cstrong>helps evaluate the quality and completeness of a Data Protection Impact Assessment (DPIA)\u003C/strong>, ensuring it is clear, thorough, and demonstrates compliance with UK GDPR requirements. More information on: \u003Ca href=\"https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/\">https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/\u003C/a>\u003C/p>\u003Cp>\u003Cem>This checklist is provided for general guidance only and does not constitute legal advice. Completing it does not replace a full risk assessment or professional legal consultation. Organisations remain responsible for ensuring compliance with the UK GDPR and for seeking expert advice where necessary.\u003C/em>\u003Cbr>\u003Cbr>A good DPIA helps you to evidence that:\u003C/p>\u003Cul>\u003Cli>\u003Cp>you have considered the risks related to your intended processing; and\u003C/p>\u003C/li>\u003Cli>\u003Cp>you have met your broader data protection obligations.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>This checklist will help ensure you have written a good DPIA.\u003C/p>\u003Cp>We have:\u003C/p>",[15,47,66,85,103,121,140,158,177,195,213,231,250,269,288,307],{"id":16,"slug":17,"label":18,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":23,"displayConditions":9,"answers":24,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"002fc5fd-a2db-4c49-b658-fd51fb20f334","9285b254-7336-41a5-b154-d89ec127b079","confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;","Radio",7,"Unique choice list",false,[],[25,38],{"id":26,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":30},"1e0abe17-9872-470a-bc47-adaa195cbb52","#1ab586","Yes",1,[31],{"id":32,"label":33,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"694ef14f-1f09-4752-a8c2-de39662acf5d","Add a clear statement in the introduction with timeline details","","Medium",2,"#ffc107",{"id":39,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":42},"cac467af-e2ca-4a28-8c24-bcfca06d8d69","#dc3545","No",[43],{"id":44,"label":45,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"c3bc9688-2764-4eec-8e83-2381ceab96ee","Add an intro section clearly stating the DPIA type, scope, and dates of processi",true,{"id":48,"slug":49,"label":50,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":51,"displayConditions":9,"answers":52,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"f7fbcadc-5b05-4f77-8e07-226c12a5729c","260abb3d-e1c8-4e8d-b1d0-0d9c94989d6b","explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;",[],[53,59],{"id":54,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":55},"15dd2096-d7f2-42da-af04-df49040dafb9",[56],{"id":57,"label":58,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"bc4545c7-9791-45d3-bc5c-34dadc14a88f","Include explicit reference to ICO screening checklist criteria met.",{"id":60,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":61},"ce13dd49-2ab7-4a3e-b243-0f762ae953d5",[62],{"id":63,"label":64,"userId":9,"color":9,"description":65,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"5667731f-c375-4244-a418-c9ddb1c36a47","Reference the specific triggers from the ICO’s DPIA screening checklist","\u003Cp>Reference the specific triggers from the ICO’s DPIA screening checklist and link them to your processing.\u003C/p>",{"id":67,"slug":68,"label":69,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":70,"displayConditions":9,"answers":71,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"f704a16b-65c1-40ed-88e1-258ad23b121e","8a19d4a3-c5b3-4c00-aa9d-7ff51bd21fe9","structured the document clearly, systematically and logically;",[],[72,78],{"id":73,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":74},"2f1f5f2e-9013-4dda-9546-3910e85d2788",[75],{"id":76,"label":77,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"259885dc-71bf-4124-b164-639e847dcc78","Use numbered sections, headings, and a logical flow from scope to conclusion.",{"id":79,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":80},"c0b106e9-ecdd-4af2-b8bc-e0ba0ad28c8f",[81],{"id":82,"label":83,"userId":9,"color":9,"description":84,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"d38eaeb0-ca6f-4904-adb5-ea9744c1a0a0","Reorganise into sections","\u003Cp>Reorganise into sections: Introduction → Scope → Lawful Basis → Risks → Mitigation → Consultation  → Conclusion.\u003C/p>",{"id":86,"slug":87,"label":88,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":89,"displayConditions":9,"answers":90,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"64114ad5-f1b4-4f6e-af05-eb697c7d8e69","1b44702a-2952-42dd-936d-cba07eed47a0","written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;",[],[91,97],{"id":92,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":93},"9642f439-0ac5-47f7-828c-dd7f6d99147c",[94],{"id":95,"label":96,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"b8a44e2d-7329-4352-bfd8-94877b3eb348","Review for jargon; add a glossary if needed.",{"id":98,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":99},"9442ad8b-ec39-485e-8f0b-4e8ffbff7873",[100],{"id":101,"label":102,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"3e0800d3-1635-4d0f-8e01-9690cd8f0e29","Rewrite for a general audience, explain all acronyms, and include a glossary.",{"id":104,"slug":105,"label":106,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":107,"displayConditions":9,"answers":108,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"77bfada8-c858-43f5-9e16-3f10a6867457","ea685ff9-96a3-4b39-9164-79be3e528a06","set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;",[],[109,115],{"id":110,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":111},"9b96f7be-a051-400d-8424-4661048bb6b7",[112],{"id":113,"label":114,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"d40bcf8d-3e16-4184-bb84-e40a6a9d4568","Add a simple visual data flow chart.",{"id":116,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":117},"35f042ef-8719-497e-8959-eb42386c0a85",[118],{"id":119,"label":120,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"46c31d74-c697-4a79-a3af-841ac9a60031","Create a diagram and add a narrative description of roles and responsibilities.",{"id":122,"slug":123,"label":124,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":125,"displayConditions":9,"answers":126,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"f3f8dfb4-b6a8-43ae-b195-f5a232f37f05","561225dc-0805-4fbc-8153-d27cbcd2dc3f","ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;",[],[127,133],{"id":128,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":129},"54e49fbc-54f0-400d-97ae-fec169731dc8",[130],{"id":131,"label":132,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"b6696475-99c1-41d5-a7ec-da9a58e3e501"," Include direction, frequency, and transfer safeguards.",{"id":134,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":135},"64999dbf-245a-452e-96d2-a325e8e52515",[136],{"id":137,"label":138,"userId":9,"color":9,"description":139,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"5738671f-387a-410d-ad8d-f4ac363892b8","Map flows step-by-step","\u003Cp>Map flows step-by-step, noting direction, frequency, and safeguards for cross-border transfers.\u003C/p>",{"id":141,"slug":142,"label":143,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":144,"displayConditions":9,"answers":145,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"83a45f11-96e2-4869-b6c9-db05ce5789c8","93e40fda-b76c-4aa7-b4ff-c64730374625","explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);",[],[146,152],{"id":147,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":148},"be4cdcf9-3fa8-4313-9e73-a75106c5b730",[149],{"id":150,"label":151,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"5cbfaa03-c5ad-421b-8429-866c60f0a050","Map each principle to specific DPIA measures.",{"id":153,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":154},"d15b23da-1e78-4a52-a6f7-3e0dc61c3a0f",[155],{"id":156,"label":157,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"743ab6cd-c642-4d33-a4e1-6d73f2c8b3ab"," Add a table linking each principle to measures taken, and state the legal basis",{"id":159,"slug":160,"label":161,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":162,"displayConditions":9,"answers":163,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"c0322d5f-faf4-49a3-80ca-76fcd2b88447","ba0ec278-d817-493c-8fc2-7dc9646ffe3c","explained how we plan to support the relevant information rights of our data subjects;",[],[164,170],{"id":165,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":166},"09d3b5c9-8831-4170-9352-945684e809eb",[167],{"id":168,"label":169,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"110d265f-2995-4009-a0d5-0e4367652023","Reference relevant procedures (e.g. DSAR handling, objection processes).",{"id":171,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":172},"0e0ca4de-7c67-4f5c-bb69-71170f3d8c4a",[173],{"id":174,"label":175,"userId":9,"color":9,"description":176,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"4d5e1bdf-4376-42e3-9ae9-53ec48d3dccc","Document Data Subject Rights handling","\u003Cp>Document DSAR handling, right to erasure process, objection handling, and communication timelines.\u003C/p>",{"id":178,"slug":179,"label":180,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":181,"displayConditions":9,"answers":182,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"ae9c8c75-97b2-4191-8256-9098e0c60176","1a46da61-4a46-4d62-a3f9-3ac322722d54","identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;",[],[183,189],{"id":184,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":185},"5e7adc33-e61c-4299-8bbd-2a2727db5ccc",[186],{"id":187,"label":188,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"6f22c44c-65cd-4608-b457-4dc1caf8b478","Use a risk register or matrix.",{"id":190,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":191},"ae8fe58b-d3ad-42d5-8e2b-86858a12844e",[192],{"id":193,"label":194,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"49fe271c-2317-437d-82e0-d0c9964f010d","Create a risk register, assess likelihood and severity, and categorise each risk",{"id":196,"slug":197,"label":198,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":199,"displayConditions":9,"answers":200,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"7ed2b6d9-f968-4704-912f-2b315fc929ac","bd5fda61-01d5-483e-8f9c-4ad42e144e1c","explained sufficiently how any proposed mitigation reduces the identified risk in question;",[],[201,207],{"id":202,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":203},"8a72f72b-1ba7-4ff7-bff5-535eb2bb89d3",[204],{"id":205,"label":206,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"42b874c9-d16a-44d6-8643-1e54fb7f04a2","Provide before/after risk scores.",{"id":208,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":209},"28257eed-acb3-4611-9580-3ca2a7aeadb9",[210],{"id":211,"label":212,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"fb155c5d-640f-48b0-ac67-3fbd5db188b5","For each risk, show before/after scores and explain the effect of each control.",{"id":214,"slug":215,"label":216,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":217,"displayConditions":9,"answers":218,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"91acf92c-ef44-4754-8e1c-6015ef7ad058","bcea92e6-50a8-4ab6-8f11-d18fb1df6a4b","evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them; ",[],[219,225],{"id":220,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":221},"af4b205b-fb15-4b0d-bc00-444146952141",[222],{"id":223,"label":224,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"37785a6c-fc70-46ec-a021-4aab90c18a44","Document alternative options analysis.",{"id":226,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":227},"f6ef855d-6a92-44b3-b800-05d465ce9c87",[228],{"id":229,"label":230,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"cb2a9894-88da-4660-ba81-b8db0b62a8c6","Document at least one alternative approach and justify why it was not chosen.",{"id":232,"slug":233,"label":234,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":235,"displayConditions":9,"answers":236,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"4ab65285-1c26-4036-8563-4cee639fd2da","01f23b1d-37be-44f8-86f3-2ba14e6010f7","given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;",[],[237,243],{"id":238,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":239},"6287bd64-5d5b-40eb-bca8-d31788afd97f",[240],{"id":241,"label":242,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"36438111-60b6-4552-9c53-97959e47bb84","Include date, participants, and key feedback points.",{"id":244,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":245},"3df1f8d5-3d1d-4dfc-8df9-b9f49ad5a9ac",[246],{"id":247,"label":248,"userId":9,"color":9,"description":249,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"43bdb599-8e7b-461a-9ed4-0821517d4bfa","Engage data subjects, DPO, or representative bodies","\u003Cp>Engage data subjects, DPO, or representative bodies; summarise key feedback and dates.\u003C/p>",{"id":251,"slug":252,"label":253,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":254,"displayConditions":9,"answers":255,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"45b0d5a1-5b81-45d8-820a-e68d296bc9b3","cf554dee-b790-4d48-8ad1-cb6936c80713","attached any relevant additional documents we reference in our DPIA, e.g. Privacy Notices, consent documents;",[],[256,262],{"id":257,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":258},"deb4b1cd-00cd-4c28-b895-39ef7a266704",[259],{"id":260,"label":261,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"13753e32-fd58-4ee1-aa09-a50551225ca9","Add these as appendices or links.",{"id":263,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":264},"fb4c8b76-3e6e-42a8-8509-0eb884e1149e",[265],{"id":266,"label":267,"userId":9,"color":9,"description":268,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"8ba7275e-7dc3-455c-924d-bdc5f91806ef","Append privacy notices, consent forms, data processing agreements and policies","\u003Cp>Append privacy notices, consent forms, data processing agreements, and relevant policies.\u003C/p>",{"id":270,"slug":271,"label":272,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":273,"displayConditions":9,"answers":274,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"3b732e95-66ab-4e23-90bf-99161fa717a9","a61620e3-9fe3-46cd-b7c1-099c76d785f0","recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people;",[],[275,281],{"id":276,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":277},"f0aa69df-cd85-428c-9d30-1c9a0c1ac4a4",[278],{"id":279,"label":280,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"de396a9c-0350-44a8-b686-0f6eee812b75","Include DPO’s written comments and sign-off sheet.",{"id":282,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":283},"33afbe20-1c4d-42f5-a69d-6d042b2f1da6",[284],{"id":285,"label":286,"userId":9,"color":9,"description":287,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"637a99d7-01f0-4f9c-b9f7-708e6c7fb8b2","Seek formal review from DPO and managerial sign-off.","\u003Cp>Seek formal review from DPO; include their written advice and obtain managerial sign-off.\u003C/p>",{"id":289,"slug":290,"label":291,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":292,"displayConditions":9,"answers":293,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"da51d465-2923-46d0-8aa9-cb51cc92bb3c","06b62221-6860-4d3f-a168-5c07e095ca5a","agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing;",[],[294,300],{"id":295,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":296},"4ace1591-a1c0-40b3-b888-ab94e46e2aeb",[297],{"id":298,"label":299,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"0b7d8396-bc53-4326-9452-7ea582956b71","Set specific review intervals or triggers.",{"id":301,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":302},"1db6014c-c1b6-427e-b887-110967b04d60",[303],{"id":304,"label":305,"userId":9,"color":9,"description":306,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"cb12d847-e257-4af0-81c6-95cd326678ff","Set a review date (e.g., annually or after significant change) ","\u003Cp>Set a review date (e.g., annually or after significant change) and note triggers for re-assessment.\u003C/p>",{"id":308,"slug":309,"label":310,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":19,"typeIndex":20,"typeColor":9,"typeIcon":9,"typeText":21,"dynamicSelectType":9,"editableOptions":22,"complianceRules":311,"displayConditions":9,"answers":312,"listQuestions":9,"required":22,"requiredJustification":22,"suggestTask":22,"riskEnabled":46,"native":22},"12b2bffc-db0a-4423-96a3-4753c6f68dbd","5f0ad2b2-c7dc-43bf-9561-c1209661b651","consulted the ICO if there are residual high risks we cannot mitigate.",[],[313,319],{"id":314,"color":27,"rangeValue":9,"label":28,"slug":9,"description":9,"score":29,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":315},"3a2a65cb-1428-4a65-b82f-d504a2d08d80",[316],{"id":317,"label":318,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"a68eb4d4-708b-4bb3-bbfb-5d912fe0b387","Keep ICO correspondence and advice on record.",{"id":320,"color":40,"rangeValue":9,"label":41,"slug":9,"description":9,"score":11,"nonApplicable":22,"tooltip":9,"goodAnswer":22,"redFlag":22,"impact":9,"probability":9,"taskSuggestions":321},"051646b6-791b-46fd-99d4-42ecbca5bef6",[322],{"id":323,"label":324,"userId":9,"color":9,"description":34,"priority":35,"priorityIndex":36,"priorityColor":37,"priorityIcon":9,"priorityText":35},"5596f002-458a-4ea5-ae0d-e8bbbd7a47aa","Prepare a risk summary, send to ICO, and document their response before processi",[],[327,345,363,376],{"id":328,"label":329,"variant":330,"variantIndex":331,"variantColor":332,"variantIcon":333,"variantText":330,"contentHtml":334,"displayConditions":335},"7acdf44f-316f-47d3-9427-5cf85dd1bae8","Poor-quality DPIA","Danger",3,"#DC3545","icon-alert-triangle","\u003Cul>\u003Cli>\u003Cp>Does not demonstrate adequate consideration of risks or compliance obligations.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Must revise before submission or reliance.\u003C/p>\u003C/li>\u003C/ul>",{"id":336,"separator":337,"field":9,"operator":338,"value":9,"rules":339},"b38328a2-e12a-485f-916a-c641e8ef30e1","And","equal",[340],{"id":341,"separator":9,"field":342,"operator":343,"value":20,"rules":344},"d3837710-3d91-476c-95ad-5c140a2658b2","score","lessThanInclusive",[],{"id":346,"label":347,"variant":348,"variantIndex":36,"variantColor":37,"variantIcon":349,"variantText":348,"contentHtml":350,"displayConditions":351},"478474b8-6bdc-4bc9-b443-0d75bb92e078","Moderate-quality DPIA","Warning","icon-alert-circle","\u003Cul>\u003Cli>\u003Cp>Covers core elements but lacks clarity or detail in some areas.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Revise targeted sections to strengthen compliance evidence.\u003C/p>\u003C/li>\u003C/ul>",{"id":352,"separator":337,"field":9,"operator":338,"value":9,"rules":353},"1214a5ad-55f6-4de5-9501-8f99fa40c6cb",[354,359],{"id":355,"separator":9,"field":342,"operator":356,"value":357,"rules":358},"e882d65f-a25f-4de7-bb02-18df37217177","greaterThanInclusive",8,[],{"id":360,"separator":9,"field":342,"operator":343,"value":361,"rules":362},"d1c9f00c-d209-4082-acde-0ae784a5d618",12,[],{"id":364,"label":365,"variant":366,"variantIndex":29,"variantColor":27,"variantIcon":367,"variantText":366,"contentHtml":368,"displayConditions":369},"70c76125-8260-4694-9b75-c54ab71e8cf0","High-quality DPIA","Success","icon-checkmark","\u003Cul>\u003Cli>\u003Cp>Clear, complete, and ICO-ready.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Continue with planned processing but maintain review schedule.\u003C/p>\u003C/li>\u003C/ul>",{"id":370,"separator":337,"field":9,"operator":338,"value":9,"rules":371},"6041d4f7-066c-4628-85fa-a3ee9d20498c",[372],{"id":373,"separator":9,"field":342,"operator":356,"value":374,"rules":375},"e5f507fa-c189-4c80-934a-3f68fc389511",13,[],{"id":377,"label":378,"variant":379,"variantIndex":11,"variantColor":380,"variantIcon":349,"variantText":381,"contentHtml":382,"displayConditions":383},"88a30fe2-5a32-453d-a99b-be266b413174","High-Risk Override: ICO Consultation Required Before Processing","Info","#1E8EE1","Information","\u003Cp>Regardless of score, if the last item \u003Cem>“consulted the ICO if there are residual high risks we cannot mitigate”\u003C/em> is not ticked when such risks exist, the DPIA is \u003Cstrong>incomplete\u003C/strong> and processing should not proceed.\u003C/p>",{"id":384,"separator":337,"field":9,"operator":338,"value":9,"rules":385},"ebfa27cd-d9f7-4c9d-81ed-cafe16ff7bb1",[386],{"id":387,"separator":9,"field":308,"operator":338,"value":320,"rules":388},"09c96776-8351-4b37-88a4-79555f9330d2",[],"bf3e063b-0773-4c89-fa41-08ddd8172e55","1.0","dogcRg2HfoZqZlefWPwOUfR8SLl6KQocISRocVTurqMu8gF89pDbok0Xv8No","https://static.dastra.eu/tenant-3/audit/iLJtqG15svgMpC/icon-audit500x-150-150.png","This checklist helps evaluate the quality and completeness of a Data Protection Impact Assessment (DPIA), ensuring it is clear, thorough, and demonstrates compliance with UK GDPR requirements. More information on: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/\n\nThis checklist is provided for general guidance only and does not constitute legal advice. Completing it does not replace a full risk assessment or professional legal consultation. Organisations remain responsible for ensuring compliance with the UK GDPR and for seeking expert advice where necessary.","2025-08-10T14:37:10.2146793","2025-12-01T14:31:40.5870419","Standard",{"id":398,"displayName":399,"familyName":400,"givenName":401,"email":402,"active":46,"color":403,"avatarUrl":404,"tenantId":11},38,"Paul-Emmanuel Bidault","Bidault","Paul-Emmanuel","paulemmanuel.bidault@dastra.eu","#FA4115","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","DataProcessing","#E7630A","ds-icon-data-processing","Processing activity",[410],{"id":398,"displayName":399,"familyName":400,"givenName":401,"email":402,"active":46,"color":403,"avatarUrl":404,"tenantId":11},[412,421],{"id":413,"label":414,"type":415,"typeIndex":416,"typeColor":417,"typeIcon":418,"typeText":419,"color":420},"ec674609-8b1a-4145-a815-7e0c2a6573ff","ICO","AuditTemplate",9,"#83d162","ds-icon-audit","Questionnaire template","#0CB8AE",{"id":422,"label":423,"type":415,"typeIndex":416,"typeColor":417,"typeIcon":418,"typeText":419,"color":424},"ff1dbf03-7561-4b63-996b-e899af94bb9a","PIA","#C75FFC",16]