☐ explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;

☐ structured the document clearly, systematically and logically;

☐ written the DPIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;

☐ set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;

☐ ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;

☐ explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);

☐ explained how we plan to support the relevant information rights of our data subjects;

☐ identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;

☐ explained sufficiently how any proposed mitigation reduces the identified risk in question;

☐ evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them; 

☐ given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;

☐ attached are any relevant additional documents we reference in our DPIA, e.g. Privacy Notices, consent documents;

☐ recorded the advice and recommendations of our DPO (where relevant) and ensured the DPIA is signed off by the appropriate people;

☐ agreed and documented a schedule for reviewing the DPIA regularly or when we change the nature, scope, context or purposes of the processing;

☐ consulted the ICO if there are residual high risks we cannot mitigate