
How to Conduct a GDPR-Compliant DPIA in 2026


Introduction

A DPIA is a legal obligation for high-risk data processing under GDPR. It helps identify and minimize risks to individuals' rights and freedoms. This tutorial provides a progressive guide to conducting a complete and compliant DPIA using simple tools and reusable templates.

Prerequisites

  • Basic knowledge of GDPR
  • Access to a spreadsheet (Excel or Google Sheets)
  • Basic understanding of JSON and YAML
  • CNIL account or equivalent for official references

Data Processing Description Template

aipd-description.json
{
  "nomTraitement": "Gestion des clients CRM",
  "finalite": "Suivi des ventes et fidélisation",
  "categoriesDonnees": ["Nom", "Email", "Historique achats"],
  "baseJuridique": "Consentement",
  "dureeConservation": "3 ans",
  "destinataires": ["Service commercial", "Sous-traitant CRM"]
}

This JSON file structures the essential information about the processing activity. It serves as the foundation for any DPIA and facilitates sharing with teams.

Step 1: Data Mapping

Start by precisely describing the data flow. Use the previous JSON template to document each element in a structured and comprehensive manner.
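The data-mapping step is only useful if the description file is actually complete and concrete, so the following added example (not part of the tutorial's own tooling) validates an aipd-description.json before it becomes the foundation of the DPIA. It checks that every field of the template is present and non-empty, that the legal basis is one of the six GDPR Article 6(1) bases (in an assumed French spelling), that the retention period is a concrete duration rather than a vague phrase, and it flags two points a reviewer would want noted: Article 9 special categories among the data, and a processor ("sous-traitant") among the recipients. The sample inputs are constructed; the second one is deliberately vague.

```python
import json
import re

# Constructed sample: the aipd-description.json shown above, embedded inline
# so the example runs offline.
DESCRIPTION_JSON = """{
  "nomTraitement": "Gestion des clients CRM",
  "finalite": "Suivi des ventes et fidélisation",
  "categoriesDonnees": ["Nom", "Email", "Historique achats"],
  "baseJuridique": "Consentement",
  "dureeConservation": "3 ans",
  "destinataires": ["Service commercial", "Sous-traitant CRM"]
}"""

# Constructed counter-example: vague legal basis and retention, health data.
VAGUE_DESCRIPTION_JSON = """{
  "nomTraitement": "Suivi médical des salariés",
  "finalite": "Gestion des arrêts de travail",
  "categoriesDonnees": ["Nom", "Santé"],
  "baseJuridique": "Intérêt",
  "dureeConservation": "tant que nécessaire",
  "destinataires": ["Service RH"]
}"""

# Every field of the template, with the JSON type it must carry.
REQUIRED_FIELDS = {
    "nomTraitement": str,
    "finalite": str,
    "categoriesDonnees": list,
    "baseJuridique": str,
    "dureeConservation": str,
    "destinataires": list,
}

# The six legal bases of GDPR Article 6(1); the French labels are an assumed
# convention for the "baseJuridique" field, not something the template fixes.
LEGAL_BASES = {
    "Consentement", "Contrat", "Obligation légale",
    "Intérêt vital", "Mission d'intérêt public", "Intérêt légitime",
}

# GDPR Article 9 special categories (French labels, assumed convention).
SPECIAL_CATEGORIES = {
    "Santé", "Origine ethnique", "Opinions politiques", "Religion",
    "Appartenance syndicale", "Génétique", "Biométrie", "Orientation sexuelle",
}

# A concrete retention period: a number followed by days, months or years.
RETENTION_RE = re.compile(r"^\d+\s+(jours?|mois|ans?)$")


def validate_description(text):
    """Return (errors, notes). Errors block the DPIA; notes are reminders
    the assessor must address in later steps."""
    errors, notes = [], []
    try:
        desc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"], notes

    for field, ftype in REQUIRED_FIELDS.items():
        value = desc.get(field)
        if not isinstance(value, ftype) or not value:
            errors.append(f"{field}: missing or not a non-empty {ftype.__name__}")

    basis = desc.get("baseJuridique")
    if isinstance(basis, str) and basis not in LEGAL_BASES:
        errors.append(f"baseJuridique: {basis!r} is not an Article 6(1) basis")

    retention = desc.get("dureeConservation")
    if isinstance(retention, str) and not RETENTION_RE.match(retention):
        errors.append("dureeConservation: state a concrete duration such as '3 ans'")

    categories = desc.get("categoriesDonnees") or []
    if SPECIAL_CATEGORIES & set(categories):
        notes.append("special categories present: record the Article 9 condition relied on")

    recipients = desc.get("destinataires") or []
    if any("sous-traitant" in str(d).lower() for d in recipients):
        notes.append("processor among recipients: confirm the Article 28 contract exists")

    return errors, notes


if __name__ == "__main__":
    for label, sample in (("CRM", DESCRIPTION_JSON), ("RH", VAGUE_DESCRIPTION_JSON)):
        errors, notes = validate_description(sample)
        print(label, "errors:", errors, "notes:", notes)
```

Run against the tutorial's own sample the checker reports no errors and one note (the CRM processor); the vague sample fails on its legal basis and retention period and gets an Article 9 reminder. Extend REQUIRED_FIELDS if you add fields to the template.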

YAML Risk Template

risques-aipd.yaml
risques:
  - id: R001
    description: Accès non autorisé aux données
    probabilite: 3
    impact: 4
    mesureMitigation: "Chiffrement AES-256 et authentification MFA"
  - id: R002
    description: Perte de données
    probabilite: 2
    impact: 5
    mesureMitigation: "Sauvegardes quotidiennes chiffrées"

This YAML file allows you to list risks in a readable and versionable way. It is easy to integrate into project management tools.

Risk Evaluation Script

eval_risques.py
# Risk register: the same two entries as risques-aipd.yaml, with short keys
risques = [
    {"id": "R001", "prob": 3, "impact": 4},
    {"id": "R002", "prob": 2, "impact": 5}
]
for r in risques:
    # Score = likelihood x impact; a score above 12 is rated "Élevé"
    score = r["prob"] * r["impact"]
    print(f"{r['id']}: Score = {score} - {'Élevé' if score > 12 else 'Modéré'}")

This Python script automatically calculates the risk score. It helps prioritize mitigation measures in an objective manner.

Step 2: Evaluation and Mitigation

Calculate risk scores and define corrective measures. Document each decision to demonstrate compliance.

Stakeholder Consultation Template

consultation.json
{
  "dateConsultation": "2026-03-15",
  "participants": ["DPO", "Responsable SI", "Représentants utilisateurs"],
  "questions": ["Les données sont-elles minimisées ?", "Les consentements sont-ils traçables ?"],
  "conclusions": "Ajout d'une case à cocher explicite"
}

This JSON template records exchanges with stakeholders, which is mandatory for complex DPIAs.

Final Summary File

synthese-aipd.md
# Synthèse AIPD

**Traitement** : Gestion CRM
**Risque résiduel** : Modéré
**Date validation** : 2026-04-01

## Mesures retenues
- Chiffrement systématique
- Formation annuelle des équipes
- Audit tous les 18 mois

This Markdown document serves as the executive summary to keep and submit to the CNIL if required.
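The scoring script in Step 2 stops at the initial score, while the summary file reports a residual risk. The following added example (not part of the tutorial) joins the two: it re-scores each risk once its mitigation measure is applied, refuses out-of-range or implausible values (a residual score higher than the initial one), sorts by what still needs attention, and renders the synthèse-aipd.md from the data instead of by hand. The register is the tutorial's YAML embedded as Python data so it runs without a YAML library; the "probResiduelle" and "impactResiduel" fields are assumptions added for the residual assessment, and the thresholds reuse eval_risques.py (above 12 is "Élevé").

```python
# Constructed register mirroring risques-aipd.yaml. The two residual fields
# are assumed additions: likelihood and impact re-scored after mitigation.
RISQUES = [
    {"id": "R001", "description": "Accès non autorisé aux données",
     "probabilite": 3, "impact": 4,
     "mesureMitigation": "Chiffrement AES-256 et authentification MFA",
     "probResiduelle": 1, "impactResiduel": 4},
    {"id": "R002", "description": "Perte de données",
     "probabilite": 2, "impact": 5,
     "mesureMitigation": "Sauvegardes quotidiennes chiffrées",
     "probResiduelle": 1, "impactResiduel": 2},
]

SCALE = range(1, 6)  # likelihood and impact are scored 1..5 (assumed scale)


def niveau(score):
    """Same threshold as eval_risques.py: above 12 is 'Élevé', else 'Modéré'."""
    return "Élevé" if score > 12 else "Modéré"


def evaluer(risques):
    """Score every risk before and after mitigation, rejecting bad input."""
    resultats = []
    for r in risques:
        for key in ("probabilite", "impact", "probResiduelle", "impactResiduel"):
            if r[key] not in SCALE:
                raise ValueError(f"{r['id']}: {key}={r[key]} is outside 1..5")
        brut = r["probabilite"] * r["impact"]
        residuel = r["probResiduelle"] * r["impactResiduel"]
        # A measure cannot make a risk worse; a higher residual is a data error.
        if residuel > brut:
            raise ValueError(f"{r['id']}: residual score {residuel} exceeds initial {brut}")
        resultats.append({**r,
                          "scoreBrut": brut, "niveauBrut": niveau(brut),
                          "scoreResiduel": residuel, "niveauResiduel": niveau(residuel)})
    # Highest residual score first: this is what remains to be treated or accepted.
    return sorted(resultats, key=lambda x: x["scoreResiduel"], reverse=True)


def risque_residuel_global(resultats):
    """The residual level reported in the summary is the worst remaining risk."""
    return niveau(max(x["scoreResiduel"] for x in resultats))


def synthese_markdown(traitement, resultats, date_validation):
    """Render the executive summary in the layout of synthese-aipd.md."""
    lines = [
        "# Synthèse AIPD", "",
        f"**Traitement** : {traitement}  ",
        f"**Risque résiduel** : {risque_residuel_global(resultats)}  ",
        f"**Date validation** : {date_validation}", "",
        "## Risques", "",
        "| ID | Score initial | Score résiduel | Niveau résiduel |",
        "|----|---------------|----------------|-----------------|",
    ]
    for x in resultats:
        lines.append(f"| {x['id']} | {x['scoreBrut']} | {x['scoreResiduel']} | {x['niveauResiduel']} |")
    lines += ["", "## Mesures retenues"]
    lines += [f"- {x['id']} : {x['mesureMitigation']}" for x in resultats]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(synthese_markdown("Gestion CRM", evaluer(RISQUES), "2026-04-01"))
```

With the register above, R001 scores 12 initially (still "Modéré" under the script's threshold) and 4 after mitigation, R002 drops from 10 to 2, and the summary therefore reports a residual risk of "Modéré", matching the hand-written synthèse. Keeping the register as data and regenerating the summary on every change is also how the "update the DPIA with every significant change" practice becomes routine rather than a chore.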

Best Practices

  • Document every step in a traceable and timestamped manner
  • Involve the DPO from the start of the project
  • Update the DPIA with every significant change to the processing
  • Keep successive versions for at least 5 years
  • Prioritize automated technical measures when possible

Common Mistakes to Avoid

  • Omitting residual risk evaluation after mitigation
  • Using overly generic descriptions without concrete data
  • Ignoring consultation with data subjects
  • Failing to update the DPIA after an incident or change

Further Reading

Consult the official CNIL guide on DPIAs and explore our Learni training courses to deepen your GDPR compliance knowledge.