# Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) helps organisations identify, assess, and reduce privacy risks associated with processing personal data. DPIAs are commonly used to evaluate high-risk processing activities, document mitigation measures, and maintain compliance with privacy regulations.

In Sprinto, the DPIA module helps you:

* Create and manage DPIA assessments
* Assign owners and approvers
* Run structured workflows
* Collect assessment information through forms
* Map privacy risks and mitigation actions
* Track approvals and task progress
* Generate DPIA reports for audit and compliance purposes

The DPIA module is available under the Data Library section.

***

## How DPIA Works

Sprinto uses workflow-driven assessments to manage the complete DPIA lifecycle.

A typical DPIA workflow includes:

1. Creating a DPIA assessment
2. Assigning owners and approvers
3. Running a workflow
4. Completing assessment forms
5. Mapping privacy risks
6. Reviewing mitigation actions
7. Completing approvals
8. Generating reports

As workflow tasks are completed, Sprinto automatically generates the next set of tasks based on the workflow configuration.

***

## Create a DPIA Assessment

To create a DPIA assessment:

1. Log in to your Sprinto dashboard.
2. Go to **Data Library**.
3. Select **DPIA**.
4. Click **Create DPIA**.

<figure><img src="/files/GOzqr6Snjq1jsA4FdX9d" alt="" width="563"><figcaption></figcaption></figure>

5. Enter the following details:
   * Assessment name
   * Description (optional)
   * Department (optional)
   * Owner
   * Approver
6. Click **Create**.

<figure><img src="/files/y2Mk0TEBjdQQB2JRlI3X" alt="" width="375"><figcaption></figcaption></figure>

The new DPIA assessment appears in the assessment list with a status of **Not Started**.

***

## Configure and Run a Workflow

After creating a DPIA, you must run a workflow to begin the assessment process.

To run a workflow:

1. Open the DPIA assessment.
2. Review the assessment overview.
3. Select a workflow appropriate for your organisation’s process.
4. Click **Run Workflow**.

<figure><img src="/files/oUkA72NSIg4tXPgWZYOX" alt="" width="563"><figcaption></figcaption></figure>

Once the workflow starts, Sprinto automatically creates the first task defined in the workflow and lists it in the **Tasks** tab. Workflow tasks may include:

* Form submissions
* User approvals
* Risk mapping activities
* Mitigation tasks
* Manual review steps
* Evidence collection tasks

Workflow progression depends on the completion of earlier tasks and configured workflow conditions.

<figure><img src="/files/HLEMM2uKCvWLxlebam2A" alt="" width="563"><figcaption></figcaption></figure>

***

## Complete DPIA Tasks

Sprinto supports multiple task types within a DPIA workflow. Depending on the configured workflow block, users may need to complete forms, map risks, create mitigation tasks, or review approvals.

#### Complete a Form-Based Task

Form tasks are used to collect assessment information during the DPIA process.

To complete a form task:

1. Open the task from the **Tasks** tab.
2. Click **Fill Form**.

<figure><img src="/files/4sCAUFSvYBawOwlH6ROM" alt="" width="375"><figcaption></figcaption></figure>

3. Enter the required information.
4. Use **Next** to move through multipart forms if applicable.
5. Click **Submit**.
6. Return to the task details panel.
7. Click **Mark task as complete**.

<figure><img src="/files/3Ed0aJG9H9yKXwnjEpAa" alt="" width="375"><figcaption></figcaption></figure>

Sprinto updates the task status after submission and automatically progresses the workflow.

***

#### Complete a Risk Mapping Task

Risk mapping tasks allow you to associate relevant risks with the DPIA assessment.

To map risks:

1. Open the task for mapping risks.
2. Click **Add risks**.

<figure><img src="/files/pjGTHa8cVa7YuMrf7Jua" alt="" width="375"><figcaption></figcaption></figure>

3. Browse or search for risks from the risk register.
4. Select the risks you want to associate with the DPIA.
5. Click **Save mapping**.

<figure><img src="/files/FYzQupUKARNCYQlDh9Em" alt="" width="563"><figcaption></figcaption></figure>

6. Return to the task details panel.
7. Click **Mark task as complete**.

<figure><img src="/files/hCjAYTomVmWFhlPZunuj" alt="" width="375"><figcaption></figcaption></figure>

Mapped risks are displayed within the task for future review and reporting.

You can also modify mapped risks later by clicking **Edit risks**, updating the selected risks, and then clicking **Save mapping** again.

***

#### Complete a Mitigation Task

Mitigation tasks help teams track remediation or follow-up activities related to identified risks.

To create a mitigation task:

1. Open the task.
2. Click **Create task**.

<figure><img src="/files/8VOWwk6MWn0BLCOkOMnx" alt="" width="375"><figcaption></figcaption></figure>

3. Enter the following details:
   * Task name
   * Assignee
   * Due date
   * Description
4. Upload supporting attachments if required.
5. Click **Add task**.

<figure><img src="/files/7SDASWkjA865LMXvXnpV" alt="" width="375"><figcaption></figcaption></figure>

You can repeat this process to create multiple mitigation tasks for the DPIA assessment.

After all required mitigation tasks are added:

1. Return to the task details panel.
2. Click **Mark task as complete**.

<figure><img src="/files/bE3rJNNO2UTysdT8N0Mo" alt="" width="375"><figcaption></figcaption></figure>

Sprinto tracks all created mitigation tasks within the DPIA workflow.

***

#### Complete an Approval Task

Approval tasks are used to review and approve DPIA assessments before closure or report generation.

To complete an approval task:

1. Open the approval task from the **Tasks** tab.
2. Review the assessment details and previously completed workflow information.
3. Add comments or attachments if required.
4. Click **Mark task as complete**.

<figure><img src="/files/LKrZx1npDDqk54e12Kzf" alt="" width="375"><figcaption></figcaption></figure>

Approval tasks are typically assigned to designated approvers or reviewers configured in the workflow.

***

## Add Notes and Attachments

You can add context to workflow tasks by attaching files or including completion notes.

To add supporting information:

1. Open the relevant task.
2. Use the attachment option to upload files.
3. Add comments or completion notes if required.
4. Save or submit the task.

Attachments help maintain evidence and supporting documentation for audits and internal reviews.

***

## Review Mapped Risks

The **Risks** tab displays all risks mapped during the DPIA workflow.

This section helps teams:

* Review mapped privacy and security risks.
* Validate associated risk descriptions.
* Track risks linked to the DPIA assessment.
* Maintain visibility into identified exposure areas.

<figure><img src="/files/G19hInL8rvkF7wVbKFwd" alt="" width="563"><figcaption></figcaption></figure>

All risks added through the **Map risks to DPIA** task automatically appear in this section.

***

## Manage DPIA Documents

The **Documents** tab stores all files associated with the DPIA assessment.

This includes:

* Files uploaded during workflow tasks
* Supporting evidence
* External assessments
* Signed documents
* Additional compliance records

To manually upload a document:

1. Open the **Documents** tab.
2. Click **Add document**.

<figure><img src="/files/n6dpECANgESmhsg0VJuZ" alt="" width="563"><figcaption></figcaption></figure>

3. Upload the required file.
4. Click **Add document** again to confirm the upload.

<figure><img src="/files/HZojT06cNGGq7N4lLzTU" alt="" width="375"><figcaption></figcaption></figure>

Uploaded documents appear in the document list with their source information.

From this section, you can:

* Download uploaded files
* Delete documents
* Review uploaded evidence associated with the DPIA

***

## Generate and Download DPIA Reports

The **Reports** tab displays all reports generated for the DPIA assessment.

Generated reports include workflow information such as:

* Assessment details
* Form responses
* Risk mappings
* Mitigation activities
* Approval history
* Decision records
* Supporting evidence

The Reports tab also displays:

* Report name
* Generation date
* User who generated the report

To download a generated report:

1. Open the **Reports** tab.
2. Locate the required report.
3. Click **Download Report**.

<figure><img src="/files/yCDjEFecCpSHIL1kXVjL" alt="" width="563"><figcaption></figcaption></figure>

Reports can be used for audits, compliance reviews, and internal governance documentation.

***

## Monitor Workflow Progress

Sprinto continuously tracks workflow execution and task progression.

The DPIA dashboard helps you monitor:

* Assessment status
* Task completion progress
* Pending approvals
* Assigned users
* Workflow stages
* Completed activities

Task assignees also receive email notifications for pending workflow actions and approvals.

***

## Features

<table><thead><tr><th width="253.15234375">Feature</th><th>Description</th></tr></thead><tbody><tr><td>Workflow-driven assessments</td><td>Automate the DPIA lifecycle using configurable workflows</td></tr><tr><td>Dynamic task generation</td><td>Automatically create tasks based on workflow progression</td></tr><tr><td>Multipart forms</td><td>Collect structured assessment information across multiple stages</td></tr><tr><td>Risk mapping</td><td>Identify and document privacy risks and mitigation actions</td></tr><tr><td>Approval workflows</td><td>Configure sequential approvals and review processes</td></tr><tr><td>Role-based assignments</td><td>Assign workflow tasks to users or roles</td></tr><tr><td>Evidence management</td><td>Upload attachments and supporting documents</td></tr><tr><td>Email notifications</td><td>Notify assignees about pending tasks and approvals</td></tr><tr><td>DPIA reporting</td><td>Generate structured reports for audits and compliance</td></tr></tbody></table>

***

## FAQs

#### 1. What is a DPIA?

A DPIA (Data Protection Impact Assessment) is a process used to identify and reduce privacy risks associated with processing personal data.

#### 2. Who can create a DPIA in Sprinto?

Users with access to the DPIA module in the Data Library section can create and manage assessments.

#### 3. Can I customise DPIA workflows?

Yes. Workflow configuration can vary based on your organisation’s internal assessment and approval processes.

#### 4. Are approvals supported in DPIA workflows?

Yes. Sprinto supports workflow approvals assigned to users or roles.

#### 5. Can I upload evidence or supporting documents?

Yes. You can upload attachments and add completion notes to workflow tasks.

#### 6. Does Sprinto support multipart forms?

Yes. DPIA workflows can include multipart forms with multiple sections and steps.

#### 7. Are email notifications sent for pending tasks?

Yes. Sprinto sends email notifications to workflow task assignees.

#### 8. Can I generate DPIA reports?

Yes. Sprinto can generate DPIA reports containing assessment details, risks, approvals, and supporting information.

***

## Glossary

<table><thead><tr><th width="172.69921875">Term</th><th>Description</th></tr></thead><tbody><tr><td>DPIA</td><td>Data Protection Impact Assessment used to evaluate privacy risks in data processing activities</td></tr><tr><td>Workflow</td><td>A configured sequence of tasks, approvals, and assessment steps</td></tr><tr><td>Task</td><td>An individual action assigned as part of a workflow</td></tr><tr><td>Risk Mapping</td><td>The process of identifying and associating risks with processing activities</td></tr><tr><td>Mitigation Action</td><td>A control or remediation step used to reduce identified risks</td></tr><tr><td>Approver</td><td>A user responsible for reviewing and approving workflow stages</td></tr><tr><td>Assessment Owner</td><td>The primary user responsible for managing the DPIA</td></tr><tr><td>Multipart Form</td><td>A form divided into multiple sections or steps</td></tr><tr><td>Evidence</td><td>Supporting files or documentation attached to workflow tasks</td></tr></tbody></table>


