What is a data protection impact assessment and why is it carried out?
The data protection impact assessment (DPIA) is more than just a formal requirement of the GDPR. It is a useful risk management tool for companies to assess the effectiveness of technical and organizational measures (TOM) for risky processing activities. When systematically integrated into the development of new, data-based products and services, a DPIA can not only identify potential privacy risks, but also promote the optimization of business processes and compliance with data protection regulations.
When a data protection impact assessment must be carried out
According to Art. 35 (1) of the General Data Protection Regulation (GDPR), a data protection impact assessment is required if data processing is "likely to result in a high risk to the rights and freedoms of natural persons." The initial assessment begins with a threshold analysis, a procedure that is carried out in two main steps:
- Review of the DPIA black list: First, it must be clarified whether the planned processing activity is on a supervisory authority list of processing operations requiring a DPIA. If this is the case, a data protection impact assessment is required immediately.
- Conducting a threshold analysis: If the processing activity is not on the black list, a threshold analysis is performed. This analysis answers nine specific questions that help identify potential risks to the rights and freedoms of the data subjects. If at least two of these questions are answered with "yes," a DPIA is generally required.
Reasons for DPIA documentation in Excel
The GDPR does not prescribe the manner, i.e., the format in which a DPIA must be carried out. It therefore makes sense to start by using applications and tools that are already in use at the company.
A spreadsheet program such as Excel provides a good basis for documenting all the steps required for a data protection impact assessment in a logical sequence. However, when using spreadsheets, data protection experts quickly reach their limits - more on that later.
First, we would like to show you what information about the data protection impact assessment can be documented in Excel and in what order.
Creating a DPIA in Excel: Step-by-step guide
Step 1: Check proportionality
For the DPIA, you must first check the necessity and proportionality of your processing activities with regard to their purposes, as required by Art. 35(7)(b) GDPR. It is not necessary to make a strict distinction between necessity and proportionality, as necessity is often already taken into account in the proportionality test.
It is best to log the following points in your Excel spreadsheet in consecutive rows. Use the following labels in column 1 and enter the content in the adjacent column:
- Legitimate purpose: Does the processing activity serve legitimate purposes?
- Suitability: Check whether these purposes are achieved or at least supported by the processing.
- Necessity: Are there perhaps less intrusive but equally effective ways of achieving these purposes?
- Proportionality: Ensure that the processing activity is proportionate when weighing up the interests of all parties involved - i.e., both the data subjects and the processing entity - and does not unduly interfere with the rights of the data subjects.
Step 2: Identify and assess risks
The GDPR does not provide any direct indication of what exactly it means by "risk." It is therefore a term that is relatively open to interpretation and one that must be read within the European legal framework. According to recitals 75 and 94 of the GDPR, a risk can be seen as the possibility that something will happen that is either directly harmful or could result in harm to one or more individuals.
According to Recital 75 of the GDPR, "damage" refers to all types of harm: whether physical (i.e., bodily), material (economic), or immaterial (social, personal, or legal).
You should document the risks in your Excel spreadsheet in such a way that they are structured according to the protection objectives (see also our blog article "The 7 protection goals of the standard data protection model and their effective use in companies").
Your list should contain the following information:
- Description of the risk, including the event, the source, and the possible damage (if necessary, also as separate columns in your table);
- Protection goal under consideration;
- Probability of occurrence (degree and justification);
- Amount of damage (degree and justification);
- Risk class (low/medium/high risk)
Good to know: In practice, a four-level scale (1 to 4) has become established for rating the probability of occurrence.
- Level 1 (minor): Cannot occur based on current knowledge.
- Level 2 (manageable): Can occur based on experience, but is unlikely.
- Level 3 (substantial): Possible damage, but not very likely to occur.
- Level 4 (high): Damage is possible based on experience and is very likely to occur.
Once the risks have been listed and described, the next step is to assess them. This involves analyzing the probability of something happening and the possible extent of the damage from the perspective of the people affected.
When assessing the probability of occurrence, it is best to consult an expert from the relevant department.
Focus particularly on the following aspects:
- How many different sources of risk could cause damage;
- Whether similar incidents have occurred previously;
- How likely consequential damage is;
- Whether statistical data on incident likelihood exists; and
- Whether there are known security gaps in the IT systems.
Once potential risks to the rights and freedoms of natural persons have been identified, effective countermeasures must be taken. According to Art. 35 (7) (d) GDPR, the options for mitigating these risks must be carefully examined and documented. The key lies in designing well-thought-out technical and organizational measures (TOM) that are specifically intended to reduce the probability of occurrence and the extent of damage. The aim of this risk minimization is that no high risks remain for the individuals concerned: the residual risk is brought down to an acceptable level, which makes the processing activity as a whole more secure and compliant with data protection regulations.
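The following Python script is an added example, not code from the article or from caralegal, of how the threshold analysis and the risk list from step 2 can be modelled outside of a spreadsheet so that the risk class and the residual risk after measures are computed rather than typed by hand. Two things are assumptions of the example that the article does not specify: the extent of damage is rated on the same 1 to 4 scale as the probability of occurrence, and the risk class is derived from the product of the two ratings (3 or less: low, 8 or less: medium, otherwise high). The sample risks and measures are constructed for illustration.

```python
"""DPIA helper (added example; the 1..4 damage scale and the risk matrix are
assumptions of this example, not taken from the article)."""
from __future__ import annotations
from dataclasses import dataclass, field


def dpia_required(on_blacklist: bool, threshold_answers: list[bool]) -> bool:
    """Threshold analysis as described in the article: a processing operation
    on the supervisory authority's list needs a DPIA immediately; otherwise at
    least two "yes" answers to the threshold questions trigger one."""
    if on_blacklist:
        return True
    return sum(1 for answer in threshold_answers if answer) >= 2


def risk_class(probability: int, damage: int) -> str:
    """Map the two 1..4 ratings to low/medium/high.

    The matrix (product <= 3 low, <= 8 medium, otherwise high) is an
    assumption of this example; the article only names the three classes."""
    for level in (probability, damage):
        if level not in (1, 2, 3, 4):
            raise ValueError(f"rating must be between 1 and 4, got {level}")
    score = probability * damage
    if score <= 3:
        return "low"
    if score <= 8:
        return "medium"
    return "high"


@dataclass
class Measure:
    """A technical or organizational measure (TOM) and the ratings it lowers."""
    name: str
    probability_reduction: int = 0
    damage_reduction: int = 0


@dataclass
class Risk:
    """One row of the risk list from step 2."""
    description: str
    protection_goal: str
    probability: int  # 1..4 scale from the article
    damage: int       # assumed 1..4 scale, mirroring the probability scale
    measures: list[Measure] = field(default_factory=list)

    def residual_ratings(self) -> tuple[int, int]:
        """Ratings after all measures are applied; a rating never drops below 1."""
        p = self.probability - sum(m.probability_reduction for m in self.measures)
        d = self.damage - sum(m.damage_reduction for m in self.measures)
        return max(1, p), max(1, d)

    def row(self) -> dict:
        """The columns the article asks for, plus the residual class after TOM."""
        p, d = self.residual_ratings()
        return {
            "description": self.description,
            "protection_goal": self.protection_goal,
            "probability": self.probability,
            "damage": self.damage,
            "risk_class": risk_class(self.probability, self.damage),
            "measures": "; ".join(m.name for m in self.measures) or "none",
            "residual_class": risk_class(p, d),
        }


def remaining_high_risks(risks: list[Risk]) -> list[str]:
    """Risks that stay 'high' after measures; step 2 expects this to be empty."""
    return [r.description for r in risks if r.row()["residual_class"] == "high"]


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk(
        description="Customer export file stored unencrypted on a shared drive",
        protection_goal="confidentiality",
        probability=3,
        damage=4,
        measures=[
            Measure("Encrypt exports at rest", probability_reduction=2),
            Measure("Restrict the share to the sales team", probability_reduction=1),
        ],
    ),
    Risk(
        description="Retention period exceeded for former employees' files",
        protection_goal="data minimisation",
        probability=4,
        damage=2,
        measures=[Measure("Automated deletion job", probability_reduction=2)],
    ),
]

if __name__ == "__main__":
    print("DPIA required:", dpia_required(False, [True, True, False, False]))
    for risk in SAMPLE_RISKS:
        print(risk.row())
    print("Remaining high risks:", remaining_high_risks(SAMPLE_RISKS))
```

Each `row()` dictionary corresponds to one line of the Excel risk list described above, so the output can be written to a sheet with the usual CSV tooling. Keeping the risk matrix in one function means the DPO can change the classification rule in one place and recompute every entry, which is exactly the kind of consistency a spreadsheet with hand-typed classes tends to lose.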
Step 3: Describe measures to protect the rights of data subjects
Once the risks to the rights and freedoms of individuals have been identified, document how these risks can be mitigated (according to Art. 35(7)(d) GDPR). These are technical or organizational measures from the record of processing activities (RoPA) that help to reduce either the probability of occurrence or the extent of possible damage.
Keep in mind that compliance with the information obligations under Articles 13 and 14 of the GDPR and the protection of the rights of data subjects (Articles 15 to 21 of the GDPR) within a data protection impact assessment influence how you assess the risks associated with a processing activity.
It must be ensured that all those affected by the processing activity know exactly what happens to their personal data. For employees, this can be done internally through data protection notices; for customers, through the privacy policy they see when they enter into a contract. Don't forget to refer to these documents in your DPIA.
Whether a particular right of the data subjects is relevant to a processing activity is determined by the circumstances of the data processing. Therefore, for each data processing activity, it must be clarified individually which rights of the data subjects are relevant and how compliance with them can be ensured.
Please indicate in your table which of the following data subject rights are applicable:
- Duty to inform data subjects
- Right of access
- Right to rectification
- Right to deletion ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent
Then, for all data subject rights marked as “relevant” in the following column, add technical and organizational measures that support the protection of data subject rights.
Step 4: Conclusion and assessment by the DPO
Finally, the data protection officer(s) review and evaluate the DPIA results. This step ensures that all relevant data protection aspects have been taken into account within the DPIA. To facilitate a comprehensive assessment, data protection experts should use the following aspects as a guide:
- It should be checked whether the documentation of the processing activity contains a complete overview of the personal data processed, the purposes of processing, and the groups of data subjects affected. Furthermore, the lawfulness of the processing must be ensured with regard to the applicable data protection laws and regulations.
- The necessity and appropriateness of the processing in relation to the purpose is assessed, as is a consideration of the possible effects of the processing on the rights and freedoms of the data subjects. It must then be clarified whether appropriate safeguards are necessary and whether these have already been implemented.
- It is determined whether the processing is state-of-the-art, ensures data security, and is compatible with any external requirements, such as industry standards or regulations.
By carefully considering these points, an informed assessment can be made to ensure compliance with data protection requirements for the processing activity in question.
Creating a DPIA in Excel: An overview of the advantages and disadvantages
Advantages of a DPIA with Excel
Performing a DPIA with Excel is definitely feasible, but it can be cumbersome in places. Nevertheless, this approach offers three specific advantages:
- Popularity of the spreadsheet program: No training period is necessary, as many people already have experience with Excel. It is possible to start using it immediately.
- Cost efficiency: Excel is often pre-installed on office PCs, so there are no extra software costs.
- Customizability: Excel allows flexible customization to suit company needs, including automation and specific drop-down fields.
Disadvantages of a DPIA with Excel
However, the three advantages that Excel offers as a DPIA tool are offset by six significant disadvantages.
- Limited ability to maintain structured relationships between records: It is difficult to create links between different files, which results in duplicate work.
- High manual effort and disorder: Documentation in Excel is prone to errors and difficult to keep track of, especially when entering large amounts of data.
- Lack of automation functions: There are no helpful automation functions, such as automatic notifications when changes are made.
- Limited reporting and aggregation capabilities: Merging and evaluating multiple DPIAs is difficult, and comprehensive overviews are tedious to create.
- Lack of quality monitoring and version control: There is no integrated quality assurance or easy-to-use change tracking.
- Limited collaboration capabilities: Increased complexity makes it difficult to involve other departments in contributing to a DPIA.
The alternative to DPIA with Excel: A reliable all-in-one data protection solution
Creating a data protection impact assessment in Excel is a reliable method, but it involves a considerable amount of manual effort. There is a better alternative that makes the process steps described above much easier thanks to automation workflows and structured data relationships.
An integrated data protection management solution uses automated threshold analyses to determine whether a DPIA is necessary for a processing activity.
Software support also makes it easier to comply with documentation requirements in a compliant manner. The data protection software is always linked to the record of processing activities (RoPA) and is ideally able to initiate a DPIA based on the results of the previously conducted threshold analysis. This saves data protection experts from having to deal with redundancies in documentation.
Even though it is possible to maintain a data protection impact assessment over many years using Excel, more and more privacy professionals are opting to use a modern data protection management solution. Unlike a spreadsheet program, professional data protection software is specifically tailored to the needs of data protection experts and the evolving privacy requirements.
Data protection officers benefit from user-friendly workflows, automation functions, and useful collaboration features.
Try caralegal's data protection management software for free. The caralegal data protection professionals will be happy to guide you through all the features in a personal appointment and address your challenges and questions.