Privacy risk assessment template

Use this template to start a DPIA, CCPA/CPRA risk assessment, HIPAA risk analysis prep, vendor privacy review, or AI and ADMT review without inventing the structure from scratch.

Worksheet preview (not legal advice)

Activity: AI support triage
Risk: Sensitive data exposure to an AI workflow
Controls: Human review, prompt controls, logging, vendor review
Decision: Mitigate before production rollout

Start with data classification for AI reviews

When teams get stuck on AI governance or DPIA questions, the most practical first step is usually classifying what data enters the workflow and who approves that use.

Data classes in scope: Record whether prompts or outputs can include customer data, employee data, PHI, sensitive personal data, or regulated records.
Systems and vendors: List the model provider, gateway, subprocessors, and internal systems that can receive prompts, outputs, logs, or attachments.
Human review point: State when a human must approve outputs, overrides, or external actions, and where that approval record is stored.
Reusable evidence: Link the same owner, retention note, audit log source, and customer-safe answer row you plan to reuse in security questionnaires or vendor reviews.

Why this page is a template, not a blog post

Searchers want a usable worksheet, fast scoping, and reusable evidence for real compliance work.

Downloadable artifact: CSV and Markdown versions are available so the page is useful before any software purchase.
DPIA screening path: The worksheet separates basic intake from deeper DPIA, CCPA/CPRA, HIPAA, AI, or vendor review triggers.
Evidence reuse: Outputs can feed security questionnaires, vendor reviews, risk registers, and answer-library entries.
Legal boundary: The template organizes facts and decisions while keeping jurisdiction-specific advice with privacy or legal reviewers.

Who this template helps

Most searchers want a usable artifact, not a privacy-law lecture.

Privacy Officer or DPO: Screen whether a product, vendor, or data processing change needs a DPIA or deeper privacy review.
GRC or compliance manager: Prepare audit-ready records for management review, customer due diligence, risk registers, and control evidence.
Security or risk team: Connect privacy risks to access controls, vendor risk, incident response, AI systems, and security questionnaires.
Healthcare compliance team: Organize HIPAA risk analysis prep before using a dedicated HHS-style security risk assessment workflow.
Small business operator: Start with a plain spreadsheet instead of trying to design a privacy assessment process from scratch.
Consultant or law firm: Use a structured intake format before tailoring jurisdiction-specific advice for a client.

Privacy worksheet output

The template is designed to produce reusable review evidence, not just a one-time privacy note.

Screening result

A quick decision on whether the workflow needs DPIA, HIPAA, CCPA/CPRA, AI or ADMT, legal, or vendor review.

Risk register rows

Concrete risk scenarios with likelihood, impact, current controls, residual risk, mitigation owner, and due date.

Evidence packet

Links to DPA, BAA, SOC 2, subprocessors, retention policy, access controls, audit logs, and approved questionnaire answers.

Questionnaire reuse

Privacy answers that can be reused in vendor assessments, customer security reviews, RFPs, and internal GRC workflows.

Recommended template fields

These fields keep the assessment useful for privacy review, GRC evidence, and customer questionnaires.

Assessment name: Short name for the product, vendor, system, feature, or data processing activity under review.
Assessment type: DPIA, privacy impact assessment, HIPAA risk analysis prep, CCPA/CPRA risk assessment, ADMT review, or vendor privacy assessment.
Processing activity: What personal data is collected, used, disclosed, retained, automated, or shared.
Business purpose: Why the processing is needed and which team owns the outcome.
Data categories: Personal data, sensitive data, PHI, children's data, employee data, location data, biometrics, or other regulated categories.
Data subjects: Customers, patients, employees, prospects, website visitors, minors, contractors, or other affected people.
Systems and vendors: Internal systems, subprocessors, analytics tools, AI systems, data brokers, or third-party processors involved.
Risk scenario: A concrete privacy harm such as unauthorized access, unexpected use, over-retention, inaccurate automated decisioning, or vendor misuse.
Likelihood and impact: Simple low, medium, or high scoring for how likely the scenario is and how severe the impact could be.
Existing controls: Security, privacy, contractual, retention, consent, access, monitoring, and human-review controls already in place.
Residual risk: Risk that remains after controls and mitigations are considered.
Decision and owner: Approve, mitigate, block, escalate to DPO/legal, or revisit later, with an accountable owner and review date.

Minimum AI / ADMT section to add

If a customer, DPO, or security reviewer asks for AI governance details, do not answer from memory. Add these fields so the privacy worksheet can feed questionnaires, DPIAs, and vendor reviews directly.

AI use case and business decision

State what the AI workflow does, whether it affects support, eligibility, pricing, hiring, healthcare, or other meaningful outcomes, and who owns the workflow.

Model/provider and subprocessors

List the model provider, gateway, embedded AI vendors, and any subprocessors that can process prompts, outputs, or logs.

Customer-data handling

Record what data can enter the workflow, whether customer data is used for training, retention limits, deletion path, and regional storage notes.

Human review and approval

Capture when a human must review outputs or approve actions, who can override the system, and where approval evidence is stored.

Auditability and evidence

Link audit logs, prompt or tool access records, vendor terms, DPIA notes, and the answer-library row that sales or security reviewers can reuse.

Assessment workflow

Keep the first version lightweight enough that teams will actually complete it.

1. Define the activity

Name the system, vendor, feature, business purpose, owner, data subjects, and data categories before scoring any risk.

2. Screen for deeper review

Flag sensitive data, large-scale processing, profiling, ADMT, PHI, children's data, cross-border transfer, or high-impact decisions.

3. Record concrete risks

Write each risk as a scenario: what could happen, who is affected, what harm could occur, and which control should reduce it.

4. Assign mitigation

Give every open risk an owner, target date, status, control evidence, and decision path.

5. Keep evidence reusable

Store the approved assessment output in an answer library or GRC workspace so future questionnaires are not answered from memory.

Template variants

Use one common structure, then add jurisdiction-specific review where needed.

DPIA / PIA screening: Use when a new project, system, vendor, or processing activity may create a high privacy risk for individuals.
HIPAA risk analysis prep: Use for early inventory and risk notes around ePHI before completing a healthcare-specific HIPAA security risk assessment process.
CCPA / CPRA risk assessment: Use when California privacy obligations, sensitive personal information, profiling, ADMT, or high-risk processing are in scope.
AI / ADMT review: Use when an automated or AI-supported system may affect access, eligibility, pricing, employment, healthcare, or other meaningful decisions.
Vendor privacy assessment: Use when reviewing a subprocessor, SaaS tool, data sharing arrangement, or third-party data processing workflow.
Customer due diligence evidence: Use selected fields to answer security questionnaires, privacy reviews, RFPs, and enterprise vendor assessments.

Privacy risk assessment template for Excel

Most teams should start with a spreadsheet structure before buying a privacy platform.

Intake tab: Capture assessment name, owner, system, vendor, business purpose, data subjects, data categories, and review status.
Screening tab: Flag DPIA triggers, HIPAA/ePHI scope, CCPA/CPRA high-risk processing, AI or ADMT use, sensitive data, and vendor sharing.
Risk register tab: Record each risk scenario with likelihood, impact, inherent risk, current controls, residual risk, mitigation owner, and due date.
Evidence tab: Link DPAs, BAAs, SOC 2 reports, subprocessors, retention policies, access controls, audit logs, and approved questionnaire answers.

HIPAA privacy risk assessment prep

Healthcare teams can use the template for early scoping before a formal HIPAA security risk analysis.

PHI and ePHI scope

Identify whether the workflow processes protected health information, electronic PHI, patient identifiers, or patient portal content.

Vendor and BAA review

Record business associates, subcontractors, hosting providers, support access, and whether a BAA or equivalent review is complete.

Access and audit controls

Note user access, authentication, audit logging, incident response, retention, and breach notification evidence.

Minimum necessary review

Check whether the processing limits data collection, sharing, and retention to the intended healthcare purpose.

Data privacy risk assessment scenarios

Use these triggers to decide when a lightweight assessment should become a deeper privacy review.

Analytics or tracking change

Use when product analytics, website pixels, session replay, advertising, or enrichment tools change what personal data is collected.

New subprocessor

Use when a SaaS vendor, data processor, AI provider, cloud service, or support tool will process customer, employee, or patient data.

AI or automated decisioning

Use when AI triage, scoring, routing, profiling, recommendation, or ADMT may affect people or expose sensitive data.

Data retention or export

Use when data will be retained longer, exported, copied into another system, or shared across jurisdictions.

Example starter rows

These examples show the level of specificity a practical assessment should capture.

Assessment | Type | Processing activity | Data categories | Risk scenario | Controls to review
New analytics tool review | Vendor privacy assessment | Website visitor analytics and product usage tracking | Identifiers, device data, usage events | Unexpected tracking or vendor reuse of data | Data minimization, DPA review, retention limit, opt-out review
AI support triage | AI / ADMT review | AI-assisted routing of customer support tickets | Customer contact data, support content, account metadata | Incorrect classification or sensitive data exposure to an AI workflow | Human review, prompt controls, logging, data retention limit, vendor review
Patient portal vendor | HIPAA risk analysis prep | Third-party portal processing patient messages and account data | ePHI, identifiers, authentication logs | Unauthorized access, weak access control, incomplete audit trail | BAA review, access controls, audit logging, incident-response evidence
California profiling review | CCPA / CPRA risk assessment | Automated segmentation used for eligibility, pricing, or targeting decisions | Sensitive personal information, behavioral data, account data | Opaque automated decisioning or insufficient opt-out process | Purpose review, ADMT disclosure, opt-out path, human escalation
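The screening step and the risk register scoring described above, as an added example that is not part of the template or its downloadable files: it reads rows in the starter-row layout (with the likelihood, impact and control-strength columns from the risk register tab), flags deeper reviews by whole-word triggers, and bands inherent and residual risk. The CSV rows, the trigger word lists and the scoring rule are constructed assumptions; a reviewer still confirms every flag.

```python
import csv
import io
import re

# Constructed sample rows (assumption) in the page's starter-row layout plus the
# Likelihood, Impact and Control strength columns of the risk register tab.
SAMPLE_CSV = """\
Assessment,Type,Processing activity,Data categories,Risk scenario,Likelihood,Impact,Control strength
AI support triage,AI / ADMT review,AI-assisted routing of support tickets,"Customer contact data, support content",Sensitive data exposure to an AI workflow,Medium,High,Medium
Patient portal vendor,HIPAA risk analysis prep,Third-party portal processing patient messages,"ePHI, identifiers, authentication logs",Unauthorized access,Low,High,High
"""

LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Deeper-review triggers from step 2 of the workflow, matched as whole words on the
# type, activity and data-category columns (assumed keyword lists, not exhaustive).
TRIGGERS = {
    "HIPAA": {"phi", "ephi", "patient"},
    "DPIA": {"sensitive", "biometrics", "children", "location", "profiling"},
    "AI/ADMT": {"ai", "admt", "automated", "profiling"},
}

def band(score):
    """Map a 1..9 likelihood x impact product onto the page's low/medium/high scale."""
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def screen(row):
    """Return the set of deeper reviews a worksheet row triggers."""
    text = " ".join((row["Type"], row["Processing activity"], row["Data categories"]))
    words = set(re.findall(r"[a-z]+", text.lower()))
    return {name for name, keys in TRIGGERS.items() if words & keys}

def score(row):
    """Inherent = likelihood x impact; residual subtracts control strength (assumed rule)."""
    inherent = LEVEL[row["Likelihood"]] * LEVEL[row["Impact"]]
    residual = max(1, inherent - LEVEL[row["Control strength"]])
    decision = {"High": "Escalate to DPO/legal", "Medium": "Mitigate", "Low": "Approve"}
    return {"inherent": band(inherent), "residual": band(residual),
            "decision": decision[band(residual)]}

def assess(csv_text=SAMPLE_CSV):
    """Produce one risk register entry per worksheet row."""
    return [{"assessment": row["Assessment"], "reviews": screen(row), **score(row)}
            for row in csv.DictReader(io.StringIO(csv_text))]

if __name__ == "__main__":
    for entry in assess():
        print(entry)
```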

Connect it to security review

Privacy assessments become more valuable when they feed vendor review and answer-library evidence.

Security questionnaire answers

Use approved assessment outcomes as evidence when customers ask how privacy risks are reviewed.

Vendor security review

Connect privacy risk, data processing, subprocessors, and audit evidence to customer due diligence.

AI agent review

Use privacy-risk fields alongside AI tool access, MCP gateway controls, and audit logging evidence.

Automation tool selection

Compare platforms by whether they preserve source evidence, owners, review dates, and exportable records.

Evidence and source trail

Use official sources for legal interpretation and jurisdiction-specific requirements.

EDPB DPIA template (2026)

The European Data Protection Board published a harmonised DPIA template (public consultation from 14 April 2026 to 09 June 2026) that organizations can use and map local templates to.

ICO DPIA guidance

The UK ICO describes DPIAs as a way to identify and minimize data protection risks, and notes that organizations can use or adapt a sample DPIA template.

EDPS DPIA resources

The European Data Protection Supervisor provides DPIA resources and templates for assessing whether a DPIA is needed and documenting review outcomes.

HHS HIPAA risk analysis guidance

HHS explains HIPAA Security Rule risk analysis expectations and points smaller healthcare organizations to the official Security Risk Assessment Tool.

CPPA CCPA risk assessment updates

The California Privacy Protection Agency tracks CCPA updates covering risk assessments, cybersecurity audits, and automated decisionmaking technology.

Privacy risk assessment FAQ

Short answers for teams deciding whether this template fits their review process.

What is a privacy risk assessment template?

A privacy risk assessment template is a structured spreadsheet or worksheet used to identify personal-data processing activities, privacy risks, existing controls, residual risk, owners, and review decisions.

Is this the same as a DPIA template?

It can support DPIA screening and evidence capture, but a DPIA may require jurisdiction-specific analysis, DPO input, consultation records, and legal review. For EU-facing DPIAs, consider aligning your output with the EDPB DPIA template (2026) and use this worksheet as a lightweight intake layer.

Can this be used for HIPAA?

It can help organize early HIPAA risk notes, assets, vendors, and controls, but healthcare teams should still use HIPAA-specific guidance and tools for formal Security Rule risk analysis.

Can AI or ADMT risk be included?

Yes. Add fields for automated decisioning purpose, affected people, data categories, human review, explanation, opt-out path, audit logs, and mitigation owner.

What is the minimum AI governance section to add to a privacy assessment?

At minimum, capture the AI use case, provider and subprocessors, customer-data handling and training posture, human review or approval points, audit-log evidence, and the accountable owner.

Is this legal advice?

No. This template is a practical starting point for organizing risk information. Privacy officers, legal counsel, or qualified advisors should review jurisdiction-specific obligations.

Need a shortlist for your workflow?

Send the formats you receive, your current answer-library setup, and whether you need portal support. We will use those signals to prioritize the next comparison updates.