Decide whether you need a Data Protection Impact Assessment (GDPR Art 35) or a US state data protection assessment (CPRA, Colorado, Connecticut, Virginia, plus the 2026 Indiana, Kentucky and Rhode Island laws), then build one. A trigger checker tells you if an assessment is required; six guided sections — processing description & purpose, necessity & proportionality, data categories, risks to data subjects, mitigations, residual risk & sign-off — produce a structured DPIA document. Word export + a local register. EN/FR/AR.
Tick every factor that applies to this processing. One or more high-risk triggers means a DPIA (GDPR Art 35) or a data protection assessment (US state law) is required.
Complete each section. The completion bar reflects how many fields are filled — there is no “score”; a DPIA is a documented judgement, not a grade.
⚠️ Educational estimate only — NOT legal, tax, financial, or insurance advice. This tool helps you draft a Data Protection Impact Assessment / data protection assessment and screens common triggers under GDPR Art 35 and US state privacy laws (CPRA, Colorado CPA, Connecticut CTDPA, Virginia VCDPA, and the 2026 Indiana, Kentucky and Rhode Island acts). Trigger lists and thresholds are summaries — not the full statutes, applicability rules or any supervisory-authority list — and whether an assessment is required, and its content, depend on your specific processing and jurisdiction. Consult a qualified data-protection lawyer or your DPO before relying on the output. Nothing you enter leaves your browser.