DPIA Templates — including a Template for AI Solutions
Two Excel DPIA templates from the Danish supervisory authority, published 22 May 2024. One is generic. The other is built specifically for the development and operation of AI solutions, and carries what almost nothing else in this space does: a catalogue of concrete example risks with the mitigating measures that answer them. It is a working spreadsheet, not a think-piece. It is in Danish. And Datatilsynet built it, on the record, “with inspiration from” the ICO's own AI and Data Protection Risk Toolkit.
- Published by
- Datatilsynet — the Danish supervisory authority
- Named by the EDPB
- Denmark's entry in Annex 1 of the EDPB DPIA template Explainer points to Datatilsynet's konsekvensanalyse pages, where these templates live.
- Type
- Two DPIA templates in Excel — final, published 22 May 2024. One generic; one specific to the development and operation of AI solutions, with a catalogue of example risks and mitigating measures.
- Language
- Danish only. No English edition. The templates are spreadsheets, so cell contents translate cleanly — but the risk catalogue is the substance, and it needs reading, not skimming.
- Jurisdiction
- Denmark (Datatilsynet) — not binding in the UK. GDPR Art. 35, which the UK GDPR carries across; the AI risk content is not jurisdiction-specific.
- Primary audience
- DPOs and privacy teams assessing AI systems — particularly at the development stage, where Datatilsynet found the timing failures
- Topic tags
- DPIA · AI governance · risk management · templates · accountability
- Availability
- Free, datatilsynet.dk. Datatilsynet states — on the announcement page, not in the spreadsheet itself — that the risk and measures catalogue is not exhaustive and that controllers must assess whether further risks apply. Anyone who downloads only the template never sees the caveat. The responsibility for an adequate DPIA remains the controller's.
Why it matters
This is the closest thing we have found to a regulator-published DPIA template for an AI system, and it exists because the regulator went looking and did not like what it found. Datatilsynet's October 2023 mapping of AI use across the Danish public sector found authorities having difficulty with the more complex requirements when developing and deploying AI — and in particular failing to carry out the DPIA in time: for 88% of the solutions where the authority itself had judged a DPIA necessary, it was not done in time. Datatilsynet adds, in its own announcement, that several of its decisions concern missing or inadequate DPIAs. The templates are the response — a supervisory authority building the tool it wished the organisations it regulates had been using. The provenance is the part that should interest a UK practitioner. Datatilsynet says on its own news page that the AI template was prepared “med inspiration fra” the ICO's AI and Data Protection Risk Toolkit, and links to the ICO's AI work from its own site. So what you are getting is the ICO's risk thinking, rebuilt by another regulator into the DPIA template the ICO never shipped — the ICO is explicit, inside the toolkit workbook, that it “can complement” a DPIA and “is not designed to replace” one. The so-what is timing and cost. The expensive failure in AI work is not a bad DPIA; it is a late one, arriving after the architecture is set, the vendor is signed and the mitigations that mattered are no longer available. A risk-and-measures catalogue you can put in front of an engineering team at design stage is worth more than a better-written assessment six months later. Two honest limits. It is Danish-language Excel, so budget the translation. And it is a template, not a methodology — pair it with the AEPD guide for the method and the EDPB template for the record. Note also what does not exist. No supervisory authority has published a DPIA template, methodology or worked example built for autonomous multi-step agents. The AEPD has gone furthest on the substance — its February 2026 guidance on agentic AI (71 pages, English) is the most detailed regulatory treatment we have found, and on the trigger question it says only that AI agents are “undoubtedly a new technology, but it does not necessarily imply that it entails the obligation to carry out a data protection impact assessment (DPIA) in all cases … It will depend on what processing it is incorporated into and what type of agentic AI system is proposed to be used.” Nobody has yet turned that into an instrument. This template addresses AI solutions, not agents. If you are assessing AI now, it is the nearest starting point we know of — and we hope it helps.
