Data PrivacyWhat is a Factsheet in Data Protection Impact Assessment?

September 2, 20230
What is a Factsheet in Data Protection Impact Assessment?


A Data Protection Impact Assessment (DPIA) is a process designed to help organisations identify and minimise the data protection risks of a project or plan. This is a trite requirement under data protection laws including the Digital Personal data Protection Act,2023 in India or the General Data Protection Regulation (GDPR) in the European Union.

A factsheet in a DPIA serves as a comprehensive summary or overview of the assessment. It is essentially a distilled version of the DPIA that quickly highlights the key points, such as the data being collected, the purpose for the collection, potential risks, and mitigations.

The factsheet is generally intended for a varied audience that can range from stakeholders and decision-makers to the general public. Therefore, it should be easily understandable without sacrificing the necessary detail.

Key Components of a DPIA Factsheet


The key component can be summarised as under;

  1. Project Name and Description: A brief outline of what the project is about.
  2. Data Controller: Information about the organization that is responsible for the data.
  3. Purpose of Data Collection: Why the data is being collected and processed.
  4. Data Categories: Types of data being collected (e.g., personal data, sensitive data, etc.).
  5. Data Sources: Where the data will come from (e.g., directly from individuals, third-party services, etc.).
  6. Data Processing Activities: Steps or procedures involved in the handling of the data.
  7. Data Recipients: Entities or individuals who will have access to the data.
  8. Risk Assessment: A brief overview of potential risks to data protection and privacy.
  9. Mitigation Measures: Steps that will be taken to minimise identified risks.
  10. Legal Compliance: A mention of the laws and regulations that are relevant to the project, and how compliance will be ensured.
  11. Contact Information: Who to contact for more information about the DPIA or data protection issues.
How to Prepare a Factsheet in a Proper Manner?


The preparation of the factsheet is very crucial for proper DPIA in any organisation. The important factors to be considered are as below:

  1. Gather Information: Before creating a factsheet, make sure you have all the information gathered from the DPIA process. The factsheet will be a summary of this information.
  2. Understand the Audience: Tailor the language and content based on who will be reading the factsheet.
  3. Use a Clear Structure: Use headings, bullet points, and numbers to make it easy to read and understand.
  4. Be Concise but Detailed: Provide enough detail to give a comprehensive overview but be as concise as possible to make it quickly digestible.
  5. Use Plain Language: Avoid jargon or technical terms that could confuse non-experts.
  6. Review for Accuracy: Make sure all information is accurate and up-to-date. Any mistakes can undermine the trustworthiness of the DPIA and may have legal implications.
  7. Get Feedback: Before finalising, seek feedback from stakeholders or experts to make sure the factsheet accomplishes its goal of effectively summarising the DPIA.
  8. Update Regularly: Any changes to the DPIA should be reflected in the factsheet. Make sure it is kept up-to-date.
  9. Make It Accessible: The factsheet should be easily accessible, whether that means being downloadable from a website or available in paper form.
  10. Legal Review: Depending on the complexity and risk associated with the project, consider having the factsheet reviewed by legal experts to ensure compliance with relevant laws and regulations.

By paying attention to these aspects, you can ensure that your DPIA factsheet is an effective tool for communicating the data protection implications of your project.

For any query or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.