Sample DPIA structure for an AI chatbot

This is a redacted outline of the structure we use when documenting an AI chatbot or other AI system in a Data Protection Impact Assessment (DPIA) under GDPR. It shows the shape of the work, not client-confidential content.

What this proves: we do not treat a DPIA as a generic template. The document has to follow the actual architecture, data flows, vendors, risks, and controls in the system being deployed.

1. System summary

  • What the AI system does, who uses it, and where it sits in the workflow
  • Whether it is customer-facing, internal-only, or decision-support
  • Which vendors, models, and infrastructure providers are involved

2. Roles, lawful basis, and scope

  • Controller / processor split across client, vendor, and subprocessor chain
  • Lawful basis for each processing purpose
  • Any Article 9 or child-data issues that raise the risk level

3. Personal data inventory

  • Data categories collected, inferred, or generated by the system
  • User inputs, logs, metadata, transcripts, and model outputs
  • Retention periods and deletion rules for each category

4. Data flow and transfer map

  • Where data enters, where it is stored, and who receives it
  • Cross-border transfers to LLM providers, cloud hosts, analytics, and support tools
  • DPAs, SCCs, and zero-retention settings documented in one place

5. Risk assessment

  • Likelihood and severity of harm to individuals
  • Prompt leakage, excessive retention, over-collection, model error, and unauthorized access
  • Specific operational risks caused by the AI architecture, not just generic GDPR boilerplate

6. Controls and mitigations

  • Data minimisation rules before prompts are sent to the model
  • Human handoff, confidence thresholds, audit logging, and access control
  • Contractual, technical, and procedural controls mapped directly to each risk

7. Residual risk and sign-off

  • What risk remains after mitigation
  • Whether consultation with the DPO or regulator is required
  • Approval, review cadence, and trigger points for updating the DPIA

If you want the actual document

The paid scoping review gives you the real output for your system: specific data flows, specific vendor controls, and a clear view of what needs to happen before launch.

Book the scoping review