Tags: GDPR Art 35 · GDPR Art 36 · WP29 WP248 · DPIA · Deep Prototype

DPIATracker — GDPR Art 35 DPIA Register

12 processing activities scored against the 9 WP29 / Art 35(3) criteria. Risk matrix (likelihood × severity, inherent vs residual), mitigation roadmap with ship-state per item, DPO sign-off. 2 activities flagged for Art 36 prior consultation with the supervisory authority.


What it is

The shape behind every DPIA register (OneTrust DPIA, Vanta DPIA, internal Notion templates). Each high-risk processing activity gets the same artifact — 9-criteria screen, 5×5 risk matrix, mitigation roadmap, sign-off chain.

What’s in it

  • 12 processing activities — fraud-scoring ML, employee productivity monitor, AI-generated marketing personalization, optional face-match login, support-transcript LLM, behavioral targeting, AI recruitment ATS, children’s product (13-17), delivery-driver geolocation, server access logs, internal AI bug-triage, KYC onboarding.
  • 9 WP29 criteria screened per activity (Art 35(3) + WP248):
    1. Evaluation / scoring (profiling)
    2. Automated decisions with legal effect (Art 22)
    3. Systematic monitoring
    4. Sensitive data / highly personal nature
    5. Large-scale processing
    6. Matching/combining datasets
    7. Vulnerable data subjects
    8. Innovative use / new technology
    9. Prevents data subjects from exercising rights
  • 5×5 risk matrix (likelihood × severity) — inherent vs residual after mitigation. The matrix cell is highlighted for the current activity.
  • Mitigation roadmap per activity — done / in-progress / todo, with the actual control (e.g., “human review for any auto-decline (Art 22(3))”).
  • Art 36 flag — 2 activities (employee productivity monitor, AI recruitment ATS, face-match login, delivery geolocation) require prior consultation with the supervisory authority because residual risk remains high after mitigation.
  • DPO sign-off chain — date + signer per approved activity.
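The register logic the list above describes (9-criteria screen, 5×5 matrix with inherent vs residual, roadmap ship-state, Art 36 flag), as an added example in vanilla JavaScript; this is not DPIATracker's own code. The band cut-offs, the per-mitigation reductions and the sample activity are constructed assumptions; the "two or more criteria" rule is the WP248 presumption.

```javascript
// Added example, not DPIATracker's code. Nine WP29 / Art 35(3) criteria in the page's order.
const CRITERIA = [
  "Evaluation / scoring (profiling)", "Automated decisions with legal effect (Art 22)",
  "Systematic monitoring", "Sensitive data / highly personal nature",
  "Large-scale processing", "Matching/combining datasets", "Vulnerable data subjects",
  "Innovative use / new technology", "Prevents data subjects from exercising rights",
];

// WP248: processing that meets two or more criteria is presumed to need a DPIA.
function criteriaScreen(hits) {
  const bad = hits.filter((i) => !Number.isInteger(i) || i < 0 || i >= CRITERIA.length);
  if (bad.length) throw new RangeError(`unknown criterion index: ${bad}`);
  const unique = [...new Set(hits)].sort((a, b) => a - b);
  return { criteria: unique.map((i) => CRITERIA[i]), count: unique.length,
           dpiaRequired: unique.length >= 2 };
}

// 5x5 cell: likelihood and severity each 1..5, score = product.
// Band cut-offs are an assumption: >= 12 high, >= 6 medium, else low.
function riskCell(likelihood, severity) {
  for (const v of [likelihood, severity]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) throw new RangeError(`axis out of 1..5: ${v}`);
  }
  const score = likelihood * severity;
  return { likelihood, severity, score, band: score >= 12 ? "high" : score >= 6 ? "medium" : "low" };
}

// Residual risk credits only mitigations whose ship-state is "done"; in-progress and
// todo items stay on the roadmap but do not lower the score yet. Axes floor at 1.
function assess(activity) {
  const screen = criteriaScreen(activity.criteria);
  const inherent = riskCell(activity.likelihood, activity.severity);
  const roadmap = { done: 0, "in-progress": 0, todo: 0 };
  let l = inherent.likelihood, s = inherent.severity;
  for (const m of activity.mitigations) {
    if (!(m.state in roadmap)) throw new RangeError(`unknown ship-state: ${m.state}`);
    roadmap[m.state] += 1;
    if (m.state !== "done") continue;
    l = Math.max(1, l - (m.likelihoodCut || 0));
    s = Math.max(1, s - (m.severityCut || 0));
  }
  const residual = riskCell(l, s);
  // Art 36: residual risk still high after mitigation means prior consultation.
  return { name: activity.name, screen, inherent, residual, roadmap,
           art36Consultation: screen.dpiaRequired && residual.band === "high" };
}

// Constructed sample modelled on the page's "employee productivity monitor" (values assumed).
const MONITOR = { name: "employee productivity monitor", criteria: [0, 2, 6, 7],
  likelihood: 4, severity: 4, mitigations: [
    { control: "data minimisation: team-level aggregates only", state: "done", likelihoodCut: 1 },
    { control: "works-council agreement", state: "in-progress", severityCut: 2 },
    { control: "employee opt-out dashboard", state: "todo", likelihoodCut: 1 } ] };
```

Because the works-council agreement is still in progress, the residual cell stays in the high band and the activity carries the Art 36 flag; once it ships the score drops to 6 and the flag clears.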

Why this shape

GDPR Art 35 mandates a DPIA “where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.” The hardest part is not writing one DPIA — it’s running a register where every activity is current, scored, and mapped to the right mitigations. DPIATracker prototypes that register directly, with the 9-criteria screen, 5×5 matrix, and Art 36 flag built in.

How it ships

Single HTML file, ~20KB. Zero dependencies. 12 activities × 9 criteria × 5×5 matrix + mitigation roadmap in 240 lines of vanilla JavaScript.
