
Assessment types

This feature requires Fides Cloud or Fides Enterprise. For more information, talk to our solutions team.

Fides includes eight assessment templates. Each template corresponds to a specific regulatory framework or methodology. This page provides full reference information for each type.

Template summary

| Name | Region | Authority |
| --- | --- | --- |
| GDPR Data Protection Impact Assessment | EU / EEA | GDPR Article 35, EDPB guidelines |
| UK GDPR DPIA | United Kingdom | UK GDPR Article 35, ICO guidance |
| EU AI Act Fundamental Rights Impact Assessment | European Union | EU AI Act (Regulation 2024/1689), Article 27 |
| California CPRA Risk Assessment | California, USA | CPRA / CCPA (Cal. Civ. Code § 1798.185) |
| Colorado CPA Data Protection Assessment | Colorado, USA | Colorado Privacy Act (C.R.S. § 6-1-1309) |
| Virginia VCDPA Data Protection Assessment | Virginia, USA | Virginia CDPA (Va. Code § 59.1-579) |
| US Multi-State Data Protection Assessment | USA (generic) | Multiple US state privacy laws |
| Generic Privacy Impact Assessment | Global | CNIL PIA methodology |

GDPR Data Protection Impact Assessment

Region: European Union and European Economic Area

Legal basis: GDPR Article 35 requires a DPIA before processing that is "likely to result in a high risk to the rights and freedoms of natural persons." EDPB guidelines on DPIAs identify processing types that presumptively require one, including systematic profiling, large-scale processing of special categories, and systematic monitoring.

When it's required: Your organization must conduct a DPIA before commencing high-risk processing and consult with the supervisory authority under Article 36 if the residual risk remains high after mitigation.

Question groups:

  1. Project Overview
  2. Data Inventory
  3. Data Flows
  4. Legal Basis and Compliance
  5. Risk Assessment
  6. Risk Mitigations
  7. Individual Rights
  8. Governance and Approval

UK GDPR DPIA

Region: United Kingdom

Legal basis: UK GDPR Article 35 (as retained in UK law post-Brexit) and ICO guidance on DPIAs. The ICO has published a DPIA template and step-by-step guidance that this template aligns with.

When it's required: Required for the same categories of high-risk processing as EU GDPR, adapted for UK data subjects and the ICO as the relevant supervisory authority.

Question groups: Aligned to the ICO DPIA template structure, covering project description, data flows, consultation, necessity and proportionality, risks, and sign-off.


EU AI Act Fundamental Rights Impact Assessment

Region: European Union

Legal basis: EU AI Act (Regulation 2024/1689), Article 27. Deployers of high-risk AI systems that are bodies governed by public law, or private entities providing public services, must conduct a fundamental rights impact assessment before putting the system into use. Article 27(4) allows existing GDPR DPIA findings to complement the FRIA where relevant.

When it's required: Required before deploying any high-risk AI system as classified under Annex III of the EU AI Act, when the deployer is a public body or provides public services. Organizations using AI systems for employment decisions, credit scoring, law enforcement, migration management, or access to essential services should evaluate whether this assessment applies.

Question groups:

  1. Process and Purpose
  2. AI System Classification
  3. Affected Groups
  4. Risk Assessment
  5. Mitigation Measures
  6. Monitoring and Review

California CPRA Risk Assessment

Region: California, USA

Legal basis: California Privacy Rights Act (CPRA), which amended CCPA. Cal. Civ. Code § 1798.185(a)(15) directs the California Privacy Protection Agency (CPPA) to issue regulations requiring risk assessments for processing that presents significant risk to consumers' privacy or security.

When it's required: Required for processing of sensitive personal information and for certain automated decision-making activities, as defined by CPPA regulations.

Question groups: Covers processing description, data flows, benefits and risks, risk mitigation measures, and executive sign-off aligned to CPPA regulatory guidance.


Colorado CPA Data Protection Assessment

Region: Colorado, USA

Legal basis: Colorado Privacy Act, C.R.S. § 6-1-1309. Controllers must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to consumers, including processing for targeted advertising, profiling, selling personal data, and processing sensitive data.

When it's required: Required before commencing any of the enumerated heightened-risk activities. The Attorney General may request assessments as part of an investigation.

Question groups: Structured around the CPA's mandatory assessment factors: processing purpose, necessity, proportionality, safeguards, and consumer rights mechanisms.


Virginia VCDPA Data Protection Assessment

Region: Virginia, USA

Legal basis: Virginia Consumer Data Protection Act, Va. Code § 59.1-579. Controllers must conduct a data protection assessment for processing activities that present a heightened risk of harm to consumers.

When it's required: Required for targeted advertising, profiling with legal or similarly significant effects, selling personal data, and processing sensitive data.

Question groups: Covers processing description, data categories, purposes, benefits, consumer risks, risk mitigation, and controller sign-off.


US Multi-State Data Protection Assessment

Region: United States (generic)

Legal basis: Designed to satisfy the data protection assessment requirements across multiple state privacy laws simultaneously, including Colorado CPA, Virginia VCDPA, Connecticut CTDPA, Montana MCDPA, and others with similar requirements.

When it's required: Use this template when a processing activity spans multiple US states with DPA requirements, to produce a single assessment document that addresses all applicable frameworks.

Question groups: Covers the common core required by all covered state laws, with additional questions for state-specific requirements. Answers that satisfy the strictest state law are generally sufficient for all.


Generic Privacy Impact Assessment

Region: Global

Legal basis: Based on the CNIL (French data protection authority) PIA methodology, which is widely recognized as a best-practice framework applicable regardless of jurisdiction.

When to use it: Use this template when no jurisdiction-specific template applies, for voluntary PIAs on lower-risk processing, or as a baseline assessment before determining which jurisdiction-specific template to use.

Question groups:

  1. Project Overview
  2. Data Inventory
  3. Data Flows
  4. Legal Basis and Compliance
  5. Risk Assessment
  6. Risk Mitigations
  7. Individual Rights
  8. Governance and Approval