Data Protection Impact Assessment (DPIA) Template
Version 2.0 - Effective 2026-07-08 - Change log
Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
For clients (controllers) deploying the Whistle intake assistant, especially where enquiries may include special-category data (for example health information or legal matters). Under Article 35 of the EU GDPR and UK GDPR, a DPIA is required where processing is likely to result in a high risk to individuals. Client deployments receive a pre-filled DPIA starter in their onboarding pack; this is the full template it is based on.
Screening: is a DPIA required?
Answer these before starting (drawn from the ICO screening criteria and the Article 29 Working Party / EDPB criteria). If you answer yes to two or more, a DPIA is expected; many firms complete one on a single yes as good practice.
- Will the deployment process special-category data at scale (for example, a personal-injury or medical-negligence intake where health details are routinely volunteered)?
- Are the data subjects potentially vulnerable (accident victims, people facing criminal allegations, employees in disputes, children)?
- Does the processing use innovative technology (an AI assistant qualifies under ICO guidance)?
- Will data be matched or combined with other datasets, or used for evaluation or scoring with significant effects?
- Is there systematic monitoring of individuals?
If a DPIA is required, complete the four parts below and keep the signed record.
1. Describe the processing
- What: AI-assisted intake, qualification and booking of website enquiries via the Whistle widget, operated by Amaigo as your processor.
- Data: name, email, phone, enquiry category, de-identified summary, booking details; potentially special-category data volunteered by the individual in free text.
- Data subjects: your website visitors and prospective clients.
- Flows: structured fields capture contact data; free-text messages are redacted of contact details before AI processing; the AI sub-processor operates under no-training, bounded-retention commercial terms; storage is in the EU. See the sub-processor list and Security Overview.
- Scope and context: record expected volume, sensitivity of your practice areas, and whether transcript storage is enabled (off by default).
- Retention: your configured
retentionDays(default 365 days), automated purge, erasure override. See the Retention Policy.
2. Necessity and proportionality
- Lawful bases: typically legitimate interests for responding to enquiries, with consent collected in-widget for storing details and contacting the individual; for special-category data volunteered in intake, identify an Article 9 condition (for legal practices, commonly Art. 9(2)(f) establishment, exercise or defence of legal claims, or explicit consent). Record your analysis.
- Minimisation: contact data via structured fields only; free text redacted before AI processing; de-identified summaries rather than transcripts; no transcripts stored by default.
- Transparency: in-widget AI disclosure and consent statements (Consent Notice); your privacy notice updated with the supplied paragraph; AI Transparency Notice.
- Proportionality: the assistant only qualifies, books or escalates; it does not advise or decide.
3. Risks to individuals
Complete likelihood and severity (low / medium / high) and residual risk for your context. Mitigations listed are those built into the service; add your own.
| Risk | Likelihood | Severity | Mitigations (Amaigo) | Residual risk |
|---|---|---|---|---|
| Sensitive data volunteered in free text reaching the AI | ___ | ___ | On-screen guidance not to share sensitive detail; automated redaction of contact details before AI processing; AI provider under no-training, bounded-retention commercial terms; no content logging | ___ |
| International transfer to the US AI provider | ___ | ___ | EU-US Data Privacy Framework plus UK Extension as primary mechanism, SCCs Module 3 plus UK Addendum as automatic fallback; transfer risk assessment maintained at /legal/tra | ___ |
| Redaction failure or novel PII formats | ___ | ___ | Defence in depth: structured capture as the primary channel for contact data, no transcript storage by default, minimisation in the system prompt | ___ |
| Unauthorised access to lead data | ___ | ___ | EU hosting, encryption in transit and at rest, tenant isolation, token-protected admin endpoints; see Security Overview | ___ |
| Excess retention | ___ | ___ | Automated purge against configurable retentionDays; erasure requests override retention; see Retention Policy |
___ |
| Prospective-client confidentiality and privilege expectations | ___ | ___ | Persistent AI disclosure; no legal advice by design; outcomes handled by humans at your firm; enterprise no-training terms and processing at your direction, distinct from consumer AI tools; see AI Transparency Notice | ___ |
| Automated decision-making concerns | ___ | ___ | The assistant never automatically rejects a prospective client: it qualifies, books or hands off, and outcomes are routed to your firm for human handling, keeping deployments outside EU GDPR Art. 22 and UK GDPR Arts. 22A to 22D solely-automated decision territory | ___ |
4. Measures and outcome
- Technical and organisational measures: see the DPA Annex B and the Security Overview; record any additional controller-side measures (staff training, access restrictions on lead alerts, non-engagement follow-up letters).
- Consultation: record whether data subjects or your supervisory authority were consulted, and why or why not.
- Outcome: state whether residual risks are acceptable. If a high residual risk cannot be mitigated, prior consultation with your supervisory authority is required under Article 36 of the EU GDPR or UK GDPR before processing starts.
| Sign-off | Entry |
|---|---|
| Overall residual risk (low / medium / high) | ____________________ |
| DPIA outcome (proceed / proceed with measures / consult SA) | ____________________ |
| Controller DPO or decision-maker (name, role) | ____________________ |
| Date and signature | ____________________ |
| Review date (at least annually or on material change) | ____________________ |
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.