BRUSSELS — The Business Software Alliance (BSA) has called on the European Data Protection Board (EDPB) to ensure its new voluntary Data Protection Impact Assessment (DPIA) template remains flexible, risk-based, and practical to implement across different organizations and processing activities.

In its response to the EDPB's public consultation, BSA welcomed efforts to promote greater consistency in GDPR compliance across the EU, while cautioning against a "check-the-box" approach to DPIAs.

"The goal of a DPIA is to identify and mitigate risks to individuals' rights and freedoms," said Irma Gudžiūnaitė, Director, Policy – EMEA at BSA. "The EDPB's initiative can improve consistency across the EU, but the final template should remain flexible, proportionate, and focused on actual privacy risks. Organizations should be able to tailor assessments to the nature of their processing activities rather than excessive documentation requirements."

BSA's submission highlights five priorities: preserving flexibility, reinforcing the risk-based nature of DPIAs, providing greater clarity on when they are required, ensuring proportionality, and promoting interoperability with other regulatory frameworks.

BSA noted that some elements of the draft template—such as detailed requirements on technical infrastructure, data quality metrics, and assessments of alternative approaches—may exceed what Article 35 GDPR requires. The association also called for greater certainty on when a DPIA is necessary.

To avoid duplicative compliance efforts, BSA emphasized that organizations should be able to build on assessments conducted under other frameworks, including the EU AI Act, and supplement them where needed. BSA also supports the proposed Digital Omnibus amendments to Article 35 GDPR, which would help harmonize DPIA requirements across the EU and provide greater legal certainty.

The consultation is particularly important because national data protection authorities may align their own templates with the EDPB model, making the final template a de facto standard for privacy risk assessments and GDPR compliance across Europe.