Assessment types
This feature requires Fides Cloud or Fides Enterprise. For more information, talk to our solutions team.
Fides includes eleven assessment templates. Each template corresponds to a specific regulatory framework or methodology. This page provides full reference information for each type.
Template summary
| Name | Region | Authority |
|---|---|---|
| GDPR Data Protection Impact Assessment | EU / EEA | GDPR Article 35, EDPB guidelines |
| UK GDPR DPIA | United Kingdom | UK GDPR Article 35, ICO guidance |
| EU AI Act Fundamental Rights Impact Assessment | European Union | EU AI Act (Regulation 2024/1689), Article 27 |
| California CPRA / CCPA Risk Assessment | California, USA | CPRA / CCPA, CPPA final rules (2025) |
| Colorado CPA Data Protection Assessment | Colorado, USA | Colorado Privacy Act (C.R.S. § 6-1-1309) |
| Virginia VCDPA Data Protection Assessment | Virginia, USA | Virginia CDPA (Va. Code § 59.1-579) |
| US Multi-State Data Protection Assessment | USA (generic) | Multiple US state privacy laws |
| Generic Privacy Impact Assessment | Global | CNIL PIA methodology |
| UK ICO Record of Processing Activities (ROPA) | United Kingdom | UK GDPR Article 30, ICO guidance |
| Ireland DPC Record of Processing Activities (ROPA) | Ireland | EU GDPR Article 30, DPC guidance |
| France CNIL Record of Processing Activities (ROPA) | France | EU GDPR Article 30, CNIL guidance |
GDPR Data Protection Impact Assessment
Region: European Union and European Economic Area
Legal basis: GDPR Article 35 requires a DPIA before processing that is "likely to result in a high risk to the rights and freedoms of natural persons." EDPB guidelines on DPIAs identify processing types that presumptively require one, including systematic profiling, large-scale processing of special categories, and systematic monitoring.
When it's required: Your organization must conduct a DPIA before commencing high-risk processing and consult with the supervisory authority under Article 36 if the residual risk remains high after mitigation.
Question groups:
- Project Overview
- Data Inventory
- Data Flows
- Legal Basis and Compliance
- Risk Assessment
- Risk Mitigations
- Individual Rights
- Governance and Approval
UK GDPR DPIA
Region: United Kingdom
Legal basis: UK GDPR Article 35 (as retained in UK law post-Brexit) and ICO guidance on DPIAs. The ICO has published a DPIA template and step-by-step guidance that this template aligns with.
When it's required: Required for the same categories of high-risk processing as EU GDPR, adapted for UK data subjects and the ICO as the relevant supervisory authority.
Question groups: Aligned to the ICO DPIA template structure, covering project description, data flows, consultation, necessity and proportionality, risks, and sign-off.
EU AI Act Fundamental Rights Impact Assessment
Region: European Union
Legal basis: EU AI Act (Regulation 2024/1689), Article 27. Deployers of high-risk AI systems that are bodies governed by public law, or private entities providing public services, must conduct a fundamental rights impact assessment before putting the system into use. Article 27(4) allows existing GDPR DPIA findings to complement the FRIA where relevant. Article 27(5) requires the AI Office to publish a standardised questionnaire template that deployers must use when notifying the market surveillance authority of FRIA results.
When it's required: The FRIA obligation under Article 27 applies from 2 August 2026, when the Regulation's high-risk AI system provisions become applicable. The assessment must be performed before the first use of the high-risk AI system. Applies to high-risk AI systems classified under Annex III when the deployer is a public body or provides public services. Organizations using AI systems for employment decisions, credit scoring, law enforcement, migration management, or access to essential services should evaluate whether this assessment applies. Systems used as safety components in the management of critical digital infrastructure, road traffic, or the supply of water/gas/heating/electricity are exempt from the FRIA obligation.
Question groups:
- Process and Purpose
- Duration and Frequency
- Affected Populations
- Risk Identification
- Human Oversight
- Mitigation and Governance
California CPRA / CCPA Risk Assessment
Region: California, USA
Legal basis: CCPA Regulations (Title 11, Division 6, Chapter 1, Article 10), final text approved by the California Office of Administrative Law on 22 September 2025. Compliance required from 1 January 2026.
When it's required: Required for processing that presents significant risk to consumers' privacy, including selling personal information, sharing personal information for cross-context behavioral advertising, processing sensitive personal information, using automated decision-making technology (ADMT) for significant decisions, training ADMT for identification or biometric recognition, automated inference of sensitive traits, and systematic observation in educational or employment contexts. Assessments must be conducted before initiating the processing activity (or, for activities already underway before 1 January 2026, completed by 31 December 2027). Assessments must be reviewed at least every three years and re-reviewed within 45 days of a material change. The CPPA or Attorney General may request a full copy, which must be provided within 30 calendar days.
Question groups:
- Processing Scope and Purpose(s)
- Significant Risk Determination
- Data Categories
- Consumer Notification
- Consumer Rights
- Retention Periods
- Third-Party Recipients
- Service Provider Contracts
- Technical Safeguards
- Benefits vs. Risks Analysis
- Automated Decision-Making Technology Details
- Stakeholder Involvement and External Consultation
- Detailed Negative Impact Analysis
- Review and Approval
- Review Cadence and Change Management
- CPPA Submission Packet
Colorado CPA Data Protection Assessment
Region: Colorado, USA
Legal basis: Colorado Privacy Act, C.R.S. § 6-1-1309. Controllers must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to consumers, including processing for targeted advertising, profiling, selling personal data, and processing sensitive data.
When it's required: Required before commencing any of the enumerated heightened-risk activities. The Attorney General may request assessments as part of an investigation.
Question groups: Structured around the CPA's mandatory assessment factors: processing purpose, necessity, proportionality, safeguards, and consumer rights mechanisms.
Virginia VCDPA Data Protection Assessment
Region: Virginia, USA
Legal basis: Virginia Consumer Data Protection Act, Va. Code § 59.1-579. Controllers must conduct a data protection assessment for processing activities that present a heightened risk of harm to consumers.
When it's required: Required for targeted advertising, profiling with legal or similarly significant effects, selling personal data, and processing sensitive data.
Question groups: Covers processing description, data categories, purposes, benefits, consumer risks, risk mitigation, and controller sign-off.
US Multi-State Data Protection Assessment
Region: United States (generic)
Legal basis: Designed to satisfy the data protection assessment requirements across multiple state privacy laws simultaneously, including Colorado CPA, Virginia VCDPA, Connecticut CTDPA, Montana MCDPA, and others with similar requirements.
When it's required: Use this template when a processing activity spans multiple US states with DPA requirements, to produce a single assessment document that addresses all applicable frameworks.
Question groups: Covers the common core required by all covered state laws, with additional questions for state-specific requirements. Answers that satisfy the strictest state law are generally sufficient for all.
Generic Privacy Impact Assessment
Region: Global
Legal basis: Based on the CNIL (French data protection authority) PIA methodology, which is widely recognized as a best-practice framework applicable regardless of jurisdiction.
When to use it: Use this template when no jurisdiction-specific template applies, for voluntary PIAs on lower-risk processing, or as a baseline assessment before determining which jurisdiction-specific template to use.
Question groups:
- Project Overview
- Data Inventory
- Data Flows
- Legal Basis and Compliance
- Risk Assessment
- Risk Mitigations
- Individual Rights
- Governance and Approval
UK ICO Record of Processing Activities (ROPA)
Region: United Kingdom
Legal basis: UK GDPR Article 30, Data Protection Act 2018, and ICO Documentation Guidance. Controllers and processors are required to maintain records of processing activities under Article 30.
When it's required: All controllers and processors must maintain a ROPA. Fields marked as required in this template are mandated by Article 30; additional fields are recommended by the ICO to support wider accountability obligations under Article 5(2).
Question groups:
- Controller Identification (Art 30(1)(a))
- Processing Operation and Purposes (Art 30(1)(b))
- Data Subjects and Personal Data (Art 30(1)(c))
- Recipients and Data Sharing (Art 30(1)(d))
- International Transfers (Art 30(1)(e))
- Retention and Erasure (Art 30(1)(f))
- Security Measures (Art 30(1)(g))
- Lawful Basis and Special Categories (Arts 6, 9)
- Automated Decision-Making and Profiling (Art 22)
- DPIA and Impact Assessments (Art 35)
- Data Subject Rights (Arts 12-22)
- Consent Records (Art 7)
- Personal Data Breaches (Art 33)
- Processor Arrangements
- Review
Ireland DPC Record of Processing Activities (ROPA)
Region: Ireland
Legal basis: EU GDPR Article 30, Data Protection Act 2018 (Ireland), and DPC Guidance on Records of Processing Activities. The DPC expects ROPA input from all relevant business units and requires lawful basis documentation beyond the Article 30 minimum.
When it's required: All controllers and processors must maintain a ROPA. Fields marked as required are mandated by the GDPR and/or explicitly required by DPC guidance; additional fields are recommended by the DPC.
Question groups:
- Controller Identification (Art 30(1)(a))
- Processing Operation and Purposes (Art 30(1)(b))
- Data Subjects and Personal Data (Art 30(1)(c))
- Recipients and Data Sharing (Art 30(1)(d))
- International Transfers (Art 30(1)(e))
- Retention and Erasure (Art 30(1)(f))
- Security Measures (Art 30(1)(g))
- Lawful Basis and Special Categories (Arts 6, 9)
- Automated Decision-Making and Profiling (Art 22)
- DPIA and Impact Assessments (Art 35)
- Data Subject Rights (Arts 12-22)
- Consent Records (Art 7)
- Personal Data Breaches (Art 33)
- Processor Arrangements
- Review
France CNIL Record of Processing Activities (ROPA)
Region: France
Legal basis: EU GDPR Article 30, Loi Informatique et Libertés (as amended), and CNIL guidance on the registre des activités de traitement. The CNIL provides detailed guidance on maintaining processing records aligned with French data protection law.
When it's required: All controllers and processors must maintain a ROPA. Fields marked as required are mandated by the GDPR and/or explicitly required by CNIL guidance; additional fields are recommended by the CNIL. Field names in this template include their French equivalents for reference.
Question groups:
- Processing Operation Identification
- Controller Identification (Art 30(1)(a))
- Purposes of Processing (Art 30(1)(b))
- Data Subjects and Personal Data (Art 30(1)(c))
- Recipients and Data Sharing (Art 30(1)(d))
- International Transfers (Art 30(1)(e))
- Retention and Erasure (Art 30(1)(f))
- Security Measures (Art 30(1)(g))
- Lawful Basis and Special Categories (Arts 6, 9)
- Automated Decision-Making and Profiling (Art 22)
- Impact Assessments (Art 35)
- Data Subject Rights (Arts 12-22)
- Consent Records (Art 7)
- Personal Data Breaches (Art 33)
- Processor Arrangements
- Review