Sample DPIA

A pre-filled DPIA your DPO can adapt in an afternoon.

Schools running Earn Your Stripes need a Data Protection Impact Assessment under UK GDPR and the Children’s Code. This template is ICO-aligned, written from the school’s perspective, and pre-filled with everything we already know — sub-processors, retention, lawful basis, residency, the platform-level risks and the controls that mitigate them. Your DPO fills in the school-specific sections and signs it off.

About 16 pages once printed. Last reviewed: May 2026.

What’s inside

Seven ICO-aligned steps.

The template follows the ICO’s recommended structure. Every section marked “Pre-filled” is the platform’s answer. Every section marked “School fills in” is your homework.

1. Why we are doing a DPIA

The triggers — children’s data, special-category-adjacent material, automated moderation, systematic monitoring — and why the ICO recommends a DPIA before processing starts.

2. Describe the processing

What data is processed, whose data, how it’s collected and used, sub-processors, retention and international transfers — all pre-filled with the platform’s answers. The school adds its own roster details.

3. Consultation

The Article 35(9) requirement to consult data subjects. School fields for parent / pupil / governor consultation and any objections on file.

4. Necessity and proportionality

Lawful basis (Article 6(1)(e) public task for pupil processing), why the scheme achieves its purpose, what alternatives have been considered, and how data is minimised.

5. Identify and assess risks

Eleven platform-level risks already mapped — likelihood, severity, mitigations, residual — with a blank section for the school’s additional risks.

6. Measures to reduce risk

The platform’s standing controls (tenant isolation, moderation, magic-link, EXIF strip, audit log, 24h DSL escalation) plus space for the school’s own measures.

7. Sign off

Signature blocks for the person responsible, the headteacher / DPO, the DSL, and a governor representative, plus the review cadence.

Important

A starting point, not legal advice.

If your processing involves particularly sensitive children’s data — looked-after children, children with a court-recorded protection order, or children of public figures — please commission a tailored DPIA from a qualified data protection practitioner and refer to the ICO’s own template.

ICO DPIA guidance
  • Your school is the data controller; we are the processor
  • Pupil data stays in Azure UK South
  • Two sub-processors only (Azure, Stripe)
  • KCSIE-aligned safeguarding operating model
  • Automated moderation fails closed, never open
  • 24-hour DSL escalation built into the platform

Need something the template doesn’t cover?

Data flow diagrams, sub-processor lists, the Children’s Code self-assessment, KCSIE alignment notes — all available on request.