Guide · 15 July 2026

Data Protection Impact Assessment prompt set

Prompts for assessing the data-protection risks of collecting or holding gender-history information — minimisation, purpose limitation, and the conditions under which sensitive data can and cannot be used.

By Joanne Lockwood · 4 min read

When to use this

Use this prompt set before you collect, retain, or share any gender-history information — that is, information that reveals, or could be used to infer, a person’s gender history or transition. Under the UK GDPR and Data Protection Act 2018, gender-history information is special-category personal data. It attracts a higher threshold of protection and can only be processed where a separate condition for processing is met alongside a lawful basis.

How to use this template

Work through the prompts as a team — ideally involving your data protection officer. Answer each question in writing before you collect or use the data. If you cannot answer a prompt, that is itself a signal that the processing is not yet defensible. Do not collect gender-history information “just in case”: absence of disclosure is not a gap to close, and curiosity is not a lawful basis.

What data, and why

What data will you collect? (List each field — e.g. previous name, sex assigned at birth, gender marker, medical details.) Why is each field needed? (Tie each field to a specific purpose.) Is there a less intrusive way to achieve that purpose? (Could you collect category-level data, or no data at all?)

Lawful basis for special-category data

What is your lawful basis under Article 6? (e.g. consent, legitimate interests, legal obligation.) What is your condition for processing special-category data under Article 9 and Schedule 1 of the DPA 2018? (Explicitly identify it — not all conditions will apply.) Is the condition valid for this purpose? If relying on consent, is it freely given, specific, informed, and withdrawable?

Purpose limitation

Can this data be reused for another purpose? (If so, what, and is that purpose compatible?) Who might want to reuse it later, and would that be lawful? Have you documented the purpose so that reuse outside it is flagged?

Minimisation

Is each field necessary? (Test each one. If you removed it, what would you lose?) Could you collect less and still achieve the purpose? Are you collecting data you do not yet know how to use? (If yes, do not collect it.)

Access and security

Who can access this data, and on what basis? (Role-based access, not blanket access.) How is it stored? (Encryption, access logs, segregation.) How is it transmitted or shared, if at all?

Retention and deletion

How long will you keep it? (Tie the retention period to the purpose.) What triggers deletion? Who is responsible for deletion, and how is it verified?

Transparency to the data subject

What have you told the data subject? (Privacy notice, collection notice.) Do they know what is collected, why, who sees it, and how long it is kept? Can they exercise their rights — access, rectification, erasure, objection?

Risks to data subjects

What is the risk of outing? (Could disclosure cause distress, harassment, or harm?) What is the risk to dignity and trust? What is the impact if the data is lost, leaked, or misused?

Mitigations

Mitigation: Owner: Residual risk after mitigation:

Residual risk and sign-off

Residual risk level: (Low / medium / high — and the reasoning.) Decision: (Proceed, proceed with mitigations, or do not proceed.) Sign-off: (Data protection officer, accountable lead, date.)

Review

Review date: Review owner: Trigger for earlier review: (e.g. a change in processing, a breach, or a change in law.)


This template provides general information and does not constitute legal advice. It is a scaffold to support your own documented, proportionate decision-making. Adapt it to your context and take specialist advice where your decision warrants it.

Take this further

  • EqIA/DPIA Wizard

    Carries these prompts into a guided six-stage DPIA and exports a record for your data-protection file.

  • Proportionality Check

    Runs the underlying data decision through a structured proportionality test, so the justification is reasoned rather than assumed.

  • Data-protection review

    Where gender-history data is sensitive or contested, a specialist review of the completed DPIA adds the depth a template cannot.

Sources