Resource · Template library

Templates — institutional artefacts for privacy programs.

Templates we use in active engagements, made available for organisations building these capabilities themselves. Three core templates — Records of Processing Activities, Data Protection Impact Assessment, and Personal Data Breach Response Playbook — are downloadable below with substantial inline preview content. Eight supporting templates are catalogued in the ledger. These are starting points, not regulatory compliance guarantees: substantive compliance depends on accurate population, ongoing maintenance, and the underlying processing being genuinely lawful. Adapt to your organisation; engage qualified support where the stakes warrant it.

Template library — at a glance

11 templates · v1.0 · Last revised May 2026
Template ID | Template | Description | Format | Regimes | Status
VTX-PRV-TPL-RoPA | Records of Processing Activities | Master register of all processing activities | .md | All applicable | Available
VTX-PRV-TPL-DPIA | Data Protection Impact Assessment | 7-step DPIA methodology with risk matrix | .md | GDPR · DIFC · ADGM · DPDP · PDPL | Available
VTX-PRV-TPL-Breach | Breach Response Playbook | 5-phase incident response with regulator notification | .md | All applicable · multi-regime | Available
VTX-PRV-TPL-DPA | Data Processing Agreement | Multi-regime DPA template with sub-processor regime | .md | GDPR · DIFC · ADGM · PDPL | In preparation
VTX-PRV-TPL-PrivNotice | Privacy Notice | Customer-facing privacy notice with regime variants | .md | All applicable | In preparation
VTX-PRV-TPL-Consent | Consent Notice | Affirmative consent capture with audit trail structure | .md | DPDP · PDPL · DIFC · ADGM | In preparation
VTX-PRV-TPL-VendorAssess | Vendor Privacy & Security Assessment | Tier-based vendor due diligence questionnaire | .md | All applicable | In preparation
VTX-PRV-TPL-DSAR | DSAR Workflow | Data subject access request workflow with timelines | .md | All applicable | In preparation
VTX-PRV-TPL-Retention | Retention Schedule | Records management retention schedule by data category | .md | All applicable · sectoral overlays | In preparation
VTX-PRV-TPL-TIA | Transfer Impact Assessment | Cross-border transfer risk assessment template | .md | GDPR · DIFC · ADGM · PDPL | In preparation
VTX-PRV-TPL-Training | Privacy Awareness Training Plan | Role-specific training programme with refresh cadence | .md | All applicable | In preparation
Records of Processing Activities (VTX-PRV-TPL-RoPA)

What this template is for

The master register of every processing activity.

A RoPA is the inventory of processing activities that GDPR requires explicitly (Article 30) and that the other regimes covered here expect, either as a stated obligation or as the natural accountability evidence. One row per processing activity, with sufficient detail to satisfy auditor scrutiny under any applicable regime. The template captures the full structure of a per-activity record, including lawful basis per regime, cross-border transfer specifics, retention rationale, security measures, and DPIA linkage. It is designed as a living document maintained quarterly, not a one-time exercise.

Document structure
11 sections per processing activity record

01 Activity identification: Activity ID, name, business owner accountable for the processing, last reviewed date
02 Purposes: Primary purpose, compatible secondary purposes, authorisation trail for any extensions
03 Lawful basis (per regime): Specific lawful basis with citation under each applicable regime; multi-regime entities document each separately
04 Data subjects: Categories, approximate volume, geographic distribution, presence of special categories or vulnerable individuals
05 Data categories: Identifying, demographic, behavioural, financial, health, biometric, children's data, with sensitivity classification
06 Recipients: Internal recipients, external processors, joint controllers, government/regulatory disclosures, with purpose and lawful basis
07 International transfers: Per-transfer record: destination, recipient, source regime, mechanism, TIA reference, regulator authorisation
08 Retention: Retention period, rationale, statutory citation, deletion mechanism, backup retention alignment confirmation
09 Security measures: Encryption at rest and in transit, access controls, audit logging, backup discipline, incident detection, with evidence references
10 DPIA status: Whether a DPIA is required, determination basis, DPIA reference and date, residual risk level
11 Notes & risk considerations: Known issues, recent changes, regulator engagement history, audit findings, forward considerations
What auditors look for

Dimension | What it means in audit context
Completeness | Does every actual processing activity appear in the register? Activities operating off-register are a frequent finding.
Currency | Are records current, with recent review dates? Dormant registers signal an absence of operating discipline.
Lawful basis specificity | Is the cited lawful basis genuinely the right one for the processing, or generic?
Cross-border accuracy | Do international transfer records match what is actually happening operationally?
DPIA linkage | For high-risk activities, is the DPIA referenced, and is the residual risk genuinely acceptable?
Retention defensibility | Are retention periods supported by a stated rationale or statutory citation?
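The six audit dimensions above are mechanical enough to check automatically before an auditor does. What follows is an added example in Python, not tooling from the RoPA template itself: it lints a register held as a list of dicts whose keys follow the 11 sections, and compares the register against a set of activity IDs taken from elsewhere (for instance a system or asset inventory) to catch activities operating off-register. The field names, the 92-day review cut-off, the fixed "today" and the two sample records are assumptions constructed for the example.

```python
# Added example (not tooling from the RoPA template): automated checks over a
# register against the six audit dimensions above. Field names, the 92-day
# review cut-off, the fixed "today" and the sample records are assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_CADENCE = timedelta(days=92)  # "maintained quarterly" (assumed cut-off)
TODAY = date(2026, 5, 15)            # fixed so the sample run is reproducible
REQUIRED_SECTIONS = ("activity_id", "name", "owner", "last_reviewed", "purposes",
                     "lawful_basis", "data_subjects", "data_categories", "recipients",
                     "international_transfers", "retention", "security_measures", "dpia")
TRANSFER_FIELDS = ("destination", "recipient", "source_regime", "mechanism", "tia_ref")

@dataclass(frozen=True)
class Finding:
    activity_id: str
    dimension: str
    detail: str

def check_record(rec: dict, today: date = TODAY) -> list[Finding]:
    """Audit findings for one processing-activity record."""
    aid = rec.get("activity_id", "<no id>")
    out: list[Finding] = []
    # Completeness: every section present and populated.
    for key in REQUIRED_SECTIONS:
        if rec.get(key) in (None, "", [], {}):
            out.append(Finding(aid, "completeness", f"section '{key}' missing or empty"))
    # Currency: reviewed within the maintenance cadence.
    reviewed = rec.get("last_reviewed")
    if isinstance(reviewed, date) and today - reviewed > REVIEW_CADENCE:
        out.append(Finding(aid, "currency", f"last reviewed {reviewed}, cadence exceeded"))
    # Lawful basis specificity: a bare label with no article/section citation is the generic case.
    for regime, basis in (rec.get("lawful_basis") or {}).items():
        if not basis.get("citation"):
            out.append(Finding(aid, "lawful_basis_specificity",
                               f"{regime}: '{basis.get('basis')}' stated without citation"))
    # Cross-border accuracy: each transfer needs the full per-transfer record.
    for i, tr in enumerate(rec.get("international_transfers") or []):
        missing = [k for k in TRANSFER_FIELDS if not tr.get(k)]
        if missing:
            out.append(Finding(aid, "cross_border_accuracy", f"transfer #{i}: missing {', '.join(missing)}"))
    # DPIA linkage: a required DPIA must be referenced and its residual risk acceptable.
    dpia = rec.get("dpia") or {}
    if dpia.get("required"):
        if not dpia.get("reference"):
            out.append(Finding(aid, "dpia_linkage", "DPIA required but no reference recorded"))
        if dpia.get("residual_risk") in ("high", "critical"):
            out.append(Finding(aid, "dpia_linkage", f"residual risk '{dpia['residual_risk']}' not acceptable"))
    # Retention defensibility: a period needs a rationale or citation, and a deletion mechanism.
    ret = rec.get("retention") or {}
    if ret.get("period") and not (ret.get("rationale") or ret.get("statutory_citation")):
        out.append(Finding(aid, "retention_defensibility", "period stated without rationale or citation"))
    if ret.get("period") and not ret.get("deletion_mechanism"):
        out.append(Finding(aid, "retention_defensibility", "no deletion mechanism recorded"))
    return out

def lint_register(register: list[dict], known_activities: set[str], today: date = TODAY) -> list[Finding]:
    """Lint every record, then flag activities seen operationally (e.g. in a system inventory) but absent here."""
    findings = [f for rec in register for f in check_record(rec, today)]
    registered = {rec.get("activity_id") for rec in register}
    findings += [Finding(aid, "completeness", "activity operating off-register")
                 for aid in sorted(known_activities - registered)]
    return findings

# Constructed sample register: one well-formed record and one with typical gaps.
SAMPLE_REGISTER = [
    {"activity_id": "PA-001", "name": "Customer onboarding (KYC)", "owner": "Head of Onboarding",
     "last_reviewed": date(2026, 4, 2), "purposes": ["identity verification"],
     "lawful_basis": {"GDPR": {"basis": "legal obligation", "citation": "Art. 6(1)(c)"}},
     "data_subjects": ["customers"], "data_categories": ["identifying", "financial"], "recipients": ["KYC vendor"],
     "international_transfers": [{"destination": "IE", "recipient": "KYC vendor", "source_regime": "DIFC",
                                  "mechanism": "adequacy", "tia_ref": "TIA-007"}],
     "retention": {"period": "5 years", "statutory_citation": "AML record-keeping", "deletion_mechanism": "purge job"},
     "security_measures": ["encryption at rest", "audit logging"],
     "dpia": {"required": True, "reference": "DPIA-003", "residual_risk": "medium"}},
    {"activity_id": "PA-002", "name": "Marketing analytics", "owner": "CMO",
     "last_reviewed": date(2025, 11, 20), "purposes": ["campaign measurement"],        # stale review
     "lawful_basis": {"GDPR": {"basis": "legitimate interest"}},                        # no citation
     "data_subjects": ["prospects"], "data_categories": ["behavioural"], "recipients": ["analytics SaaS"],
     "international_transfers": [{"destination": "US", "recipient": "analytics SaaS"}],  # incomplete transfer record
     "retention": {"period": "indefinite"}, "security_measures": [],                     # no rationale; empty section
     "dpia": {"required": True, "residual_risk": "high"}},                               # no reference, residual too high
]
KNOWN_ACTIVITIES = {"PA-001", "PA-002", "PA-003"}  # PA-003 appears in the system inventory only

def demo() -> list[Finding]:
    """Run the lint over the sample register (9 findings: 8 on PA-002, 1 off-register)."""
    return lint_register(SAMPLE_REGISTER, KNOWN_ACTIVITIES)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.activity_id:7} {f.dimension:26} {f.detail}")
```

check_record covers the per-record dimensions; lint_register adds the register-level completeness check. Feeding it the current system inventory at each quarterly review turns "activities operating off-register" from an audit finding into a tracked work item, and the currency check makes a dormant register visible before a regulator asks.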
Data Protection Impact Assessment (VTX-PRV-TPL-DPIA)

What this template is for

A 7-step methodology for high-risk processing.

Required where processing is likely to result in high risk to data subjects' rights and freedoms: large-scale sensitive data, systematic monitoring, automated decision-making, children's data at scale, novel technology including AI. The template walks through identification, necessity and proportionality, risk identification, risk scoring on a 5×5 matrix, mitigation measures, residual risk acceptance, and the approval workflow. It is designed for substantive risk analysis, not tick-box compliance.

Methodology — 7 steps
From identification to approval

Step 01 Identification of processing: Plain-language description, nature, scope, context, purposes, data involved, technology, geographic scope
Step 02 Necessity & proportionality: Lawful basis specificity, data minimisation analysis, alternative methods considered, balance test against benefit
Step 03 Identification of risks: Risk register with source, affected data subjects and potential consequences. Common categories range from confidentiality breach to discrimination
Step 04 Risk assessment matrix: 5×5 matrix scoring likelihood × impact. Risk scores from 1 to 25 mapped to four bands with action requirements
Step 05 Mitigation measures: Per-risk mitigations across technical, organisational, contractual, procedural, and architectural categories
Step 06 Residual risk assessment: Re-score after mitigation. Acceptance criteria with escalation thresholds, rising from DPO sign-off to executive approval to regulator consultation
Step 07 Approval & sign-off: Multi-party approval matrix: business owner, DPO, InfoSec, Legal, executive sponsor (high residual), regulator (where required)
Risk matrix — 5×5 scoring

Score = likelihood × impact. Rows are likelihood, columns are impact.

Likelihood ↓ / Impact → | 1 Negligible | 2 Limited | 3 Significant | 4 Severe | 5 Critical
5 Almost certain | 5 Med | 10 High | 15 Crit | 20 Crit | 25 Crit
4 Likely | 4 Low | 8 Med | 12 High | 16 Crit | 20 Crit
3 Possible | 3 Low | 6 Med | 9 Med | 12 High | 15 Crit
2 Unlikely | 2 Low | 4 Low | 6 Med | 8 Med | 10 High
1 Very unlikely | 1 Low | 2 Low | 3 Low | 4 Low | 5 Med

Action thresholds: Low (1 to 4) document only · Medium (5 to 9) mitigation required · High (10 to 14) substantial mitigation plus senior approval to accept the residual · Critical (15 to 25) cannot proceed without remediation, or only with explicit DPO and executive approval plus regulator consultation where the regime provides for it (under GDPR, prior consultation under Article 36 where high residual risk cannot be mitigated).

Because the score is a product of two ordinal ratings, the band is sensitive to the likelihood rating: a Critical-impact risk rated Unlikely scores 10 (High), while the same risk rated Very unlikely scores 5 (Medium). Likelihood ratings should therefore be evidenced, not tuned to land a risk in a lower band.
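The matrix, the band thresholds and the step 06/07 escalation as a small Python module, run over a constructed risk register. This is an added example, not code from the DPIA template: it regenerates the table from the product rule, re-scores each risk after mitigation, derives the required approvers from the residual band, and refuses to mark a Critical residual as approved until the regulator is among the sign-offs. The approver role names, the may_proceed rule and the sample risks are assumptions.

```python
# Added example (not tooling from the DPIA template): 5×5 scoring, band
# thresholds and approval routing. Role names, the may_proceed rule and the
# sample risk register are assumptions made for illustration.
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = {1: "Very unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Limited", 3: "Significant", 4: "Severe", 5: "Critical"}
BANDS = (("Low", 4), ("Medium", 9), ("High", 14), ("Critical", 25))  # inclusive upper bounds
ACTION = {
    "Low": "document only",
    "Medium": "mitigation required",
    "High": "substantial mitigation; senior approval to accept residual",
    "Critical": "cannot proceed without remediation, or explicit DPO + executive + regulator approval",
}

def score(likelihood: int, impact: int) -> int:
    """Likelihood × impact; rejects anything outside the 1..5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"likelihood and impact must be 1..5, got {likelihood}, {impact}")
    return likelihood * impact

def band(s: int) -> str:
    """Map a score 1..25 to its band."""
    for name, upper in BANDS:
        if s <= upper:
            return name
    raise ValueError(f"score out of range: {s}")

def matrix() -> dict[tuple[int, int], tuple[int, str]]:
    """(likelihood, impact) -> (score, band) for every cell; regenerates the table above."""
    return {(lk, im): (score(lk, im), band(score(lk, im))) for lk in LIKELIHOOD for im in IMPACT}

def approvers(residual_band: str) -> list[str]:
    """Step 07 approval matrix, escalating with the residual band from step 06."""
    roles = ["business owner", "DPO", "InfoSec", "Legal"]
    if residual_band in ("High", "Critical"):
        roles.append("executive sponsor")
    if residual_band == "Critical":
        roles.append("regulator")
    return roles

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    mitigations: tuple[str, ...] = ()
    residual_likelihood: int | None = None  # None: not yet re-scored after mitigation
    residual_impact: int | None = None
    approvals: frozenset[str] = frozenset()  # roles that have signed off so far

def assess(risk: Risk) -> dict:
    """Inherent and residual scores, required action and approvers, and whether processing may proceed."""
    inherent = score(risk.likelihood, risk.impact)
    rl = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
    ri = risk.impact if risk.residual_impact is None else risk.residual_impact
    residual = score(rl, ri)
    rband = band(residual)
    needed = approvers(rband)
    warnings = []
    if residual > inherent:
        warnings.append("residual score exceeds inherent score; re-check the re-scoring")
    if rband != "Low" and not risk.mitigations:
        warnings.append(f"{rband} residual with no mitigation recorded")
    return {
        "risk_id": risk.risk_id,
        "inherent": (inherent, band(inherent)),
        "residual": (residual, rband),
        "action": ACTION[rband],
        "approvers": needed,
        "may_proceed": set(needed) <= risk.approvals,  # Critical cannot proceed without the regulator
        "warnings": warnings,
    }

# Constructed sample risk register.
SAMPLE_RISKS = [
    Risk("R1", "Re-identification of pseudonymised health data by analytics vendor", 4, 5,
         ("pseudonymisation at source", "contractual re-identification ban", "vendor access logging"),
         2, 4, frozenset({"business owner", "DPO", "InfoSec", "Legal"})),  # residual Medium, fully signed off
    Risk("R2", "Unauthorised access to biometric templates", 3, 5,
         ("hardware-backed key storage", "role-based access"), 2, 5,
         frozenset({"business owner", "DPO", "InfoSec", "Legal"})),        # residual High, no executive sponsor
    Risk("R3", "Automated credit decisions discriminating against a protected group", 5, 4,
         ("bias testing before release",), 4, 4, frozenset({"DPO", "executive sponsor"})),  # still Critical
    Risk("R4", "Marketing list shared with a joint controller without purpose limitation", 3, 2),  # never re-scored
]

def assess_register(risks: list[Risk] = SAMPLE_RISKS) -> list[dict]:
    return [assess(r) for r in risks]

if __name__ == "__main__":
    for r in assess_register():
        print(r["risk_id"], r["inherent"], "->", r["residual"], "| proceed:", r["may_proceed"], r["warnings"])
```

The two warnings (a residual above the inherent score, and a non-Low residual with no mitigation on record) catch the most common re-scoring errors in practice: a risk "mitigated" on paper with no measure recorded, and a step 06 re-score that was never actually done.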

Personal Data Breach Response Playbook (VTX-PRV-TPL-Breach)

What this template is for

The operational document that activates during a breach.

Different from a breach response plan: a playbook is action-oriented, organised by phase, and designed to be usable under incident pressure. Five phases cover detection through lessons learned. It includes regulator notification matrices for the regimes covered here (GDPR/DIFC/ADGM/UAE PDPL/KSA PDPL/DPDP), pre-drafted communication templates for regulator and data subject notification, severity classification, and a tabletop exercise programme. The 72-hour clock starts on awareness, and the playbook is built around that operational reality.

5-phase response timeline

01 Detection & Triage (0 to 2 hours): Confirm that an incident exists, characterise initial scope, and record the time of awareness, since any regulatory clock runs from that moment rather than from the decision to notify. 10-action checklist with triage decision tree.

02 Assessment & Containment (2 to 12 hours): Contain the incident, preserving logs and system images before remediation overwrites evidence; characterise precise scope and severity; classify (Severe/Significant/Limited); prepare regulator notification.

03 Notification (12 to 72 hours): Regulator notifications per applicable regime, data subject notification where required, external communications discipline.

04 Recovery (ongoing): System restoration, vulnerability remediation, affected-subject support, regulator follow-up management.

05 Lessons Learned (within 30 days): Post-incident review, root cause analysis, corrective actions tracked to closure, playbook update, executive briefing.

Regulator notification matrix

Regime | Authority | Deadline | Channel
GDPR | Competent (lead) supervisory authority | Without undue delay and, where feasible, within 72 hours of awareness; reasons must accompany any later notification | Authority-specific portal
DIFC DP Law | DIFC Commissioner | As soon as practicable (no fixed hour count in the Law; treat 72 hours from awareness as the outer bound) | DIFC Commissioner portal
ADGM DP Regs | ADGM Office of Data Protection | 72 hours from awareness | ADGM portal
UAE Federal PDPL | UAE Data Office | Without undue delay (Executive Regulations) | UAE Data Office channel
KSA PDPL | SDAIA | 72 hours from awareness | NDGP notification channel
DPDP Act | Data Protection Board of India | Prompt initial intimation; detailed report within 72 hours | DPB notification channel

Critical principle: multi-regime entities must notify each applicable regulator separately. The 72-hour clock starts on awareness of the breach, not on confirmation. When in doubt, start the clock: late notification is materially worse than early notification of an event that turns out to be non-reportable. GDPR Article 33 allows the information to be supplied in phases, so an initial notification with partial facts is acceptable, and Article 33(5) requires every breach to be documented whether or not it is reported, so the triage record is required evidence either way.

Supporting templates

Eight further artefacts in preparation.

Additional governance templates that round out a complete privacy operating system. These are catalogued for transparency and will be released through the year as we finalise the institutional versions. Engagement clients receive these directly as part of project work; standalone availability follows.

VTX-PRV-TPL-DPA · Data Processing Agreement · In preparation
Multi-regime DPA template with sub-processor regime, audit rights, breach notification SLAs, and return/deletion mechanics calibrated for organisations subject to two or more regimes simultaneously.
Regimes: GDPR · DIFC · ADGM · PDPL · Target: Q3 2026

VTX-PRV-TPL-PrivNotice · Privacy Notice · In preparation
Customer-facing privacy notice with regime-specific variants (Federal PDPL Arabic, DIFC GDPR-aligned, ADGM, KSA Arabic, DPDP English plus a framework for the 22 languages of India's Eighth Schedule).
Regimes: All applicable · Target: Q3 2026

VTX-PRV-TPL-Consent · Consent Notice · In preparation
Affirmative consent capture with audit trail structure. Granular per-purpose consent, withdrawal mechanism specification, demonstrability evidence requirements per regime.
Regimes: DPDP · PDPL · DIFC · ADGM · Target: Q3 2026

VTX-PRV-TPL-VendorAssess · Vendor Privacy & Security Assessment · In preparation
Tier-based vendor due diligence questionnaire covering processor obligations, security posture, sub-processor regime, breach notification capability, audit rights, residency.
Regimes: All applicable · Target: Q3 2026

VTX-PRV-TPL-DSAR · DSAR Workflow · In preparation
Data subject access request workflow with response timelines per regime (14 days Federal PDPL, 30 days DIFC/ADGM, one month GDPR under Article 12(3)), identity verification protocols, exemption analysis.
Regimes: All applicable · Target: Q4 2026

VTX-PRV-TPL-Retention · Retention Schedule · In preparation
Records management retention schedule by data category with sectoral overlay accommodation (banking 5+ years, healthcare records, employment, KYC). Backup retention alignment guidance.
Regimes: All · sectoral overlays · Target: Q4 2026

VTX-PRV-TPL-TIA · Transfer Impact Assessment · In preparation
Cross-border transfer risk assessment template. Destination country legal framework analysis, recipient safeguards, residual risk evaluation, supplementary measures specification.
Regimes: GDPR · DIFC · ADGM · PDPL · Target: Q4 2026

VTX-PRV-TPL-Training · Privacy Awareness Training Plan · In preparation
Role-specific training programme with refresh cadence, comprehension assessment, completion records discipline. Tracks to accountability evidence under all major regimes.
Regimes: All applicable · Target: Q1 2027
Use guidance

These are starting points, not regulatory compliance certificates.

Each template provides a credible structural foundation calibrated to regulatory expectations. Substantive compliance depends on accurate population to reflect your actual operations, ongoing maintenance against changing regulations and processing, and the underlying processing being genuinely lawful. Templates do not substitute for qualified legal advice on specific situations, regulator-engagement protocols, or the substantive privacy programme that gives the templates operational meaning. Where the stakes warrant it — large data subject populations, sensitive categories, active enforcement context, multi-regime exposure — engage qualified support to validate the population and operating effectiveness.

Templates are tools, not solutions.

A template populated quickly and never maintained is worse than no template at all — it provides false comfort while documenting actual gaps. If you need substantive support populating these templates against your specific operations, validating the result against active regulatory expectations, or building the broader privacy programme they are designed to live within, a 30-minute scoping call costs nothing.
