Step-by-Step Guide

This interactive guide is designed to make the DPIA process as simple and clear as possible. The process is usually carried out over the initial phases of the project and also allows time for your Data Protection Officer’s final review. The process is divided into 6 clear steps. In each step we cover what you need to do and what material you get from Intric to move forward.

The guide is supported by Intric’s DPIA Assistant, which helps you with supporting questions, discussion material, and example text for each step. The Assistant is available in the Arena library.


Step 1

Purpose

For the DPIA work to be effective, the right people need to be involved from the start. The Data Protection Officer must by law be part of the process. Both the Swedish Authority for Privacy Protection (IMY) and the EDPB stress that early involvement is preferable.

In this step you will:

  • Understand which template and structure apply to your organization
  • Set clear boundaries for what is to be assessed
  • Survey existing documentation
  • Involve the right people from the start

What you need to do

Schedule a kick-off meeting
Schedule a kick-off meeting with your Data Protection Officer (DPO) and other relevant representatives from your organization, in line with your existing processes. This might include those responsible for information security, IT, and business representatives.

Review internal documents and procedures
Check whether you have your own DPIA template or use IMY’s or SKR’s template. At this stage it is also useful to look at information security policies, document management plans, and any AI policies.

Define your purpose
Outline which departments will use Intric, how many users are involved, what your main use cases are, and which problems you want to solve.

Complete step 1 in Intric’s DPIA Assistant
Our interactive Assistant guides you through the preparatory steps and helps you structure the work.

What Intric provides

To help you get started we give you access to our basic agreement package and security material:

  • DPIA Assistant to support the preparatory work
  • Example purpose descriptions from different business areas
  • 🔍 Annex 1 and 2 supporting material for your DPA: DPA Template

Step 2

Purpose

In this step you map the full data lifecycle. It is important to distinguish between the system’s technical functions and your specific content.

What you need to do

A practical way to approach this is a simple three-part exercise:

1. Describe the purpose
Why will the system be used and what should it achieve?

2. Describe processes and content
How will the process work in Intric? What will the AI Assistants do, and which specific documents or types of information will be uploaded to achieve the purpose?

3. Identify personal data
From the information in step 2 you can extract and document:

  • a) Whose data is processed? (Only employees, or also customers or individuals mentioned in your documents?)
  • b) What types of personal data are involved? (For example names, email addresses, or even special categories such as health data or trade union membership?)

Describe your internal technical setup
Because Intric provides the external platform and infrastructure (servers, AI models, etc.), you typically only need to describe the technology you use internally to give your users access. This usually covers:

  • Identity and login: Your SSO solution (e.g. Microsoft Entra ID or Google Workspace) integrated to control access and permissions
  • Clients and hardware: For example that the system is accessed via the organization’s managed computers or mobile devices
  • Network: For example any internal requirement to be on the organization’s network or VPN to log in

What Intric provides

We fill in the technical details about the system and our infrastructure. You get ready-made text from us on:

  • Example wording for purpose and aims from previous DPIAs
  • System overview and data flow: Ready-made descriptions and flow diagrams showing how the system handles users, search queries, and documents
    🔍 System architecture and technical overview: System Architecture and Technical Overview
  • Geographic storage: We specify exactly in which country and in which data centers your data is stored
  • Sub-processor list: A full list of our sub-processors, where they are located, what data they process, and why
    🔍 DPA and sub-processor list: DPA Template

Step 3

Purpose

This step is about formally ensuring that you have a legal basis to process the data and that the core data protection principles are met:

  • Processing is proportionate to the purpose
  • Data is used only for that specific purpose
  • Data is minimized and retained in line with your rules
  • Data subject rights can be fulfilled

This is often simpler than it sounds—you have probably already made similar legal assessments and have a legal basis for your other IT tools or existing workflows. It is usually a matter of aligning with your Data Protection Officer so you can apply the same reasoning to your use of Intric.

What you need to do

Document legal basis
For each type of processing (e.g. login vs. document content) you must state a legal basis under the GDPR (e.g. Public interest or Legitimate interest).

Define retention and disposal rules (storage minimization)
State how long data will be kept and who is responsible for removing old documents.

Define procedures for data subject rights
Describe your internal process for how a user requests a copy of their data, rectification, or erasure.

What Intric provides

We show that the platform technically meets the GDPR’s requirements:

  • Technical measures for minimization: We describe how our platform supports role-based access control (RBAC), so that people only see data they are entitled to
    🔍 RBAC and access control: Role-Based Access Control (RBAC)
  • Technical support for data subject rights: Instructions for how to export user data or perform a full erasure of a user’s history in the platform
    🔍 Data handling: export, erasure, and deletion: Data Handling: Export, Erasure, and Deletion
  • Technical support for deletion: Instructions for how to configure the platform to automatically remove data (e.g. Assistant history) after a given timeframe
    🔍 Configure retention and erasure: Data Handling: Export, Erasure, and Deletion
  • Information on international transfers: We clarify whether data (e.g. when processed by AI) leaves the EU/EEA, to which countries, and which legal transfer mechanisms (e.g. SCCs) and safeguards apply

Step 4

Purpose

The GDPR requires risks to be assessed before the system is put into use. It is important to remember that risks are directly linked to how you choose to use the system and what type of information you process.

When you assess risks, focus on the impact on data subjects (not business risks to your organization). Risks can broadly be grouped by how they affect individuals’ rights and data security:

  • Unauthorized access or disclosure (confidentiality): The wrong person gains access to personal data, for example due to incorrect permissions or a data breach
  • Purpose creep and misuse: The system or data is used for something other than originally intended
  • Loss or manipulation of data (integrity and availability): Data is deleted by mistake, lost, or altered so that it becomes incorrect
  • Processor-related risks: Risks linked to how the platform and its sub-processors handle data

What you need to do

Identify operational risks
Focus on risks linked to how you use the system. For example:

  • (Category: Loss or manipulation of data) The risk that sensitive documents are uploaded by mistake
  • (Category: Unauthorized access or disclosure) The risk that users have overly broad access to documents they should not see
  • (Category: Purpose creep and misuse) The risk of purpose creep (the system starts to be used for the wrong purposes)

Assess likelihood and severity
Rate each identified risk on a scale (often 1–5).

What Intric provides

We help you with the technical processor-related risks:

  • Example operational risks from previous DPIAs: We provide ready-made risk descriptions for scenarios that may apply to your organization
  • Example processor risks from previous DPIAs: We provide ready-made risk descriptions for scenarios such as a data breach on our side, or risks related to international transfers
  • Certifications and example procedure descriptions: ISO 27001, supplier control process, etc.
    🔍 Certifications and technical and organizational measures: Intric's TOMs

Step 5

Purpose

In this step you define measures to reduce the risks identified in the previous step to an acceptable level. These are split into technical, organizational, and contractual safeguards (known as “TOMs”—Technical and Organizational Measures), both internally in your organization and externally with us as the processor.

A crucial part of this work is making sure end users receive adequate training and information, which is a condition for you to ensure internal compliance with your procedures.

What you need to do

Define your internal measures
Describe how you will address the risks you have identified. This can be technical (e.g. “We enable MFA”) or organizational (e.g. “We create a clear policy on what may be uploaded”).

Assign responsibility and deadlines
For each measure, someone in your organization must be responsible.

Assess residual risk
Recalculate the risk level after your measures are in place. Is the risk still too high?

What Intric provides

We provide the solutions to the technical risks:

  • Example TOMs for your organization based on previous DPIAs
  • Training material: Support material for your administrators and users so they can use the system securely from day one
  • Intric’s technical and organizational measures: A full technical list of the safeguards we apply, both technical and organizational
  • Best practices and technical options: We guide you on how to configure the system (e.g. how to separate Workspaces securely) to address your identified operational risks
  • Contractual guarantees: Requirements and commitments that legally bind us in our DPA and in the DPAs we have with our sub-processors

Step 6

Purpose

In the final step the DPIA is formally reviewed, approved, and endorsed within the organization before the system goes live.

What you need to do

DPO review
Your Data Protection Officer must review the document, provide written recommendations, and approve the assessment.

Formal decision
The project manager or business owner makes a formal decision (yes/no) on whether the system may be introduced, based on the assessed risks.

Communicate to users
Inform users about the DPIA’s conclusions and the procedures they must follow.

What Intric provides

To help you feel confident before launch:

  • Review of processor facts: We can review your DPIA draft to verify that our system architecture or technical limitations have not been misunderstood