DPIA generator for AI systems
DPIA Generator
Generate a GDPR Data Protection Impact Assessment draft for AI workflows that process personal data. The generated output is a working draft for governance review and should be validated by the accountable business, technical, legal, and compliance owners.
# DPIA Draft: AI customer support triage

## Purpose

Classify customer requests, draft internal recommendations, and route complex cases to support specialists.

## Data categories

- Name
- Email address
- Support message
- Account metadata

## Data subjects

- Customers
- Support agents

## Personal data usage

The workflow uses message content to classify intent and generate an internal support summary.

## Automated decision-making

No solely automated consequential decision-making is documented in this draft.

## Third-party providers

- Corelyx
- Model provider
- Support inbox provider

## Necessity assessment

The processing should be limited to data necessary for the documented workflow purpose. Each node should have a defined input, output, retention need, and owner.

## Proportionality assessment

The workflow should use the least intrusive data source, minimise prompt content, avoid unnecessary special-category data, and provide human oversight where the output affects people.

## Risk analysis

- Unnecessary personal-data exposure in prompts or connector payloads.
- Inaccurate, biased, or poorly explained AI recommendations.
- Excessive retention of prompts, outputs, or decision evidence.
- Insufficient review before customer, employee, patient, or candidate impact.

## Mitigation measures

- Minimise personal data before AI/model calls.
- Use human approval before consequential actions.
- Restrict access to workflow logs and generated reports.
- Retain prompts and outputs only where necessary.
- Record model/provider metadata and reviewer decisions.

## Residual risks

- Model output may be inaccurate or biased.
- Data-source quality may affect recommendations.
- Third-party provider configuration may change.

## Approval workflow

Business owner, technical owner, privacy/compliance reviewer, and legal reviewer should approve this DPIA before production deployment when high risk remains.
Problem
AI workflows are often created faster than organizations can inventory, classify, document, monitor, audit, review, and govern them.
Regulatory relevance
GDPR and the EU AI Act both reward clear records, risk assessment, human oversight, logging, and accountable review processes.
Corelyx solution
Inside Corelyx, these draft reports become workflow-native evidence connected to schemas, approvals, execution logs, and exports.