DPIAs
Higher-risk processing and formal privacy risk review under GDPR Article 35.
Assessments · DPIA · PIA · TIA · EU AI Act
Assess new processing, vendors, transfers and AI systems before they become regulatory problems — one governed workflow from template to approved decision record, with the evidence trail attached.

Privacy teams often run assessments across email, spreadsheets, Word documents and shared drives. Acompli turns assessment work into a governed workflow for templates, owners, evidence, risk scoring, approvals, RoPA links and exportable decision records.
For the surrounding guidance, see the types of privacy assessment, how to conduct a DPIA, the DPIA template, the legitimate interests assessment template, and privacy assessment software compared.
Start / choose your assessment
Start with a structured template for DPIAs, LIAs, TIAs, processor reviews, AI governance workflows and related regulatory assessments, or generate a tailored assessment from scratch.
The AI template builder tags RoPA-related questions as it generates your template, so Article 30 fields are mapped before a single answer is written.
- Higher-risk processing and formal privacy risk review under GDPR Article 35.
- Vendor oversight, due diligence, and contract governance reviews.
- International transfers, supplementary measures, and transfer governance.
- New systems, migrations, and technology implementations involving personal data.
- AI classification, governance, transparency, and human oversight obligations.
- Create tailored workflows for your own governance or operational requirements.
Contributors complete assessments with access to the systems, suppliers, locations, documents, and organisational records that matter — so the assessment starts from real context rather than a blank page.
Certain question types connect directly to your Knowledge Base. When an assessment asks which IT systems are involved, respondents select from your actual system inventory. The assessment and the data map stay in sync through mapped fields and review.
Assessment routing
This explains the practical routing logic behind the assessment product: new processing, lawful-basis decisions, transfers, processors and AI systems each need a different review path and output record.

Evidence lineage
Assessment answers are not just form text. They become cited, reusable evidence that can feed DPIAs, RoPA fields, risk records, transfer reviews and vendor files without re-keying.

The privacy assessment answer
Privacy assessment software is the tool a privacy team uses to run, review and record the assessments that govern new processing — the Data Protection Impact Assessment (DPIA) required under GDPR Article 35, the Legitimate Interests Assessment (LIA) behind an Article 6(1)(f) lawful basis, the Transfer Impact Assessment (TIA) for restricted transfers, the Article 28 processor review, the broader Privacy Impact Assessment (PIA), and the Fundamental Rights Impact Assessment (FRIA) for high-risk AI under the EU AI Act.
What separates a privacy assessment platform from a folder of templates is provenance. In Acompli each assessment runs through a controlled workflow, is approved by a named reviewer, and is kept as a decision record rather than a static document. The approved outcome feeds the connected Article 30 RoPA and risk register, so the assessment that justifies a processing activity stays attached to it — AI may draft, classify or flag, but a person approves the result.
Key takeaways
Acompli supports structured privacy and governance assessments, including DPIAs, PIAs, TIAs, AI risk assessments and vendor assessments. Each assessment can have owners, questions, evidence, risk scoring, approvals and a decision record.
Start from a template, assign business, legal, privacy, security and vendor owners, collect evidence, score risks, record approvals, link the assessment to RoPA and export the decision record.
Which assessment
Privacy law turns on a handful of distinct assessments, each with its own trigger and legal basis. Acompli runs all of them through one workflow, and the approved output of each feeds the same connected record.
| Assessment | What it checks | Legal basis / trigger | Status | Feeds |
|---|---|---|---|---|
| DPIA — Data Protection Impact Assessment | Risk to people’s rights and freedoms from a high-risk processing operation, and the measures to reduce it. | GDPR Article 35 — high-risk processing (Art 35(3): large-scale special-category data, systematic profiling, large-scale monitoring). | Mandatory | A decision record → Article 30 RoPA and risk register. |
| LIA — Legitimate Interests Assessment | Whether legitimate interests can be the lawful basis — the purpose, necessity and balancing tests. | Grounded in GDPR Article 6(1)(f); the three-part test is ICO and EDPB guidance. | Required to rely on the basis | The lawful-basis record in the RoPA. |
| TIA — Transfer Impact Assessment | Whether a restricted transfer keeps protection essentially equivalent to the EU standard. | Derived from Schrems II and GDPR Chapter V / Article 46; EDPB Recommendations 01/2020. | Required for Article 46 transfers without adequacy | The transfer-safeguard record. |
| Article 28 processor review | Whether a processor offers “sufficient guarantees”, evidenced in a written contract. | GDPR Article 28(1) and (3). | Required before engaging a processor | The vendor decision record. |
| PIA — Privacy Impact Assessment | Broader privacy risk of a new project, before a high-risk threshold is reached. | Not a GDPR instrument; best practice, closest to privacy by design (Article 25). | Voluntary / best practice | An early screen that escalates to a DPIA if needed. |
| FRIA — Fundamental Rights Impact Assessment | Impact on fundamental rights of deploying a high-risk AI system. | EU AI Act (Regulation (EU) 2024/1689) Article 27 — certain deployers of high-risk AI. | Mandatory for in-scope EU deployers (not the UK) | The AI-governance record; complements a DPIA. |
Which tool
Teams choosing assessment software meet four broad types. The right one turns less on feature count than on whether one workflow runs every assessment and the approved output stays connected to the Article 30 record.
| Type of tool | Best for | Strengths | Watch-out |
|---|---|---|---|
| All-in-one privacy suite | Large enterprises running many assessment types at scale | Breadth across modules in one platform | Assessments are often disconnected from the RoPA and risk register, and heavier to run |
| Single-assessment point tool | Teams that need only one assessment type (e.g. DPIA only) | Focused and simple | Doesn’t run DPIA, LIA, TIA and Article 28 in one workflow — work is re-keyed across tools |
| Spreadsheet or template pack | Occasional assessments, or first-timers | Cheap and quick to start | Static, with no approval trail — the output is a document, not a living record |
| Assessment-fed, provenance-led platform (where Acompli sits) | Privacy and DPO teams running DPIA, LIA, TIA and Article 28 in one governed workflow | One workflow across every assessment type, with human-approved decision records that auto-flow into the Article 30 RoPA | Built for the governed-provenance use case |
Connected guides
Acompli helps teams collect assessment answers from the people closest to the project while keeping privacy control over the workflow. That means fewer long interviews, fewer lost spreadsheets and a clearer record of who said what, when and with what evidence.
Last reviewed: June 11, 2026. Each assessment page keeps a distinct job and links to the relevant deeper answer.
DPIA, TIA, RoPA, and AI Act answers are supported by primary legal and regulator sources on their own pages. This Assessments page links the workflow together.
Recent assessment and accountability updates
Recent enforcement, transfer and AI-governance developments are exactly what a DPIA, TIA or EU AI Act assessment is meant to anticipate.
The Irish High Court has upheld the Data Protection Commission's €530 million fine against TikTok over the transfer of EEA user data to China and related transparency failures, confirming one of the largest GDPR penalties on record while allowing a narrow appeal on the size of the fine to proceed.
Novo Nordisk has disclosed a security incident in which attackers copied personal data from internal systems, including pseudonymised clinical trial data covering biomarkers and lifestyle factors, and directly identifying information about healthcare professionals - a breach that illustrates the layered sensitivity of health-sector data.
A compromise of market intelligence platform Klue allowed attackers to steal OAuth tokens connecting customer Salesforce environments, exposing business data across numerous organisations including Tanium, Gong, Huntress, and LastPass - a textbook SaaS supply-chain attack built on a forgotten legacy credential.
Assessment FAQ
Privacy assessment software runs structured assessments - DPIAs, PIAs, TIAs, legitimate-interest and vendor reviews - as governed workflows instead of documents. In Acompli, each assessment starts from a template, drafts answers from your organisational knowledge base with every AI draft flagged for review, and ends with a named approver, so the outcome is a decision record, not a Word file.
Run structured assessments connected to your systems, documents, and records. Keep answers, reviewer approvals and downstream outputs in one governed workflow.