Assessments · DPIA · PIA · TIA · EU AI Act

Privacy assessment software your reviewers can stand behind

Assess new processing, vendors, transfers and AI systems before they become regulatory problems — one governed workflow from template to approved decision record, with the evidence trail attached.

Acompli active assessments screen showing assessment status chips, review workflow rows, recent assessments, assessment types and workflow status.
DPIA, PIA and TIA workflows in one place

Privacy teams often run assessments across email, spreadsheets, Word documents and shared drives. Acompli turns assessment work into a governed workflow for templates, owners, evidence, risk scoring, approvals, RoPA links and exportable decision records.

For the surrounding guidance, see the types of privacy assessment, how to conduct a DPIA, the DPIA template, the legitimate interests assessment template, and privacy assessment software compared.

  1. Choose assessment
  2. Contextual completion
  3. AI-assisted drafting
  4. Review & approval
  5. Connected outputs
  6. Continuity

Start / choose your assessment

Pre-built templates or build your own

Start with a structured template for DPIAs, LIAs, TIAs, processor reviews, AI governance workflows and related regulatory assessments, or generate a tailored assessment from scratch.

The AI template builder tags RoPA-affiliated questions as it generates your template, so Article 30 fields are mapped before a single answer is written.

DPIAs

Higher-risk processing and formal privacy risk review under GDPR Article 35.

Processor Assessments

Vendor oversight, due diligence, and contract governance reviews.

Transfer Impact Assessments

International transfers, supplementary measures, and transfer governance.

IT & Change Assessments

New systems, migrations, and technology implementations involving personal data.

EU AI Act Assessments

AI classification, governance, transparency, and human oversight obligations.

Custom Assessments

Create tailored workflows for your own governance or operational requirements.

02 Contextual Completion

Work from real organisational context

Contributors complete assessments with access to the systems, suppliers, locations, documents, and organisational records that matter — so the assessment starts from real context rather than a blank page.

Certain question types connect directly to your Knowledge Base. When an assessment asks which IT systems are involved, respondents select from your actual system inventory. The assessment and the data map stay in sync through mapped fields and review.

Context

  • Systems & Processors: Select from your registered IT estate and managed supplier list.
  • Project Documents: Contracts, DPAs, retention schedules, vendor questionnaires — parsed and indexed.
  • Locations & Transfers: Registered locations, transfer mechanisms, and safeguards.

Assessment routing

Which assessment is created from which fact?

This explains the practical routing logic behind the assessment product: new processing, lawful-basis decisions, transfers, processors and AI systems each need a different review path and output record.

Technical infographic showing assessment trigger signals, assessment paths, evidence captured and approved outputs for DPIA, LIA, TIA, Article 28 and AI Act records.

Evidence lineage

Approved answers become reusable compliance facts

Assessment answers are not just form text. They become cited, reusable evidence that can feed DPIAs, RoPA fields, risk records, transfer reviews and vendor files without re-keying.

Technical infographic showing how assessment answers become controlled, reusable evidence and downstream records across DPIA, RoPA, risk and transfer workflows.

The privacy assessment answer

What is privacy assessment software?

Privacy assessment software is the tool a privacy team uses to run, review and record the assessments that govern new processing — the Data Protection Impact Assessment (DPIA) required under GDPR Article 35, the Legitimate Interests Assessment (LIA) behind an Article 6(1)(f) lawful basis, the Transfer Impact Assessment (TIA) for restricted transfers, the Article 28 processor review, the broader Privacy Impact Assessment (PIA), and the Fundamental Rights Impact Assessment (FRIA) for high-risk AI under the EU AI Act.

What separates a privacy assessment platform from a folder of templates is provenance. In Acompli each assessment runs through a controlled workflow, is approved by a named reviewer, and is kept as a decision record rather than a static document. The approved outcome feeds the connected Article 30 RoPA and risk register, so the assessment that justifies a processing activity stays attached to it — AI may draft, classify or flag, but a person approves the result.

Key takeaways

Privacy assessment software, in four points

  • Assessments should start early, before high-risk processing begins, not after launch.
  • Templates and questionnaires reduce inconsistency, but approvals and evidence make the result defensible.
  • Acompli links assessments to RoPA, data mapping, vendors, risks and evidence so the assessment does not become a disconnected document.
  • AI can draft and flag, but a human approves the final assessment outcome.

What GDPR and EU AI Act assessments does Acompli support?

Acompli supports structured privacy and governance assessments, including DPIAs, PIAs, TIAs, AI risk assessments and vendor assessments. Each assessment can have owners, questions, evidence, risk scoring, approvals and a decision record.

Assessment workflows with one decision trail

Start from a template, assign business, legal, privacy, security and vendor owners, collect evidence, score risks, record approvals, link the assessment to RoPA and export the decision record.

Which assessment

Which privacy assessment do you need?

Privacy law turns on a handful of distinct assessments, each with its own trigger and legal basis. Acompli runs all of them through one workflow, and the approved output of each feeds the same connected record.

| Assessment | What it checks | Legal basis / trigger | Status | Feeds |
|---|---|---|---|---|
| DPIA — Data Protection Impact Assessment | Risk to people’s rights and freedoms from a high-risk processing operation, and the measures to reduce it. | GDPR Article 35 — high-risk processing (Art 35(3): large-scale special-category data, systematic profiling, large-scale monitoring). | Mandatory | A decision record → Article 30 RoPA and risk register. |
| LIA — Legitimate Interests Assessment | Whether legitimate interests can be the lawful basis — the purpose, necessity and balancing tests. | Grounded in GDPR Article 6(1)(f); the three-part test is ICO and EDPB guidance. | Required to rely on the basis | The lawful-basis record in the RoPA. |
| TIA — Transfer Impact Assessment | Whether a restricted transfer keeps protection essentially equivalent to the EU standard. | Derived from Schrems II and GDPR Chapter V / Article 46; EDPB Recommendations 01/2020. | Required for Article 46 transfers without adequacy | The transfer-safeguard record. |
| Article 28 processor review | Whether a processor offers “sufficient guarantees”, evidenced in a written contract. | GDPR Article 28(1) and (3). | Required before engaging a processor | The vendor decision record. |
| PIA — Privacy Impact Assessment | Broader privacy risk of a new project, before a high-risk threshold is reached. | Not a GDPR instrument; best practice, closest to privacy by design (Article 25). | Voluntary / best practice | An early screen that escalates to a DPIA if needed. |
| FRIA — Fundamental Rights Impact Assessment | Impact on fundamental rights of deploying a high-risk AI system. | EU AI Act (Regulation (EU) 2024/1689) Article 27 — certain deployers of high-risk AI. | Mandatory for in-scope EU deployers (not the UK) | The AI-governance record; complements a DPIA. |

Which tool

Which type of privacy assessment software fits you?

Teams choosing assessment software meet four broad types. The right one turns less on feature count than on whether one workflow runs every assessment and the approved output stays connected to the Article 30 record.

| Type of tool | Best for | Strengths | Watch-out |
|---|---|---|---|
| All-in-one privacy suite | Large enterprises running many assessment types at scale | Breadth across modules in one platform | Assessments are often disconnected from the RoPA and risk register, and heavier to run |
| Single-assessment point tool | Teams that need only one assessment type (e.g. DPIA only) | Focused and simple | Doesn’t run DPIA, LIA, TIA and Article 28 in one workflow — work is re-keyed across tools |
| Spreadsheet or template pack | Occasional assessments, or first-timers | Cheap and quick to start | Static, with no approval trail — the output is a document, not a living record |
| Assessment-fed, provenance-led platform (where Acompli sits) | Privacy and DPO teams running DPIA, LIA, TIA and Article 28 in one governed workflow | One workflow across every assessment type, with human-approved decision records that auto-flow into the Article 30 RoPA | Built for the governed-provenance use case |

Connected guides

Collaborative privacy assessments without email chains

Acompli helps teams collect assessment answers from the people closest to the project while keeping privacy control over the workflow. That means fewer long interviews, fewer lost spreadsheets and a clearer record of who said what, when and with what evidence.

Last reviewed: June 11, 2026. Each assessment page keeps a distinct job and links to the relevant deeper answer.

Recent assessment and accountability updates

Regulatory signals that shape your assessments

Recent enforcement, transfer and AI-governance developments are exactly what a DPIA, TIA or EU AI Act assessment is meant to anticipate.

Assessment FAQ

Frequently Asked Questions

Privacy assessment software runs structured assessments - DPIAs, PIAs, TIAs, legitimate-interest and vendor reviews - as governed workflows instead of documents. In Acompli, each assessment starts from a template, drafts answers from your organisational knowledge base with every AI draft flagged for review, and ends with a named approver, so the outcome is a decision record, not a Word file.

See assessments in action

Run structured assessments connected to your systems, documents, and records. Keep answers, reviewer approvals and downstream outputs in one governed workflow.