DPIA Software

DPIA software is the tool a privacy team uses to run the Article 35 Data Protection Impact Assessment required by the EU and UK GDPR. The best DPIA software does more than fill in a template — it works the substance of the necessity-and-proportionality assessment, records where each answer came from, and keeps a named human accountable for the sign-off. That distinction — a tickbox form versus a defensible decision record — is what separates a tool that passes a demo from one that holds up when a supervisory authority asks why processing went ahead. This guide covers what DPIA software is, why it is a legal requirement, how it actually works, and the criteria that matter when you choose one.

Key takeaways

  • A DPIA is a legal obligation under Article 35 of the EU and UK GDPR wherever processing is likely to be high-risk; skipping a required one is independently sanctionable under Article 83(4)(a).
  • The real work is the Article 35(7) substance — a systematic description, a necessity-and-proportionality assessment, the risks to individuals, and the mitigations — not template tickboxes.
  • The test of DPIA software is provenance, not paperwork: can it show where each answer came from, who approved it, and what the residual-risk decision was — the questions a DPC or ICO inquiry asks.
  • The strongest tools connect the assessment: an approved DPIA feeds the Article 30 RoPA and risk register, complements an EU AI Act FRIA under Article 27, and is reusable across LIAs and TIAs — with a human deciding each outcome.

What is DPIA software?

DPIA software runs the Data Protection Impact Assessment — the structured evaluation the GDPR requires before processing that is likely to result in a high risk to individuals. A blank Word template can capture answers, but it stores only what someone last typed. DPIA software treats each assessment as a governed decision record: it carries the systematic description of the processing, the necessity-and-proportionality reasoning, the risks to individuals and their likelihood and severity, the mitigating measures, the recorded DPO advice and a named approver — and it knows where each of those answers came from.

That provenance is the point. When the Data Protection Commission (DPC) in Ireland or the Information Commissioner's Office (ICO) in the UK looks at a project file, the question is not “do you have a DPIA document” but “can you show the assessment was defensible, dated before the processing, and acted on.” Acompli treats the completed DPIA as source evidence rather than a one-off form: the approved assessment becomes a record that can be reused when the activity changes, a regulator asks, or a similar project starts later.

Why do you need DPIA software?

A DPIA is not optional documentation where the processing is high-risk — it is a legal obligation. Article 35 of the EU GDPR (applied in Ireland through the Data Protection Act 2018) and of the UK GDPR requires the assessment before high-risk processing begins, and the failure to run one where it was required is an independently sanctionable breach under Article 83(4)(a) — separate from any later breach of the substantive rules. The practical test, in both jurisdictions, is whether a regulator could later open the project file and find a defensible Article 35(7) assessment that pre-dates the processing.

The reason to use software rather than a document is defensibility. A standalone DPIA file shows a conclusion but rarely the reasoning, the evidence, or the approval behind it; a regulator reads that gap as weak accountability. DPIA software preserves the full decision trail — who answered, what evidence supported each answer, which risks were identified, what mitigations were chosen and who approved the outcome — so a later inquiry is answered by an export, not an archaeology project.

How does DPIA software work?

The strongest DPIA software runs the assessment as a controlled workflow, so the substance is worked rather than improvised in a blank document. In Acompli the pipeline runs in four governed stages:

  • Screen: a structured template asks the Article 35(3)/(4) trigger questions first, so borderline projects get a documented decision on whether a DPIA is required rather than a guess.
  • Draft: the assessment starts from an Article 35(7) template and draws context from the organisational knowledge base; evidence-grounded AI drafting maps responses to each field with a per-field citation back to the source it came from.
  • Review: drafted answers enter a review queue where a named person can trace every field to its evidence, weigh the necessity-and-proportionality reasoning, and approve, edit or reject it before sign-off.
  • Carry through: approved findings flow downstream — into the Article 30 RoPA, the risk register and vendor reviews — and the assessment surfaces for re-review when an upstream fact changes.

This is the honest meaning of “DPIA automation”: automation reduces the typing, the chasing and the re-keying, not the accountability. The AI drafts, classifies and surfaces; a person approves the outcome, the residual-risk and DPO-advice decisions are recorded rather than assumed, and nothing publishes itself. (See the Acompli DPIA module for how the workflow runs in the platform.)

What should DPIA software include?

Whatever the vendor, score a tool against what a supervisory-authority inquiry actually tests — not how polished the form looks. The criteria that matter:

  • Full Article 35(7) coverage — the systematic description of processing, the necessity-and-proportionality assessment, the risks to individuals, and the measures that address them, as distinct fields rather than one free-text box.
  • Screening against the regulator's high-risk list — the Article 35(4) operations the DPC publishes for Ireland and the ICO's screening checklist for the UK, with the EDPB nine-criteria test applied.
  • Evidence traceability — every answer links back to the source response, system or contract that produced it, so a claim can be substantiated, not just asserted.
  • Recorded DPO advice — the Article 35(2) consultation captured as a dated decision, not an afterthought.
  • Reviewer-attributed version history — what changed, who changed it, who approved it, and when.
  • An Article 36 prior-consultation trigger — where a high residual risk remains after mitigation, the tool should flag the prior-consultation workflow rather than let the project proceed silently.
  • Downstream connections — approved outputs carried through to the Article 30 RoPA and the risk register, with a Schrems II transfer flag routing affected processing to a Transfer Impact Assessment.
  • A self-contained export — a record the DPC or ICO can read without a login to your platform.

For a structured side-by-side of DPIA tools against these criteria, see DPIA tools compared for Irish organisations.

Key capabilities to expect

  • Article 35(4) screening templates — trigger questions against the DPC and ICO high-risk lists.
  • Necessity-and-proportionality assessment — the Article 35(7) substance worked as structured fields.
  • Evidence-grounded AI drafting — drafts with per-field citations back to source, human-approved.
  • Risk scoring & mitigation tracking — residual-risk decisions and an Article 36 trigger.
  • Article 30 & risk-register mapping — approved findings flow into the RoPA and risk register.
  • Reusable across LIAs & TIAs — clone an approved assessment for related necessity tests with an audit trail.

Who needs DPIA software?

Any organisation that runs processing likely to result in a high risk to individuals needs a DPIA, and in practice that reaches most organisations of any scale — the obligation is keyed to risk, not headcount, so smaller teams are not meaningfully exempt. Privacy and DPO functions use DPIA software to make a daunting assessment a guided, repeatable workflow; larger groups need entity-scoped assessments so each subsidiary can show its own supervisory authority a defensible record. Because the underlying necessity-and-proportionality logic also drives Legitimate Interests Assessments, Transfer Impact Assessments and EU AI Act work, the same tool earns its place across the assessment programme. See the Acompli DPIA module for how the workflow runs in the platform, and the DPIA requirements guide for Ireland and the UK for the underlying legal detail.

Common questions about DPIA software

What is DPIA software?

DPIA software is the tool a privacy team uses to run the Data Protection Impact Assessment required by Article 35 of the EU and UK GDPR. Rather than work the assessment in a Word file, it treats each DPIA as a governed decision record — the systematic description of the processing, the necessity-and-proportionality assessment, the risk-to-individuals analysis, the mitigations and the DPO advice — with a named approver accountable for the outcome. In Acompli, the approved assessment becomes reusable evidence that can feed the Article 30 RoPA and the risk register instead of being re-typed.

Why do businesses need DPIA software?

Where processing is likely to result in a high risk to individuals, a DPIA is a legal obligation under Article 35 of the EU and UK GDPR — and failing to run one where it was required is independently sanctionable under Article 83(4)(a), separate from any later breach. DPIA software keeps that assessment defensible: it captures the Article 35(7) elements as dated decisions before processing begins, preserves the reasoning behind each answer, and produces the record a DPC or ICO inquiry can follow, rather than a free-text note that cannot show why processing went ahead.

How does DPIA software work?

Good DPIA software runs the assessment as a controlled workflow rather than a blank document. In Acompli a DPIA starts from a structured Article 35(7) template, draws context from the organisational knowledge base, and routes responses through evidence-grounded AI drafting where each drafted answer carries a link back to the source it came from; a named reviewer then traces, edits, approves or rejects every field before sign-off. The AI drafts, classifies and surfaces; a person approves the outcome — nothing publishes itself, and the residual-risk decision and DPO advice are recorded, not assumed.

What features make the best DPIA software?

Score a tool on what a supervisory-authority inquiry actually tests, not on how slick the form looks: full Article 35(7) field coverage (description, necessity and proportionality, risks to individuals, mitigations), Article 35(4) screening against the regulator's high-risk list, evidence traceability from each answer back to its source, recorded DPO advice under Article 35(2), reviewer-attributed version history, an Article 36 prior-consultation trigger for unresolved high residual risk, and a self-contained export the regulator can read. Crucially, the assessment should carry approved outputs through to the Article 30 RoPA and risk register — a tool that only produces a standalone document fails the join-the-dots question an audit asks.

How does an approved DPIA feed the Article 30 RoPA?

A completed DPIA already contains most of what an Article 30 RoPA entry needs: the purposes of processing, the categories of data and data subjects, recipients and third-country transfers, retention periods and the technical and organisational security measures. In Acompli, approved DPIA answers map directly into the matching Article 30 fields, so the RoPA reflects the assessed reality of the processing rather than a separately-maintained spreadsheet — and if the DPIA changes (a new supplier, a new transfer, a new lawful basis), the linked Article 30 record and the risk register move with it. The AI proposes the mapping; a person approves it.

Does DPIA software help with the EU AI Act FRIA?

It can, because the two assessments overlap. A high-risk AI system under Annex III of the EU AI Act is, in nearly every realistic case, also high-risk processing under GDPR Article 35 — systematic monitoring, automated decisions with significant effects, profiling or special-category data. The Fundamental Rights Impact Assessment that Article 27 of the AI Act requires of certain deployers does not replace the DPIA where personal data is processed; a well-built DPIA already covers much of the ground a FRIA reuses. Acompli's AI System Register is an opt-in early-access capability designed to surface Annex III flags into the DPIA workflow rather than run as a parallel form, so the classification connects back to the same processing activity — and a human, not the tool, decides the outcome.

Can a DPIA be reused across similar processing activities?

Yes, with care. Article 35(1) of the GDPR explicitly allows a single DPIA to address a set of similar processing operations that present similar high risks, and the DPC and ICO both recognise programme-level assessments. The reuse only holds where the risks, controls, lawful basis and affected individuals stay materially the same — a new transfer destination or change in data categories needs a fresh assessment or a documented delta. Because the underlying necessity-and-proportionality logic is the same as a Legitimate Interests Assessment or a Transfer Impact Assessment, good DPIA software lets an approved assessment be cloned and edited for a related LIA or TIA, with a clear audit trail of what changed rather than a one-off file.

Is DPIA software suitable for organisations of all sizes?

Yes. Any organisation that runs processing likely to result in a high risk to individuals needs a DPIA, and smaller organisations are not meaningfully exempt — the Article 35 obligation is keyed to risk, not headcount. Smaller teams benefit most from screening templates and evidence-grounded drafting that turn a daunting assessment into a guided workflow; larger groups need entity-scoped assessments and a defensible decision record each subsidiary can show its own supervisory authority. Acompli scales the same governed DPIA workflow from a single entity to a multi-entity group, with human sign-off the constant at every size.