Screen early
Decide whether Article 35 is triggered before design choices are fixed.
Data Protection Impact Assessments · GDPR Article 35
Identify, assess and reduce the risks of high-risk processing before it begins — with templates, risk scoring, mitigation tracking and approvals that leave a decision record the DPC or ICO can follow, linked to your RoPA, vendors and data map.
Last reviewed June 15, 2026
Article 35 answer
A DPIA is not just a compliance form. It records what a project will do with personal data, why the processing is necessary, what could go wrong for individuals, and which controls reduce the risk before launch.
Acompli treats the completed DPIA as source evidence: approved answers can feed the risk register, Article 30 RoPA entries, vendor reviews and the wider compliance record.
Decide whether Article 35 is triggered before design choices are fixed.
Description, necessity and proportionality, risks, and measures stay in one governed record.
DPO advice, reviewer sign-off, residual risk, mitigation owners and review dates are preserved.
Carry the relevant facts into Article 30, the risk register, vendor records and the data map.
GDPR Article 35 requires a DPIA before processing that is likely to result in a high risk to individuals. Common triggers include systematic monitoring, large-scale special category data, profiling, automated decisions with significant effects, vulnerable people, new technologies and processing where individuals may struggle to exercise their rights.
If high residual risk remains after mitigation, Article 36 prior consultation may be needed before processing starts. Failing to run a required DPIA is an Article 83(4)(a) infringement, so the record needs to be defensible, not just complete. Acompli preserves each of these decisions — screening outcome, DPO advice, reviewer sign-off and the Article 36 trigger — as dated, attributable entries in the assessment record.
Processing description, necessity and proportionality, risks to individuals, and measures addressing those risks.
DPO advice, reviewer sign-off, residual-risk decisions and the Article 36 trigger are recorded before launch.
Where Acompli fits
Acompli starts the DPIA from a structured template, draws context from the organisational knowledge base, supports AI-assisted drafting, routes every answer through human review, and carries approved findings into risk and RoPA workflows.
| Workflow | What changes | Output |
|---|---|---|
| Template and context | Structured templates draw from organisational context instead of a blank document. | A complete draft assessment. |
| Human review | AI-assisted answers, risk notes and improvements remain drafts until a reviewer approves them. | A signed-off decision record. |
| Connected evidence | Approved answers carry into RoPA, risk, vendor and data-map work without re-keying. | Reusable governance evidence. |
| Ongoing updates | Supplier, transfer or lawful-basis changes surface the affected assessment and Article 30 record for review. | A living compliance record. |
DPIA FAQ
Article 35 requirements, DPC and ICO expectations, RoPA linkage, AI systems, transfers and review cadence.
DPIA software is the tool a privacy team uses to run Data Protection Impact Assessments under GDPR Article 35 in a controlled, repeatable way. In Acompli, each DPIA runs from a template through questionnaires, risk scoring and mitigation tracking to a named approver - and the approved answers become reusable evidence that can feed the risk register, Article 30 records and vendor reviews.
Article 35 of the GDPR (Regulation (EU) 2016/679) is the legal basis for the Data Protection Impact Assessment. It requires a controller to carry out a DPIA before any processing that is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used (Article 35(1)). Article 35(3) sets three cases where a DPIA is always required, Article 35(7) lists the four mandatory contents, and Article 35(2) requires the controller to seek the DPO's advice. In Ireland the DPC, and in the UK the ICO, each publish a list of processing operations that require a DPIA under Article 35(4).
Article 35(7) GDPR sets the four mandatory contents of a DPIA: (a) a systematic description of the envisaged processing operations and their purposes; (b) an assessment of the necessity and proportionality of the processing in relation to those purposes; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance. Acompli templates each of these fields with version control, records the DPO's advice under Article 35(2), and carries the approved assessment into the Article 30 RoPA.
Look for Article 35 screening criteria, templates and questionnaires, risk scoring with mitigation tracking, reviewer approvals, and a preserved decision record. Acompli adds the connections a DPC or ICO inquiry will probe: each assessment links to the systems, vendors and transfers it covers, and approved answers carry through to the risk register and RoPA instead of dying in a document.
Yes - if it preserves the decision record. Acompli keeps the full trail behind each assessment: who answered, what evidence supported each answer, which risks were identified, what mitigations were chosen and who approved the outcome. When the DPC or ICO asks why processing went ahead, the answer is an export, not an archaeology project.
Three Article 35(3) cases always trigger one: systematic and extensive profiling with legal or significant effects, large-scale processing of special-category or criminal-offence data, and systematic monitoring of publicly accessible areas at scale. Beyond those, the DPC's Article 35(4) list and the ICO's screening checklist add operations such as workplace monitoring, health data processing, combining datasets and location tracking - and if two or more of the EDPB's nine criteria apply, run the assessment. Acompli's screening template asks these trigger questions first, so borderline projects get a documented decision instead of a guess.
Article 35(7) sets the mandatory core: a systematic description of the processing, a necessity and proportionality assessment, the risks to individuals, and the measures addressing them - plus a record of DPO advice under Article 35(2). In April 2026 the EDPB published its first harmonized EU-wide DPIA template, which Irish and UK teams can map to DPC and ICO expectations. Acompli's templates carry these fields with version control and approvals, and existing Word or Excel DPIAs can be imported so historical assessments live in the same governed record.
A completed DPIA contains most of what Article 30 GDPR requires for a RoPA entry: the purposes of processing, categories of personal data and data subjects, recipients including third-country transfers, retention periods, the description of technical and organisational security measures, and the controller / DPO contact details. The DPC and ICO both expect a current, accurate Article 30 register, and a DPIA done well is the cleanest source for those fields. In Acompli, approved DPIA answers map directly into Article 30 fields so the RoPA reflects the assessed reality of the processing rather than a separately-maintained spreadsheet; if the DPIA changes (new supplier, new transfer, new lawful basis), the Article 30 record changes with it.
Yes, in nearly every realistic case. An Annex III high-risk AI system under the EU AI Act will also be high-risk processing under GDPR Article 35: it typically involves systematic monitoring, automated decision-making with significant effects, profiling, or special-category data. The EU AI Act adds a separate Fundamental Rights Impact Assessment (FRIA) obligation for certain deployers under Article 27, but a FRIA does not replace a DPIA where personal data is processed. The DPC and EDPB position is that the GDPR DPIA remains required, and a well-built DPIA already covers the Article 35(7) ground a FRIA reuses. Acompli's AI Register module is available on opt-in (early access) and is designed to surface Annex III flags into the DPIA workflow rather than run as a parallel form, so the four classification fields — risk tier, Annex III, Article 6(3), GPAI — connect back to the same processing activity that triggered the DPIA.
Yes. Schrems II (CJEU C-311/18) and the EDPB Recommendations 01/2020 changed what a defensible DPIA must show for any processing that transfers personal data outside the EEA. A DPIA that pre-dates Schrems II — or that names SCCs without a Transfer Impact Assessment — is no longer current evidence. The DPC's enforcement record, including the €1.2bn Meta decision, treats inadequate transfer documentation as a substantive breach. A current DPIA for any non-EEA processing should reference the relevant transfer mechanism (SCCs, adequacy, BCRs), link to a completed TIA assessing third-country law and supplementary measures, and record the residual risk. Acompli flags affected processing activities when a transfer destination, supplier, or sub-processor changes so the DPIA is updated rather than left stale.
Yes, where the processing is likely to result in a high risk to individuals. Under GDPR Article 35 in Ireland (enforced by the DPC) and UK GDPR Article 35 in the UK (enforced by the ICO, with the Data Protection Act 2018 in support), a controller must complete a DPIA before high-risk processing begins. The DPC has published a list of processing operations that require a DPIA in Ireland; the ICO has published its own screening list and DPIA template for the UK. Failure to do a DPIA where one was required is an independently sanctionable breach under Article 83(4)(a), separate from any later breach of the substantive rules. The practical test, in both jurisdictions, is whether a regulator could later look at the project file and find a defensible Article 35(7) assessment that pre-dates the processing. Acompli date-stamps each approved assessment and its sign-off, so that pre-dating record exists by default.
DPIA software should track every element listed in Article 35(7) plus the evidence trail behind each answer: the systematic description of processing, the necessity and proportionality assessment, the risk-to-individuals analysis, the mitigating measures, the DPO advice recorded under Article 35(2), reviewer sign-off, residual-risk decisions, and the Article 36 prior-consultation trigger where a high residual risk remains. The DPC Guide to DPIAs and EDPB Guidelines 04/2022 expect each of these to be a recorded, dated decision rather than a free-text note. For Ireland and the UK, the software should also link the DPIA to Article 30 fields, to any related TIA for Schrems II transfers, and to the risk register, so a single audit request can be answered from one record. In Acompli those links are native: each assessment connects to its Article 30 entry, related TIA and risk-register records, so the export answers the request in one pass.
The DPC and ICO both treat a DPIA as a living record rather than a one-off form. The DPC Guide to DPIAs and ICO 'How do we do a DPIA?' state that a DPIA should be reviewed whenever the nature, scope, context, or purposes of the processing change, when a new technology is introduced, when a new supplier or transfer is added, or where the risk profile shifts. A pragmatic baseline is an annual review for active high-risk processing, with event-driven re-review whenever a supplier, sub-processor, transfer destination, lawful basis, or data category changes. Acompli triggers DPIA re-review from changes in linked Article 30 fields, supplier records, or transfer destinations, so review is event-driven rather than calendar-only.
Yes, with care. Article 35(1) GDPR explicitly allows a single DPIA to address a set of similar processing operations that present similar high risks, and both the DPC and ICO recognise programme-level DPIAs (for example a group rollout, a vendor framework, or a class of customer scoring models). The reuse only holds where the risks, controls, lawful basis, and affected individuals remain materially the same; a new supplier, new transfer destination, or change in data categories typically requires a fresh assessment or a documented delta. Acompli treats an approved DPIA as evidence that can be cloned and edited for a similar activity, with a clear audit trail of what changed, rather than a one-off Word file.
The best DPIA software is decided by how well it screens Article 35 triggers early, structures the four Article 35(7) contents with version control, records DPO advice and reviewer approvals, and preserves a defensible decision record a regulator can follow. Acompli's angle is to govern these as connected, human-approved records tied to the wider GDPR and EU AI Act programme - each assessment linked to its RoPA activity, risk register and supplier records, and each answer traceable to approved evidence. For an unbiased read of the DPIA options, our DPIA software comparison guide and full comparison library compile public-source capability charts and head-to-head vendor breakdowns, and flag honestly where competitors do more than Acompli.
Acompli turns DPIAs into living, audit-ready records linked to risk and Article 30 entries, with the evidence behind every decision.