Data Protection Impact Assessments · GDPR Article 35

DPIA software that turns Article 35 into a decision record

Identify, assess and reduce the risks of high-risk processing before it begins — with templates, risk scoring, mitigation tracking and approvals that leave a decision record the DPC or ICO can follow, linked to your RoPA, vendors and data map.

Last reviewed June 15, 2026

Article 35 answer

What DPIA software needs to prove

A DPIA is not just a compliance form. It records what a project will do with personal data, why the processing is necessary, what could go wrong for individuals, and which controls reduce the risk before launch.

Acompli treats the completed DPIA as source evidence: approved answers can feed the risk register, Article 30 RoPA entries, vendor reviews and the wider compliance record.

Screen early

Decide whether Article 35 is triggered before design choices are fixed.

Record Article 35(7)

Description, necessity and proportionality, risks, and measures stay in one governed record.

Keep decisions attributable

DPO advice, reviewer sign-off, residual risk, mitigation owners and review dates are preserved.

Reuse approved evidence

Carry the relevant facts into Article 30, the risk register, vendor records and the data map.

What Article 35 requires

GDPR Article 35 requires a DPIA before processing that is likely to result in a high risk to individuals. Common triggers include systematic monitoring, large-scale special category data, profiling, automated decisions with significant effects, vulnerable people, new technologies and processing where individuals may struggle to exercise their rights.

If high residual risk remains after mitigation, Article 36 prior consultation may be needed before processing starts. Failing to run a required DPIA is an Article 83(4)(a) infringement, so the record needs to be defensible, not just complete. Acompli preserves each of these decisions — screening outcome, DPO advice, reviewer sign-off and the Article 36 trigger — as dated, attributable entries in the assessment record.

Required contents

Processing description, necessity and proportionality, risks to individuals, and measures addressing those risks.

Governance checks

DPO advice, reviewer sign-off, residual-risk decisions and the Article 36 trigger are recorded before launch.

Where Acompli fits

A DPIA record connected to the rest of compliance

Acompli starts the DPIA from a structured template, draws context from the organisational knowledge base, supports AI-assisted drafting, routes every answer through human review, and carries approved findings into risk and RoPA workflows.

WorkflowWhat changesOutput
Template and contextStructured templates draw from organisational context instead of a blank document.A complete draft assessment.
Human reviewAI-assisted answers, risk notes and improvements remain drafts until a reviewer approves them.A signed-off decision record.
Connected evidenceApproved answers carry into RoPA, risk, vendor and data-map work without re-keying.Reusable governance evidence.
Ongoing updatesSupplier, transfer or lawful-basis changes surface the affected assessment and Article 30 record for review.A living compliance record.

DPIA FAQ

DPIA questions answered

Article 35 requirements, DPC and ICO expectations, RoPA linkage, AI systems, transfers and review cadence.

What is DPIA software?

DPIA software is the tool a privacy team uses to run Data Protection Impact Assessments under GDPR Article 35 in a controlled, repeatable way. In Acompli, each DPIA runs from a template through questionnaires, risk scoring and mitigation tracking to a named approver - and the approved answers become reusable evidence that can feed the risk register, Article 30 records and vendor reviews.

What is Article 35 of the GDPR?

Article 35 of the GDPR (Regulation (EU) 2016/679) is the legal basis for the Data Protection Impact Assessment. It requires a controller to carry out a DPIA before any processing that is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used (Article 35(1)). Article 35(3) sets three cases where a DPIA is always required, Article 35(7) lists the four mandatory contents, and Article 35(2) requires the controller to seek the DPO's advice. In Ireland the DPC, and in the UK the ICO, each publish a list of processing operations that require a DPIA under Article 35(4).

What are the requirements of Article 35(7) GDPR?

Article 35(7) GDPR sets the four mandatory contents of a DPIA: (a) a systematic description of the envisaged processing operations and their purposes; (b) an assessment of the necessity and proportionality of the processing in relation to those purposes; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance. Acompli templates each of these fields with version control, records the DPO's advice under Article 35(2), and carries the approved assessment into the Article 30 RoPA.

What should DPIA software include?

Look for Article 35 screening criteria, templates and questionnaires, risk scoring with mitigation tracking, reviewer approvals, and a preserved decision record. Acompli adds the connections a DPC or ICO inquiry will probe: each assessment links to the systems, vendors and transfers it covers, and approved answers carry through to the risk register and RoPA instead of dying in a document.

Can DPIA software help with regulator questions?

Yes - if it preserves the decision record. Acompli keeps the full trail behind each assessment: who answered, what evidence supported each answer, which risks were identified, what mitigations were chosen and who approved the outcome. When the DPC or ICO asks why processing went ahead, the answer is an export, not an archaeology project.

Which processing operations trigger a DPIA in Ireland and the UK?

Three Article 35(3) cases always trigger one: systematic and extensive profiling with legal or significant effects, large-scale processing of special-category or criminal-offence data, and systematic monitoring of publicly accessible areas at scale. Beyond those, the DPC's Article 35(4) list and the ICO's screening checklist add operations such as workplace monitoring, health data processing, combining datasets and location tracking - and if two or more of the EDPB's nine criteria apply, run the assessment. Acompli's screening template asks these trigger questions first, so borderline projects get a documented decision instead of a guess.

More detailed questions
What should a DPIA template include?

Article 35(7) sets the mandatory core: a systematic description of the processing, a necessity and proportionality assessment, the risks to individuals, and the measures addressing them - plus a record of DPO advice under Article 35(2). In April 2026 the EDPB published its first harmonized EU-wide DPIA template, which Irish and UK teams can map to DPC and ICO expectations. Acompli's templates carry these fields with version control and approvals, and existing Word or Excel DPIAs can be imported so historical assessments live in the same governed record.

How does a completed DPIA feed our Article 30 RoPA?

A completed DPIA contains most of what Article 30 GDPR requires for a RoPA entry: the purposes of processing, categories of personal data and data subjects, recipients including third-country transfers, retention periods, the description of technical and organisational security measures, and the controller / DPO contact details. The DPC and ICO both expect a current, accurate Article 30 register, and a DPIA done well is the cleanest source for those fields. In Acompli, approved DPIA answers map directly into Article 30 fields so the RoPA reflects the assessed reality of the processing rather than a separately-maintained spreadsheet; if the DPIA changes (new supplier, new transfer, new lawful basis), the Article 30 record changes with it.

Does an Annex III AI system also need a GDPR DPIA?

Yes, in nearly every realistic case. An Annex III high-risk AI system under the EU AI Act will also be high-risk processing under GDPR Article 35: it typically involves systematic monitoring, automated decision-making with significant effects, profiling, or special-category data. The EU AI Act adds a separate Fundamental Rights Impact Assessment (FRIA) obligation for certain deployers under Article 27, but a FRIA does not replace a DPIA where personal data is processed. The DPC and EDPB position is that the GDPR DPIA remains required, and a well-built DPIA already covers the Article 35(7) ground a FRIA reuses. Acompli's AI Register module is available on opt-in (early access) and is designed to surface Annex III flags into the DPIA workflow rather than run as a parallel form, so the four classification fields — risk tier, Annex III, Article 6(3), GPAI — connect back to the same processing activity that triggered the DPIA.

Do DPIAs need updating after Schrems II for international transfers?

Yes. Schrems II (CJEU C-311/18) and the EDPB Recommendations 01/2020 changed what a defensible DPIA must show for any processing that transfers personal data outside the EEA. A DPIA that pre-dates Schrems II — or that names SCCs without a Transfer Impact Assessment — is no longer current evidence. The DPC's enforcement record, including the €1.2bn Meta decision, treats inadequate transfer documentation as a substantive breach. A current DPIA for any non-EEA processing should reference the relevant transfer mechanism (SCCs, adequacy, BCRs), link to a completed TIA assessing third-country law and supplementary measures, and record the residual risk. Acompli flags affected processing activities when a transfer destination, supplier, or sub-processor changes so the DPIA is updated rather than left stale.

What should DPIA software track to be defensible in a DPC or ICO audit?

DPIA software should track every element listed in Article 35(7) plus the evidence trail behind each answer: the systematic description of processing, the necessity and proportionality assessment, the risk-to-individuals analysis, the mitigating measures, the DPO advice recorded under Article 35(2), reviewer sign-off, residual-risk decisions, and the Article 36 prior-consultation trigger where a high residual risk remains. The DPC Guide to DPIAs and EDPB Guidelines 04/2022 expect each of these to be a recorded, dated decision rather than a free-text note. For Ireland and the UK, the software should also link the DPIA to Article 30 fields, to any related TIA for Schrems II transfers, and to the risk register, so a single audit request can be answered from one record. In Acompli those links are native: each assessment connects to its Article 30 entry, related TIA and risk-register records, so the export answers the request in one pass.

How often should a DPIA be reviewed under the DPC and ICO guidance?

The DPC and ICO both treat a DPIA as a living record rather than a one-off form. The DPC Guide to DPIAs and ICO 'How do we do a DPIA?' state that a DPIA should be reviewed whenever the nature, scope, context, or purposes of the processing change, when a new technology is introduced, when a new supplier or transfer is added, or where the risk profile shifts. A pragmatic baseline is an annual review for active high-risk processing, with event-driven re-review whenever a supplier, sub-processor, transfer destination, lawful basis, or data category changes. Acompli triggers DPIA re-review from changes in linked Article 30 fields, supplier records, or transfer destinations, so review is event-driven rather than calendar-only.

Can a DPIA be reused across similar processing activities?

Yes, with care. Article 35(1) GDPR explicitly allows a single DPIA to address a set of similar processing operations that present similar high risks, and both the DPC and ICO recognise programme-level DPIAs (for example a group rollout, a vendor framework, or a class of customer scoring models). The reuse only holds where the risks, controls, lawful basis, and affected individuals remain materially the same; a new supplier, new transfer destination, or change in data categories typically requires a fresh assessment or a documented delta. Acompli treats an approved DPIA as evidence that can be cloned and edited for a similar activity, with a clear audit trail of what changed, rather than a one-off Word file.

What is the best DPIA software?

The best DPIA software is decided by how well it screens Article 35 triggers early, structures the four Article 35(7) contents with version control, records DPO advice and reviewer approvals, and preserves a defensible decision record a regulator can follow. Acompli's angle is to govern these as connected, human-approved records tied to the wider GDPR and EU AI Act programme - each assessment linked to its RoPA activity, risk register and supplier records, and each answer traceable to approved evidence. For an unbiased read of the DPIA options, our DPIA software comparison guide and full comparison library compile public-source capability charts and head-to-head vendor breakdowns, and flag honestly where competitors do more than Acompli.

See it on your own processing

Acompli turns DPIAs into living, audit-ready records linked to risk and Article 30 entries, with the evidence behind every decision.