Rapid Onboarding

From scattered records to a working privacy platform in days

Bring existing DPIAs, RoPA registers, supplier lists, system inventories, policies and documents into Acompli. Import, connect, enrich and start running assessments from a governed compliance foundation.

01Import02Connect03Enrich04Map05Cascade06Operate
Acompli Rapid Onboarding Brochure — page 1
View brochure
The onboarding workflow

Six stages from raw data to a governed compliance programme

Bring your data in any format — Word DPIAs, Excel registers, ServiceNow exports, SharePoint policies, architecture diagrams. Each import triggers a chain of downstream automation that populates registers, generates data flows, and classifies every entity.

01Import

Bring your existing compliance estate

Upload up to 50 existing DPIAs and import your RoPA register with AI-powered column mapping. Bulk-load IT systems, vendors, and locations from any spreadsheet format.

AI extracts question-answer pairs from documents, detects frameworks (GDPR, EU AI Act, ISO 27701), and proposes matching templates or tailored drafts for review. Duplicate detection via file hashing prevents re-imports.

Assessment import

50 files per batch. PDF, DOCX, DOC. AI Q&A extraction with OCR for scanned documents.

RoPA spreadsheet import

Excel or CSV. AI maps columns to regulatory compliance fields with confidence scores.

Knowledge base bulk load

Up to 10,000 rows. IT systems, vendors, and locations from any spreadsheet or URL.

Accepted →PDF, DOCX, DOC, XLSX, XLS, CSV — including OneTrust and TrustArc export formats

Onboarding answer

How fast can a privacy team be operational with Acompli?

Because Acompli imports your existing Article 30 RoPA export, your Word/PDF DPIAs, and your CMDB or vendor inventory and maps each field for review — rather than asking you to rebuild from a blank tenant — a regulated Irish or UK firm can be operational in days. The DPC (Ireland) and the ICO (UK) both expect a current Article 30 record at the moment of inquiry, so onboarding speed is an accountability question, not just a procurement one.

AI enrichment classifies and maps the imported entities; a person reviews and approves before anything becomes an official record, and every import is hash- and time-stamped for a defensible trail back to source.

Key takeaways

  • Operational in days, not months — you upload existing records (RoPA in XLSX/CSV, DPIAs in Word/PDF, a CMDB or vendor list) and AI enrichment maps them for human review.
  • No schema rewrite or rekeying — an Article 30 import preserves all seven controller fields the DPC and ICO look for under Article 30(1)(a)–(g), and Word/PDF DPIAs keep their Article 35(7) narrative verbatim with the original file hash- and time-stamped as evidence. See what a RoPA must contain.
  • Transfers and AI systems are surfaced for review — flows to non-EEA countries are flagged as Schrems II items (SCCs, an adequacy decision, or an Article 49 derogation), and imported AI systems are flagged against EU AI Act Annex III; the high-risk determination stays human-approved. Read the Schrems II / TIA guide · EU AI Act module (AI System Register available on opt-in (early access)).
  • Every import is auditable — each file is hash- and time-stamped with who imported what, so the trail back to source is defensible under the Data Protection Act 2018 (Ireland) and the UK GDPR (ICO).

Primary sources

What a migrated programme must preserve for the DPC and ICO

An Article 30 import preserves the seven controller fields under Article 30(1)(a)–(g); Word/PDF DPIAs keep their Article 35(7) narrative verbatim; transfers to non-EEA countries are surfaced as Schrems II items for review. The high-risk EU AI Act determination stays human-approved.

Last reviewed: 3 June 2026.

Migration comparison

How does Acompli onboarding compare to migrating from OneTrust or TrustArc?

OneTrust and TrustArc migrations typically run a 6–18 week professional-services engagement because the destination expects records in its own schema. Acompli inverts that: you upload your existing exports and AI enrichment maps each field into the governed register for human review. When comparing onboarding, score each vendor on the criteria the DPC and ICO would actually care about.

Onboarding criterion (what a DPC/ICO audit needs)Typical OneTrust / TrustArc migrationAcompli rapid onboarding
Time to a current Article 30 register6–18 week services engagementOperational by Day 3 when source records exist
Importing your existing RoPARe-mapped into the vendor’s fixed schemaXLSX/CSV or vendor-native export mapped to Article 30(1)(a)–(g) for review
Existing Word/PDF DPIAsOften retyped into a fixed formBulk-imported; Article 35(7) narrative kept verbatim, original kept as evidence
International transfers (Schrems II)Manual discovery exerciseNon-EEA flows flagged for an SCC / adequacy / Article 49 review
Audit trail of the import itselfVaries by engagementEvery file hash- and time-stamped: who imported what, and what it produced

The high-risk and legal classifications above remain the controller’s decision — AI drafts, maps, and flags; a human approves. For the underlying obligations see RoPA requirements guide (Ireland & UK), when a DPIA is required, and Transfer Impact Assessments.

Common questions

Onboarding questions answered

What does 'operational in days' actually mean — what happens on Day 1, Day 2, Day 3?

Day 1 (Foundation): the setup wizard provisions your tenant, the knowledge-base import loads your IT systems and vendors, connectors are configured (ServiceNow, Jira, SharePoint, cloud storage), your existing Article 30 RoPA is imported, Word/PDF DPIAs are batch-uploaded, and the first data-flow diagrams are drafted from imported records. Day 2 (Enhancement): AI drafts assessment templates from your historical responses, the enrichment pipeline tags every record with GDPR metadata (lawful basis, retention, transfer mechanism), vendor contract discovery locates DPAs and privacy notices, the risk register is reviewed, and workflows are switched on. Day 3 (Operational): team members log in to assigned tasks, the DPO reviews dashboards, scheduled sync runs against external sources, and the first new DPIA is launched. The DPC and ICO both expect a current Article 30 record at any audit moment — Day 3 means you can produce one.

What must a RoPA import preserve to remain defensible under Article 30?

An Article 30 import must preserve all seven controller fields the DPC and ICO look for in an audit: (a) controller and DPO identity, (b) processing purposes, (c) categories of data subjects and personal data, (d) categories of recipients including processors and third countries, (e) third-country transfers and the transfer mechanism (SCCs, adequacy decision, or derogation under Article 49), (f) retention periods, and (g) a general description of the technical and organisational measures under Article 32. Processors must additionally preserve the categories of processing carried out on behalf of each controller per Article 30(2). Acompli's import maps each column from your source export into these fields and flags any missing element so the gap is visible before go-live, not in front of a regulator.

Can Acompli bulk-import Word and PDF DPIAs without rekeying?

Yes. Upload the folder of historical DPIAs as .docx or .pdf and the platform extracts each Article 35(7) section — systematic description, necessity and proportionality assessment, risks to data subjects, and safeguards — into a structured record while preserving the original document as evidence. The narrative answers are kept verbatim, then AI suggests matching template fields so the next iteration uses the same shape. EDPB Guidelines 04/2022 and the WP248 criteria are used as the classification spine for what counts as high-risk. The original file is hash-stamped and time-stamped against the imported record so the audit trail back to the source is intact.

What should a privacy platform onboarding prove?

It should preserve the records you already have, show what was imported, flag gaps before go-live, and leave an audit trail for the migration. In Acompli that means RoPA imports, historical DPIAs, vendor lists, transfer context and AI-system signals are mapped into governed records before the team starts new work.

Can the platform map international transfers from a CMDB and surface Schrems II exposure?

Yes. The ServiceNow / Jira / cloud-storage connectors and spreadsheet imports populate the knowledge base of systems and vendors, and the enrichment pipeline tags each vendor with its hosting region and processing locations. Any flow to a non-EEA country is surfaced as a Schrems II item that requires either Standard Contractual Clauses with supplementary measures, an adequacy decision (e.g. UK, EU–US Data Privacy Framework for certified recipients), or an Article 49 derogation. The Schrems II judgment (C-311/18) and the DPC's €1.2bn Meta decision (May 2023) both make explicit that controllers must be able to demonstrate, per transfer, that the destination's surveillance regime does not undermine the protection — Acompli surfaces the transfer so the Transfer Impact Assessment is a focused workflow rather than a discovery exercise.

How does onboarding classify high-risk AI systems from an imported inventory?

When the IT-asset inventory is imported, AI systems in the knowledge base are flagged for review against Annex III of the EU AI Act (the high-risk use cases including employment, education, essential services, law enforcement, migration, and justice). The AI Register module is available on opt-in (early access) and frames each entry across four classification fields — risk tier, Annex III applicability, Article 6(3) exception, and GPAI status. Self-attestation drives the classification; the platform structures the evidence but legal classification remains the controller's responsibility, working with counsel where needed. This is a roadmap area: today the value is rapid discovery and structured intake so an Annex III review is targeted rather than starting from a blank sheet.

More detailed questions

See rapid onboarding in action

Bring the records you already have and your platform is operational in days, not months. No re-keying. No consultants. No migration project.