Rapid Onboarding
From scattered records to a working privacy platform in days
Bring existing DPIAs, RoPA registers, supplier lists, system inventories, policies and documents into Acompli. Import, connect, enrich and start running assessments from a governed compliance foundation.
Six stages from raw data to a governed compliance programme
Bring your data in any format — Word DPIAs, Excel registers, ServiceNow exports, SharePoint policies, architecture diagrams. Each import triggers a chain of downstream automation that populates registers, generates data flows, and classifies every entity.
Bring your existing compliance estate
Upload up to 50 existing DPIAs and import your RoPA register with AI-powered column mapping. Bulk-load IT systems, vendors, and locations from any spreadsheet format.
AI extracts question-answer pairs from documents, detects frameworks (GDPR, EU AI Act, ISO 27701), and proposes matching templates or tailored drafts for review. Duplicate detection via file hashing prevents re-imports.
Assessment import
50 files per batch. PDF, DOCX, DOC. AI Q&A extraction with OCR for scanned documents.
RoPA spreadsheet import
Excel or CSV. AI maps columns to regulatory compliance fields with confidence scores.
Knowledge base bulk load
Up to 10,000 rows. IT systems, vendors, and locations from any spreadsheet or URL.
Onboarding answer
How fast can a privacy team be operational with Acompli?
Because Acompli imports your existing Article 30 RoPA export, your Word/PDF DPIAs, and your CMDB or vendor inventory and maps each field for review — rather than asking you to rebuild from a blank tenant — a regulated Irish or UK firm can be operational in days. The DPC (Ireland) and the ICO (UK) both expect a current Article 30 record at the moment of inquiry, so onboarding speed is an accountability question, not just a procurement one.
AI enrichment classifies and maps the imported entities; a person reviews and approves before anything becomes an official record, and every import is hash- and time-stamped for a defensible trail back to source.
Key takeaways
- Operational in days, not months — you upload existing records (RoPA in XLSX/CSV, DPIAs in Word/PDF, a CMDB or vendor list) and AI enrichment maps them for human review.
- No schema rewrite or rekeying — an Article 30 import preserves all seven controller fields the DPC and ICO look for under Article 30(1)(a)–(g), and Word/PDF DPIAs keep their Article 35(7) narrative verbatim with the original file hash- and time-stamped as evidence. See what a RoPA must contain.
- Transfers and AI systems are surfaced for review — flows to non-EEA countries are flagged as Schrems II items (SCCs, an adequacy decision, or an Article 49 derogation), and imported AI systems are flagged against EU AI Act Annex III; the high-risk determination stays human-approved. Read the Schrems II / TIA guide · EU AI Act module (AI System Register available on opt-in (early access)).
- Every import is auditable — each file is hash- and time-stamped with who imported what, so the trail back to source is defensible under the Data Protection Act 2018 (Ireland) and the UK GDPR (ICO).
Primary sources
What a migrated programme must preserve for the DPC and ICO
An Article 30 import preserves the seven controller fields under Article 30(1)(a)–(g); Word/PDF DPIAs keep their Article 35(7) narrative verbatim; transfers to non-EEA countries are surfaced as Schrems II items for review. The high-risk EU AI Act determination stays human-approved.
Last reviewed: 3 June 2026.
Connected Acompli pages
What a RoPA must contain details the Article 30 fields; the Schrems II / TIA guide covers transfers; EU AI Actowns the Annex III classification (AI System Register on opt-in / early access).
How does Acompli onboarding compare to migrating from OneTrust or TrustArc?
OneTrust and TrustArc migrations typically run a 6–18 week professional-services engagement because the destination expects records in its own schema. Acompli inverts that: you upload your existing exports and AI enrichment maps each field into the governed register for human review. When comparing onboarding, score each vendor on the criteria the DPC and ICO would actually care about.
| Onboarding criterion (what a DPC/ICO audit needs) | Typical OneTrust / TrustArc migration | Acompli rapid onboarding |
|---|---|---|
| Time to a current Article 30 register | 6–18 week services engagement | Operational by Day 3 when source records exist |
| Importing your existing RoPA | Re-mapped into the vendor’s fixed schema | XLSX/CSV or vendor-native export mapped to Article 30(1)(a)–(g) for review |
| Existing Word/PDF DPIAs | Often retyped into a fixed form | Bulk-imported; Article 35(7) narrative kept verbatim, original kept as evidence |
| International transfers (Schrems II) | Manual discovery exercise | Non-EEA flows flagged for an SCC / adequacy / Article 49 review |
| Audit trail of the import itself | Varies by engagement | Every file hash- and time-stamped: who imported what, and what it produced |
The high-risk and legal classifications above remain the controller’s decision — AI drafts, maps, and flags; a human approves. For the underlying obligations see RoPA requirements guide (Ireland & UK), when a DPIA is required, and Transfer Impact Assessments.
Common questions
Onboarding questions answered
What does 'operational in days' actually mean — what happens on Day 1, Day 2, Day 3?
Day 1 (Foundation): the setup wizard provisions your tenant, the knowledge-base import loads your IT systems and vendors, connectors are configured (ServiceNow, Jira, SharePoint, cloud storage), your existing Article 30 RoPA is imported, Word/PDF DPIAs are batch-uploaded, and the first data-flow diagrams are drafted from imported records. Day 2 (Enhancement): AI drafts assessment templates from your historical responses, the enrichment pipeline tags every record with GDPR metadata (lawful basis, retention, transfer mechanism), vendor contract discovery locates DPAs and privacy notices, the risk register is reviewed, and workflows are switched on. Day 3 (Operational): team members log in to assigned tasks, the DPO reviews dashboards, scheduled sync runs against external sources, and the first new DPIA is launched. The DPC and ICO both expect a current Article 30 record at any audit moment — Day 3 means you can produce one.
What must a RoPA import preserve to remain defensible under Article 30?
An Article 30 import must preserve all seven controller fields the DPC and ICO look for in an audit: (a) controller and DPO identity, (b) processing purposes, (c) categories of data subjects and personal data, (d) categories of recipients including processors and third countries, (e) third-country transfers and the transfer mechanism (SCCs, adequacy decision, or derogation under Article 49), (f) retention periods, and (g) a general description of the technical and organisational measures under Article 32. Processors must additionally preserve the categories of processing carried out on behalf of each controller per Article 30(2). Acompli's import maps each column from your source export into these fields and flags any missing element so the gap is visible before go-live, not in front of a regulator.
Can Acompli bulk-import Word and PDF DPIAs without rekeying?
Yes. Upload the folder of historical DPIAs as .docx or .pdf and the platform extracts each Article 35(7) section — systematic description, necessity and proportionality assessment, risks to data subjects, and safeguards — into a structured record while preserving the original document as evidence. The narrative answers are kept verbatim, then AI suggests matching template fields so the next iteration uses the same shape. EDPB Guidelines 04/2022 and the WP248 criteria are used as the classification spine for what counts as high-risk. The original file is hash-stamped and time-stamped against the imported record so the audit trail back to the source is intact.
What should a privacy platform onboarding prove?
It should preserve the records you already have, show what was imported, flag gaps before go-live, and leave an audit trail for the migration. In Acompli that means RoPA imports, historical DPIAs, vendor lists, transfer context and AI-system signals are mapped into governed records before the team starts new work.
Can the platform map international transfers from a CMDB and surface Schrems II exposure?
Yes. The ServiceNow / Jira / cloud-storage connectors and spreadsheet imports populate the knowledge base of systems and vendors, and the enrichment pipeline tags each vendor with its hosting region and processing locations. Any flow to a non-EEA country is surfaced as a Schrems II item that requires either Standard Contractual Clauses with supplementary measures, an adequacy decision (e.g. UK, EU–US Data Privacy Framework for certified recipients), or an Article 49 derogation. The Schrems II judgment (C-311/18) and the DPC's €1.2bn Meta decision (May 2023) both make explicit that controllers must be able to demonstrate, per transfer, that the destination's surveillance regime does not undermine the protection — Acompli surfaces the transfer so the Transfer Impact Assessment is a focused workflow rather than a discovery exercise.
How does onboarding classify high-risk AI systems from an imported inventory?
When the IT-asset inventory is imported, AI systems in the knowledge base are flagged for review against Annex III of the EU AI Act (the high-risk use cases including employment, education, essential services, law enforcement, migration, and justice). The AI Register module is available on opt-in (early access) and frames each entry across four classification fields — risk tier, Annex III applicability, Article 6(3) exception, and GPAI status. Self-attestation drives the classification; the platform structures the evidence but legal classification remains the controller's responsibility, working with counsel where needed. This is a roadmap area: today the value is rapid discovery and structured intake so an Annex III review is targeted rather than starting from a blank sheet.
More detailed questions
Is onboarding without a consulting engagement actually realistic for a regulated Irish or UK firm?
Yes, when the source data exists in some form. The constraint is not platform complexity — it is whether you already have a RoPA export, a DPIA folder, and a CMDB or vendor list. If those exist in Excel, Word, PDF, or a previous tool's export, Day 1–3 onboarding is realistic. If they do not exist at all, the first weeks become a discovery exercise regardless of platform — and Acompli's AI enrichment shortens that too, because uploaded policies, contracts, and architecture diagrams populate the knowledge base. The Data Protection Act 2018 expects a current Article 30 record from any controller subject to it; the platform's job is to make 'current' a daily state rather than a quarterly project.
See rapid onboarding in action
Bring the records you already have and your platform is operational in days, not months. No re-keying. No consultants. No migration project.