Research
The Psychology of DPIA Completion: Why Domain Experts Struggle with Compliance Questions
Data Protection Impact Assessments require input from people across the organisation — product managers, engineers, HR leads, marketing directors, operations heads. These contributors are experts in their domains. They understand the systems they operate, the data they handle, and the business processes they manage. Yet when faced with a DPIA questionnaire, many of them stall. Questions go unanswered. Assessments drag on for weeks. The DPO chases responses while projects wait in compliance limbo.
This is not a failure of effort or intention. It is a cognitive accessibility problem. DPIA questions are written in the language of data protection law, not the language of the contributor's expertise. The result is a fundamental mismatch between what people know and what they are being asked to express — and that mismatch creates friction, delay, and often poor-quality responses.
The Expertise Paradox
Consider a product manager who has spent months designing a new customer loyalty programme. They understand the business logic deeply: how points are earned, what rewards are offered, how the programme integrates with existing systems, which vendors are involved. They could explain all of this fluently to a colleague or present it in a product review.
Now they receive a DPIA question: "What is the lawful basis for processing personal data in this activity, and what evidence supports its applicability?"
The product manager knows the answer is somewhere in their understanding of the programme. But the question is framed in legal terminology they are not fluent in. They are not sure what counts as a "lawful basis" — is it the Terms and Conditions? The marketing consent checkbox? Something else? What does "evidence supports its applicability" mean in practice? They hesitate, intend to circle back, and the question sits unanswered.
This pattern repeats across organisations. The people who hold the information are not the same people who speak the language of the questions. And this creates a structural bottleneck that no amount of chasing or escalation can fully resolve.
The Psychology of Avoidance
Psychological research on task avoidance tells us that people defer work that creates cognitive discomfort. When a task requires translation between domains of expertise — when you know the answer in one "language" but must express it in another — the mental effort increases significantly. Add uncertainty about correctness ("Am I saying the right thing?") and the stakes of formal documentation ("This is going on record"), and you have a recipe for procrastination.
DPIA completion often becomes the last item on the to-do list. Contributors push it to the end of the day, then to tomorrow, then to next week. Not because they do not care about compliance, but because the task feels difficult in a way that is hard to articulate. The questionnaire sits open in a browser tab, creating a low-level background stress that compounds over time.
For organisations without dedicated Data Protection Officers — or where the DPO is stretched thin across many projects — this creates a painful dynamic. The people who need to provide information avoid the task; the people who need the information to proceed have limited ability to help in the moment of difficulty. The gap between these two groups is where DPIAs go to die.
The Communication Gap
In traditional DPIA workflows, when a contributor is stuck, their options are limited:
- Send an email: Ask the DPO or privacy team for clarification. Wait for a response. This can take hours or days, and by the time the answer arrives, the contributor has context-switched to other work and lost momentum.
- Make a guess: Write something that sounds reasonable and hope it passes review. This leads to vague, boilerplate responses that may require significant rework and fail to capture the actual processing activity.
- Leave it blank: Skip the question and move on, hoping someone else will fill it in or that it will become clear later. This creates visible gaps that slow down review and approval.
None of these options are good. The email chain introduces delay. The guess introduces quality risk. The blank introduces visible incompleteness. All three create friction for the people who must eventually review and approve the assessment.
Bringing Expertise to the Point of Need
Acompli addresses this gap by embedding intelligent assistance directly into the completion workflow — not as a replacement for human expertise, but as a translation layer between domain knowledge and compliance language.
The Advisory Helper
The first AI assistant in Acompli is the advisory helper: a contextual guide that explains what a question is really asking and what a good answer looks like. This helper knows both the general meaning of DPIA questions (from GDPR requirements and best practice guidance) and the specific context of the current project (from the project description and other completed responses).
A contributor stuck on the "lawful basis" question can ask the advisory helper: "What does this question mean in the context of my loyalty programme?" The helper might respond:
This question is asking which legal ground under Article 6 of GDPR permits you to process personal data for this activity. Based on your project description, the most likely bases are (a) consent from the customer when they enrol, or (b) contractual necessity if the loyalty programme is part of your terms. For a loyalty programme with optional marketing features, you may need different bases for different processing purposes — core programme participation (likely contract) versus promotional communications (likely consent). Think about: what happens if a customer withdraws consent — can they still participate in the programme?
This is immediate, contextual guidance at the moment of difficulty. The contributor does not wait for an email response. They do not guess in the dark. They receive an explanation that bridges their domain knowledge to the compliance question — and that makes the task feel achievable rather than daunting.
The Assessment Search Helper
The second AI assistant addresses a different problem: finding information that already exists within the assessment. In complex DPIAs, contributors may complete their sections without visibility into what colleagues have written. Information is duplicated, or worse, inconsistent. New team members joining a project mid-stream have no easy way to understand what has already been documented.
The assessment search helper allows anyone to ask natural language questions about the assessment content:
- "What retention periods have been specified for customer data?"
- "Which third-party vendors are mentioned in this assessment?"
- "What does this assessment say about international data transfers?"
The helper searches the assessment, surfaces relevant answers with citations to source questions, and provides a synthesised response. This turns the assessment from a static form into a queryable knowledge base — making it far easier for contributors to stay aligned and for reviewers to quickly verify consistency.
Reducing Cognitive Load, Not Replacing Expertise
It is important to understand what these helpers are and are not doing. They are not answering compliance questions on behalf of the contributor. The human still provides the substantive information: which systems are involved, what data is collected, how long it is retained, who has access. The AI helpers make it easier for contributors to express what they know in a format that meets compliance requirements.
This distinction matters because it preserves accountability. The contributor remains the source of truth for their domain. The AI is a facilitator, not a substitute. What changes is the accessibility of the task — the cognitive friction between knowing something and documenting it correctly.
Research on cognitive load theory supports this approach. When learners (or in this case, contributors) face tasks that exceed their working memory capacity, performance degrades and motivation drops. Reducing extraneous cognitive load — explaining terminology, providing context, making information findable — allows people to focus their mental resources on the substantive work. [1]
The Organisational Impact
When DPIA completion becomes less psychologically daunting, several things change at the organisational level:
- Faster completion: Contributors complete their sections in fewer sessions because they are not stuck waiting for clarification or avoiding difficult questions.
- Higher quality responses: Guidance at the point of need produces responses that are more precise and more relevant to the actual question being asked.
- Reduced DPO bottleneck: Privacy teams spend less time explaining basic concepts and more time on substantive review and risk assessment.
- Better team onboarding: New contributors can query the assessment to understand context rather than reading the entire document or scheduling briefing calls.
- Improved morale: Compliance work becomes less of a burden and more of a collaborative process with visible support.
Democratising Privacy Expertise
Not every organisation can afford a full-time DPO. Not every DPO can be available for every question from every contributor. The reality of GDPR compliance is that privacy expertise is a scarce resource, and that scarcity creates the bottlenecks that slow assessments and frustrate project teams.
Acompli's approach is to extend the DPO's reach without compromising quality. The AI helpers encode privacy knowledge and best practice guidance in a form that is accessible at the moment of need. Contributors get instant support that is contextual to their specific project. DPOs get assessments that are more complete and more consistent when they arrive for review.
This is not a replacement for human privacy expertise. It is an amplification of that expertise — making it available at scale across the organisation, embedding it in the workflow where it is most needed, and reducing the translation burden between domain knowledge and compliance language.
From Burden to Flow
The psychology of task completion tells us that people perform best when they experience flow: a state where challenge is matched by capability and where progress feels achievable. DPIA completion, for most contributors, is the opposite of flow. It is a task where challenge exceeds perceived capability, where progress feels uncertain, and where the reward for completion is merely the removal of an unpleasant obligation.
Acompli is designed to shift that dynamic. By providing guidance that reduces perceived challenge, by making the assessment searchable and understandable, and by embedding support at the point of need, the platform makes DPIA completion feel less like a compliance burden and more like a structured workflow with clear help available.
The result is assessments that get completed faster, with higher quality, by contributors who feel supported rather than stuck. And that changes the organisational relationship with GDPR compliance — from something to be endured to something that can actually be done well.
References
- Cognitive Load Theory: Implications for Medical Education — Van Merriënboer, J.J.G. & Sweller, J., 2010