Assessments & RiskUpdated June 14, 2026; refreshed July 8, 202614 min read

DPIA Requirements in Ireland and the UK: A GDPR Article 35 Compliance Guide

A Data Protection Impact Assessment (DPIA) is mandatory before any processing likely to result in a high risk to individuals, under Article 35 of the EU GDPR in Ireland and the UK GDPR in the UK. This guide compares how the DPC and the ICO define the trigger, what the assessment must contain, and when you must consult the regulator first.

Illustration of a data protection impact assessment risk matrix with Ireland and UK map markers
1 / 11

01Assessments & Risk

What is a DPIA, and when is it required?

A Data Protection Impact Assessment (DPIA) is mandatory whenever processing is likely to result in a high risk to the rights and freedoms of individuals, and it must be completed before that processing begins. This rule comes from Article 35 of the EU GDPR, which applies in Ireland, and from the materially identical Article 35 of the UK GDPR, which applies in the United Kingdom. A DPIA is a structured analysis that describes the processing, tests whether it is necessary and proportionate, identifies risks to people, and records the measures put in place to reduce those risks.

The obligation is risk-triggered, not optional. If a new project, system, or processing change clears the high-risk threshold, the DPIA is a legal requirement rather than a best-practice document. For organisations operating across both Ireland and the UK, the core test is harmonised, but the regulator you answer to, the published trigger lists, and the prior-consultation route differ, which is why a single internal DPIA process needs to be jurisdiction-aware.

03Assessments & Risk

What automatically triggers a DPIA?

Article 35(3) of both the EU GDPR and the UK GDPR sets out three categories of processing that always require a DPIA. On top of that statutory minimum, each supervisory authority publishes its own Article 35(4) list of additional processing types that mandate a DPIA in its jurisdiction. You should screen new processing against both the Article 35(3) categories and the relevant national list before relying on a more general risk judgement.

The three Article 35(3) categories are common to Ireland and the UK and are the clearest starting point for screening.

  • Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions produce legal or similarly significant effects on the individual.
  • Processing of special category data (Article 9) or criminal-offence data (Article 10) on a large scale.
  • Systematic monitoring of a publicly accessible area on a large scale.
  • Beyond these, the DPC's national list and the ICO's national list each add further mandatory-DPIA scenarios specific to Ireland and the UK respectively.

04Assessments & Risk

The DPC list (Ireland) and the ICO list (UK)

In Ireland, the DPC adopted its list of processing operations requiring a DPIA on 15 November 2018 under Article 35(4). Its ten entries cover scenarios such as using personal data on a large scale for a purpose other than that for which it was originally collected, profiling vulnerable people (including children) to target marketing or online services, using profiling, algorithmic means, or special category data to determine access to services or to produce legal or similarly significant effects, systematically monitoring or tracking individuals' location or behaviour, profiling individuals on a large scale, processing biometric or genetic data in combination with other risk factors, indirectly sourcing data where transparency obligations are not met, and combining or cross-referencing datasets for profiling. The DPC stresses that its list does not displace the general duty to risk-assess all processing.

In the UK, the ICO publishes its own list under Article 35(4) of ten further types of processing that require a DPIA, in addition to the three Article 35(3) categories. These cover innovative technology (such as AI and novel applications of existing technology), denial of a service, product, or benefit based on automated decision-making, large-scale profiling, biometric data, genetic data, combining or matching data from multiple sources, invisible or indirect collection where it is hard to provide a privacy notice, tracking of individuals' location or behaviour, use of children's or vulnerable individuals' data for marketing, profiling, or automated decisions, and processing that could risk physical harm. The ICO frames its list as a screening checklist to be read alongside the EDPB criteria below.

  • Screen against the three Article 35(3) categories first, then the national list for your jurisdiction.
  • Ireland: apply the DPC's adopted Article 35(4) list of ten operations and the DPC's DPIA guidance.
  • UK: apply the ICO's list of ten processing types plus the ICO screening checklist.
  • Document the screening decision itself, including the case where you conclude a DPIA is not required.

05Assessments & Risk

The EDPB nine criteria for high-risk processing

Where processing is not on a published list, you still need a method to decide whether it is high risk. The guidance WP248 rev.01, originally issued by the Article 29 Working Party and endorsed by the European Data Protection Board (EDPB), sets out nine criteria. The ICO's UK guidance maps closely to the same criteria, so this framework is a reliable common screen across both jurisdictions.

As a rule of thumb, WP248 indicates that processing meeting two or more of these criteria will usually require a DPIA, and that a single criterion can be enough in some cases. When in doubt, the safer and more defensible position is to carry out the DPIA and record the reasoning. In Acompli, that screening decision is captured with its rationale, so the conclusion that a DPIA was or was not required can be produced later alongside the assessment itself.

  • Evaluation or scoring, including profiling and prediction.
  • Automated decision-making with legal or similarly significant effect.
  • Systematic monitoring of individuals.
  • Sensitive data or data of a highly personal nature, including special category and criminal-offence data.
  • Processing on a large scale.
  • Matching or combining datasets.
  • Data concerning vulnerable data subjects, such as children, employees, or patients.
  • Innovative use of new technological or organisational solutions.
  • Processing that prevents individuals from exercising a right or using a service or contract.

06Assessments & Risk

What must a DPIA contain? (Article 35(7))

Article 35(7) sets the minimum content of a DPIA, and it is identical in the EU GDPR (Ireland) and the UK GDPR. A document that does not address all four elements is unlikely to satisfy the DPC or the ICO, even if it is detailed in other respects. Both regulators also expect the DPIA to be a living record that is reviewed when the processing changes.

The four mandatory components are set out below. In practice, regulators also expect the DPIA to record whether the data protection officer was consulted, whether the views of data subjects were sought where appropriate, and how the conclusions were signed off.

  • A systematic description of the processing operations and the purposes of the processing, including any legitimate interest pursued.
  • An assessment of the necessity and proportionality of the processing in relation to its purposes.
  • An assessment of the risks to the rights and freedoms of data subjects.
  • The measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure protection of personal data and demonstrate compliance.

07Assessments & Risk

Prior consultation under Article 36

Article 36 is the step that catches teams out. If, after applying your mitigations, the DPIA still shows that the processing would result in a high residual risk, you must consult the supervisory authority before you start processing. The trigger is residual risk, not the initial risk, so a DPIA that lands on high risk after mitigation cannot simply be filed; it must be escalated.

Because the GDPR and the UK GDPR are directly applicable, Article 36 governs prior consultation in both jurisdictions on the same timeline: the supervisory authority must provide written advice within up to eight weeks of the request, extendable by a further six weeks for complex processing, and that period can be paused while the authority gathers information it has asked for. The controller cannot begin the processing until consultation is complete, and the authority can advise, set conditions, or use its powers to prevent the processing. In Ireland the request goes to the DPC through its prior-consultation channel; in the UK it goes to the ICO. (Note: Section 84 of the Irish Data Protection Act 2018 sets out a separate DPIA and prior-consultation duty for law-enforcement processing under the Law Enforcement Directive, which is distinct from general Article 36 GDPR consultation.)

  • Trigger: high residual risk remaining after your planned mitigations.
  • Ireland: consult the DPC under Article 36 GDPR; written advice within up to eight weeks, extendable by six weeks for complex cases.
  • UK: consult the ICO under Article 36 UK GDPR; written advice within up to eight weeks, extendable by six weeks for complex cases.
  • You must not start the high-risk processing while consultation is pending.

08Assessments & Risk

DPC Ireland vs ICO UK: a side-by-side comparison

The substantive DPIA test is harmonised across Ireland and the UK, but the regulator, the national trigger list, the supporting statute, and the prior-consultation channel differ. Organisations that operate in both markets should run one DPIA methodology that is configured to apply the correct jurisdictional layer.

Ireland (DPC, EU GDPR)UK (ICO, UK GDPR)
Supervisory authority: Data Protection Commission (DPC).Supervisory authority: Information Commissioner's Office (ICO).
Legal basis: Article 35 EU GDPR, with the Data Protection Act 2018 giving further effect to the GDPR.Legal basis: Article 35 UK GDPR, with the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025.
National trigger list: DPC list of ten operations adopted 15 November 2018 under Article 35(4).National trigger list: ICO list of ten processing types under Article 35(4), plus an ICO screening checklist.
High-risk screen: Article 35(3) categories plus EDPB WP248 nine criteria.High-risk screen: Article 35(3) categories plus ICO criteria aligned to WP248.
Required content: Article 35(7) four elements.Required content: Article 35(7) four elements (materially identical).
Prior consultation: DPC under Article 36 GDPR; written advice within up to eight weeks, extendable by six weeks.Prior consultation: ICO under Article 36 UK GDPR; written advice within up to eight weeks, extendable by six weeks.
Guidance source: DPC DPIA guidance and adopted Article 35(4) list.Guidance source: ICO DPIA guidance, screening checklist, and sample template.

09Assessments & Risk

Common pitfalls in DPIA practice

Most DPIA failures are process failures rather than analytical ones. The assessment is started too late, treated as a one-off form, or detached from the records and assessments that prove its conclusions. The pitfalls below are the ones regulators most often surface in audits and investigations. With Acompli, each DPIA links to the record of processing activities and the transfer assessments that evidence its conclusions, so the disconnected-evidence pitfall is closed before an audit surfaces it.

  • Starting too late: the DPIA must run before processing begins and alongside design, not after launch as a paperwork exercise.
  • Skipping the screening record: failing to document why a DPIA was not needed is itself a gap, because you cannot show the decision was made.
  • Stopping at high residual risk: identifying high residual risk but not triggering Article 36 prior consultation is a serious and common error.
  • Treating it as static: not revisiting the DPIA when the system, vendor, purpose, or data categories change leaves the record inaccurate.
  • Missing the four Article 35(7) elements: omitting the necessity and proportionality assessment, in particular, is a frequent weakness.
  • Disconnected evidence: a DPIA that does not link back to the record of processing activities, transfer assessments, and supplier reviews is hard to defend on audit.

10Assessments & Risk

2026 regulatory developments

In the UK, the Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in phases, with the bulk of its data protection provisions taking effect on 5 February 2026. It reforms several parts of the UK data protection framework, including the automated decision-making rules, but it largely retains the DPIA regime: the obligation to carry out a DPIA for processing likely to result in a high risk, and the underlying definition of high-risk processing, remain fundamentally unchanged. Organisations should continue to follow Article 35 and the ICO's DPIA guidance, while watching for ICO guidance updates that reflect the Act.

In Ireland and the wider EU, the DPC continues as lead supervisory authority for many large cross-border controllers, and DPIA expectations are tightening around AI-driven processing, profiling, and international transfers. Where a DPIA covers an AI system, the EU AI Act may impose a parallel fundamental rights impact assessment (FRIA) under Article 27 for certain deployers of high-risk AI, such as public bodies, private providers of public services, and deployers using AI for creditworthiness or life and health insurance decisions. Article 27 states that the FRIA complements, rather than replaces, the GDPR DPIA, so where the two overlap you can reuse evidence across them. Mapping which assessment applies, and reusing evidence across them, is becoming a core part of getting AI projects to launch.

11Assessments & Risk

How Acompli supports DPIA workflows

Acompli's DPIA module is designed to assist privacy teams, not to replace human judgement. It guides screening against the Article 35(3) categories, the relevant DPC or ICO national list, and the EDPB criteria; drafts and structures the Article 35(7) content; classifies and surfaces likely risks for review; and routes the assessment to the data protection officer and approvers. The software drafts, classifies, surfaces, and routes, but a human always reviews and approves the outcome, and final legal calls remain with your DPO or legal advisers.

Because the DPIA is connected to the wider record, approved assessments can feed your record of processing activities and link to related transfer assessments, so the evidence stays consistent across tools. Where the processing involves AI systems, Acompli's AI System Register is available on opt-in (early access) to help map EU AI Act obligations against GDPR DPIAs; that capability is not a shipped guarantee for every organisation. The goal is audit-readiness: a documented, current, and defensible DPIA that a regulator can be shown on request, with a human owner accountable for the decision.

Where Acompli fits for DPIA requirements

Best for Irish and UK teams focused on audit defensibility: Acompli keeps each DPIA as a structured, evidence-linked record with the Article 35(7) answers, DPO advice, residual-risk decision, reviewer approval and downstream RoPA or risk-register links visible together. It drafts, classifies, surfaces and routes the work, but a human reviewer approves the assessment and owns the final necessity, proportionality and risk judgement.

See the Acompli DPIA module

Primary sources

DPIA requirements FAQ

When is a DPIA legally required in Ireland and the UK?

A DPIA is required before any processing that is likely to result in a high risk to the rights and freedoms of individuals. In Ireland this obligation comes from Article 35 of the EU GDPR, enforced by the Data Protection Commission, and in the UK from Article 35 of the UK GDPR, enforced by the Information Commissioner's Office. Three categories always require one: systematic and extensive automated evaluation or profiling with significant effects, large-scale processing of special category or criminal-offence data, and large-scale systematic monitoring of a publicly accessible area. Each regulator also publishes its own additional list of processing that requires a DPIA.

What is the difference between the DPC and ICO DPIA requirements?

The core test is the same in both jurisdictions because Article 35 of the EU GDPR and the UK GDPR are materially identical, including the four mandatory content elements in Article 35(7). The differences are procedural. The Data Protection Commission supervises Ireland and applies its list of ten processing operations adopted on 15 November 2018, with the Data Protection Act 2018 giving further effect to the GDPR. The Information Commissioner's Office supervises the UK, applies its own list of ten processing types and a screening checklist, and operates under the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025. Prior consultation goes to the DPC in Ireland and the ICO in the UK, in both cases under Article 36.

What must a DPIA contain to satisfy a regulator?

Article 35(7) sets the minimum content, and it is the same in Ireland and the UK. A compliant DPIA must include a systematic description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to individuals' rights and freedoms, and the measures envisaged to address those risks, including safeguards and security measures. Regulators also expect a record of whether the data protection officer was consulted, whether the views of affected individuals were sought where appropriate, and how the assessment was signed off.

What happens if a DPIA shows a high risk that cannot be reduced?

If the DPIA shows that processing would still result in a high residual risk after your planned mitigations, you must consult the supervisory authority before you start, under Article 36. In Ireland you consult the Data Protection Commission and in the UK the Information Commissioner's Office. In both jurisdictions the authority must provide written advice within up to eight weeks of the request, extendable by a further six weeks for complex processing, and that period can be paused while the authority gathers information it has asked for. You cannot begin the processing while the consultation is pending.

Do small or medium-sized organisations have to do DPIAs?

Yes, if their processing is likely to result in a high risk. The DPIA obligation under Article 35 is triggered by the risk level of the processing, not by the size of the organisation or its headcount. A small business running large-scale profiling, deploying new AI-driven decision-making, or processing special category data at scale must complete a DPIA just as a large enterprise would. The under-250-employee relief that exists for some records of processing activities does not apply to DPIAs.

Does deploying AI or new technology automatically require a DPIA?

Often, yes. Innovative or novel technology, including artificial intelligence, is one of the EDPB high-risk criteria and appears on the ICO's list of processing requiring a DPIA. AI that involves profiling, automated decisions with significant effects, large-scale data use, or special category data will usually clear the high-risk threshold. Where an AI system is also in scope of the EU AI Act, a separate fundamental rights impact assessment may apply under Article 27 for certain deployers of high-risk AI; that assessment complements the GDPR DPIA rather than replacing it, so both may be needed.

How does a DPIA differ from a record of processing activities (RoPA)?

A RoPA is the organisation-wide Article 30 register that maps all processing activities, including purposes, data categories, recipients, transfers, and retention. A DPIA is the Article 35 risk assessment for specific processing that is likely to result in a high risk. The RoPA tells you what processing you do; the DPIA examines and mitigates the risk of the riskier subset. They are complementary, and a well-run programme links each DPIA back to the relevant RoPA entries so the evidence stays consistent.

How long should we keep a DPIA, and how often should it be reviewed?

There is no single fixed retention period in the GDPR, but both the DPC and the ICO treat the DPIA as a living document. You should keep it for as long as the processing it covers continues, plus a reasonable period afterwards to demonstrate accountability, and review it whenever the processing changes in a way that could affect the risk, for example a new vendor, a new purpose, additional data categories, or a change in scale. A DPIA that is never revisited quickly becomes inaccurate and weakens your audit position.

Can software complete a DPIA on its own?

No. Tools can assist by guiding the screening, drafting the Article 35(7) content, classifying and surfacing likely risks, and routing the assessment for sign-off, which saves time and improves consistency. But a DPIA requires human judgement about necessity, proportionality, and acceptable risk, and the final decision must be made and approved by a person, typically with input from the data protection officer or legal advisers. Acompli's DPIA module is built to assist and route for human approval, not to make autonomous legal decisions or replace a DPO.

Are DPIA requirements changing under the UK's Data (Use and Access) Act 2025?

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in phases, with most data protection provisions taking effect on 5 February 2026. It reforms several parts of UK data protection law but largely retains the DPIA regime. The obligation to carry out a DPIA for high-risk processing and the underlying definition of high-risk processing remain fundamentally unchanged, so UK organisations should continue to follow Article 35 of the UK GDPR and the ICO's DPIA guidance, and monitor for updated ICO guidance reflecting the Act. In Ireland, the EU GDPR and DPC guidance continue to apply, with growing regulator focus on AI, profiling, and international transfers.

Market-specific questions (Deutschland / France / Nederland)

Ist eine Datenschutz-Folgenabschätzung (DSFA) in Deutschland verpflichtend?

Ja. Eine DSFA ist nach Artikel 35 DSGVO verpflichtend, wenn eine Verarbeitung voraussichtlich ein hohes Risiko für die Rechte und Freiheiten natürlicher Personen zur Folge hat, und sie muss vor Beginn der Verarbeitung durchgeführt werden. Für Deutschland hat die Datenschutzkonferenz (DSK) gemäß Artikel 35 Absatz 4 DSGVO eine Liste von Verarbeitungsvorgängen veröffentlicht, für die eine DSFA zwingend erforderlich ist (die Muss-Liste für den nicht-öffentlichen Bereich, Version vom 9. Oktober 2019). Diese Liste ist verbindlich, aber nicht abschließend. Für die Aufsicht im nicht-öffentlichen Bereich ist die jeweils zuständige Landesdatenschutzbehörde verantwortlich; die DSK ist das gemeinsame Gremium der deutschen Aufsichtsbehörden. Das Unterlassen einer erforderlichen DSFA ist nach Artikel 83 Absatz 4 DSGVO eigenständig bußgeldbewehrt.

Was muss eine DSFA nach Artikel 35 Absatz 7 DSGVO enthalten?

Artikel 35 Absatz 7 DSGVO legt den Mindestinhalt fest und ist in Deutschland, Irland und dem Vereinigten Königreich identisch. Eine DSFA muss enthalten: eine systematische Beschreibung der geplanten Verarbeitungsvorgänge und der Zwecke der Verarbeitung; eine Bewertung der Notwendigkeit und Verhältnismäßigkeit der Verarbeitung in Bezug auf den Zweck; eine Bewertung der Risiken für die Rechte und Freiheiten der betroffenen Personen; und die zur Bewältigung der Risiken geplanten Abhilfemaßnahmen, einschließlich Garantien und Sicherheitsvorkehrungen. Der oder die Datenschutzbeauftragte ist nach Artikel 35 Absatz 2 DSGVO hinzuzuziehen. Verbleibt nach den Maßnahmen ein hohes Restrisiko, ist die zuständige Aufsichtsbehörde vor Beginn der Verarbeitung nach Artikel 36 zu konsultieren.

Worauf sollten deutsche Unternehmen bei der Auswahl einer DSFA-Software achten?

Eine geeignete Lösung sollte die Prüfung gegen die Kategorien des Artikels 35 Absatz 3, die Muss-Liste der DSK und die neun Kriterien der WP248-Leitlinien unterstützen, den nach Artikel 35 Absatz 7 erforderlichen Inhalt strukturieren und eine nachvollziehbare Freigabe durch den oder die Datenschutzbeauftragte ermöglichen. Acompli unterstützt diese Schritte: Die Software leitet durch die Schwellenwertprüfung, strukturiert den Bewertungsinhalt, ordnet Risiken zur Prüfung ein und leitet die DSFA zur Freigabe weiter. Die abschließende Bewertung von Notwendigkeit, Verhältnismäßigkeit und Restrisiko trifft jedoch immer ein Mensch; die Software ersetzt nicht das fachliche Urteil des oder der Datenschutzbeauftragten.

Une analyse d'impact relative à la protection des données (AIPD) est-elle obligatoire en France ?

Oui. Une AIPD est obligatoire au titre de l'article 35 du RGPD lorsqu'un traitement est susceptible d'engendrer un risque élevé pour les droits et libertés des personnes, et elle doit être réalisée avant le début du traitement. La CNIL a adopté une liste des types d'opérations de traitement pour lesquelles une AIPD est requise (délibération n° 2018-327) ainsi qu'une liste des traitements pour lesquels elle n'est pas requise (délibération n° 2019-118). Selon les lignes directrices du G29 (WP248), un traitement réunissant au moins deux des neuf critères est en principe soumis à une AIPD. L'absence d'une AIPD obligatoire est sanctionnable par la CNIL au titre de l'article 83(4).

Que doit contenir une AIPD selon l'article 35(7) ?

L'article 35(7) du RGPD fixe le contenu minimal, identique en France, en Irlande et au Royaume-Uni. Une AIPD doit comporter : une description systématique des opérations de traitement envisagées et des finalités du traitement ; une évaluation de la nécessité et de la proportionnalité du traitement au regard des finalités ; une évaluation des risques pour les droits et libertés des personnes concernées ; et les mesures envisagées pour faire face à ces risques, y compris les garanties, mesures de sécurité et mécanismes de protection des données. Le délégué à la protection des données (DPO) doit être consulté. Si un risque résiduel élevé subsiste après ces mesures, la CNIL doit être consultée avant le début du traitement, conformément à l'article 36.

Comment choisir un logiciel d'AIPD en France ?

Un outil adapté doit permettre de vérifier le traitement au regard de l'article 35(3), de la liste de la CNIL (délibération n° 2018-327) et des neuf critères du WP248, de structurer le contenu exigé par l'article 35(7) et d'assurer une validation traçable par le DPO. Acompli accompagne ces étapes : le logiciel guide l'analyse de seuil, structure le contenu de l'évaluation, classe les risques en vue de leur examen et achemine l'AIPD pour validation. L'appréciation finale de la nécessité, de la proportionnalité et du risque résiduel revient toujours à une personne : le logiciel assiste le DPO et les équipes, il ne remplace ni leur jugement ni la décision finale.

Is een DPIA verplicht in Nederland?

Ja. Een gegevensbeschermingseffectbeoordeling (DPIA) is op grond van artikel 35 AVG verplicht wanneer een verwerking waarschijnlijk een hoog risico oplevert voor de rechten en vrijheden van betrokkenen, en moet worden uitgevoerd voordat de verwerking begint. De Autoriteit Persoonsgegevens (AP) heeft op grond van artikel 35 lid 4 AVG een formeel besluit vastgesteld, de Lijst verplichte DPIA, gepubliceerd op 27 november 2019, waarin verwerkingen staan waarvoor een DPIA verplicht is. Daarnaast geldt dat een verwerking die voldoet aan twee of meer van de negen criteria uit de WP248-richtsnoeren in beginsel een DPIA vereist. Het achterwege laten van een verplichte DPIA is zelfstandig beboetbaar onder artikel 83 lid 4.

Wat moet een DPIA volgens artikel 35 lid 7 bevatten?

Artikel 35 lid 7 AVG bepaalt de minimuminhoud, die identiek is in Nederland, Ierland en het Verenigd Koninkrijk. Een DPIA moet bevatten: een systematische beschrijving van de voorgenomen verwerkingen en de doeleinden van de verwerking; een beoordeling van de noodzaak en evenredigheid van de verwerking in verhouding tot de doeleinden; een beoordeling van de risico's voor de rechten en vrijheden van betrokkenen; en de maatregelen die worden voorzien om die risico's aan te pakken, waaronder waarborgen en beveiligingsmaatregelen. De functionaris voor gegevensbescherming (FG) moet worden geraadpleegd. Blijft er na de maatregelen een hoog restrisico bestaan, dan moet de AP voor de start van de verwerking worden geraadpleegd op grond van artikel 36.

Waar moeten Nederlandse organisaties op letten bij het kiezen van DPIA-software?

Een geschikte oplossing ondersteunt de toetsing aan artikel 35 lid 3, de Lijst verplichte DPIA van de AP en de negen WP248-criteria, structureert de inhoud die artikel 35 lid 7 vereist, en maakt een controleerbare goedkeuring door de FG mogelijk. Acompli ondersteunt deze stappen: de software begeleidt de drempeltoets, structureert de inhoud van de beoordeling, classificeert risico's ter beoordeling en leidt de DPIA naar goedkeuring. De uiteindelijke afweging van noodzaak, evenredigheid en restrisico maakt altijd een mens; de software assisteert de FG en de teams, maar vervangt hun oordeel of de eindbeslissing niet.