Evidence-linked
Every risk is grounded in approved assessments.
Risk Management · Article 5(2) accountability
Extract candidate risks from approved assessment evidence, route them through review, assign owners and treatment plans, and report on current exposure without re-keying findings into a separate register.

Acompli builds your risk register directly from approved assessments — extraction, consistency checks, treatment plans, and dashboards in one governed workflow.
Before any extraction begins, a readiness assessment validates whether the assessment covers the questions needed for meaningful risk identification, where quality signals are strong, and which areas are likely to produce low-confidence results.
The DPO knows whether the data is ready before any AI analysis runs — not after a set of unreliable results has already been generated.
Does the assessment cover the questions needed for meaningful risk identification?
Where are signals strong? Where are inputs missing or likely to produce low-confidence results?
Clear recommendation on whether to proceed with extraction or improve the assessment first.
The outcome
Six connected stages, one governed register. From assessment evidence to action, every risk has a source, owner, treatment path and audit history.
Every risk is grounded in approved assessments.
Treatment plans with owners, dates and ROI.
Draft-first, reviewed, approved and audit-ready.
Live dashboards reflect the latest reality.
Built for GDPR accountability
Acompli links risk records to assessments, RoPA, suppliers and approvals so privacy teams can evidence how risks were identified, evaluated, treated and reviewed.
Demonstrate how risks are identified, assessed and managed.
Follow up on DPIA results with action and evidence of implementation.
Full audit trail for regulators and internal review.
Clear evidence of risk management over time.
Article 5(2) & Article 35 answer
There is no standalone statutory duty to keep a ‘risk register’ in either jurisdiction, but both regulators expect data protection risks to be documented and acted on. Under GDPR Article 5(2) accountability — enforced by the Data Protection Commission (DPC) in Ireland and, under the UK GDPR, by the ICO — you must be able to demonstrate how risks are identified, rated and treated, and Article 35 requires the risks a DPIA surfaces to be followed up. A risk register is the practical evidence of that.
Acompli builds the register from approved assessments so each entry traces to its source question, response and approval — the kind of demonstrable record the DPC and ICO look for. The AI drafts and scores each entry; nothing is published until the DPO signs off.
Key takeaways
Primary sources
The accountability principle in GDPR Article 5(2) and the DPIA follow-up duty in Article 35 are why a documented, traceable risk record matters in an Irish or UK regulatory review. Acompli builds that record from approved assessments, with every AI-drafted entry grounded against the source text and signed off by the DPO.
Last reviewed: June 11, 2026. For the legal-requirement and when-mandatory detail on the assessments that feed the register, see the DPIA guide and Assessments; for international transfers, see the Transfer Impact Assessment guide.
Assessments is the source workflow that feeds the register; RoPA Management holds the Article 30 record; the TIA guide owns the Schrems II method.
Recent privacy risk updates
Recent enforcement, breach and transfer developments often become risk-register work: update the evidence, confirm owners, review treatment and track residual exposure.
The Irish High Court has upheld the Data Protection Commission's €530 million fine against TikTok over the transfer of EEA user data to China and related transparency failures, confirming one of the largest GDPR penalties on record while allowing a narrow appeal on the size of the fine to proceed.
Novo Nordisk has disclosed a security incident in which attackers copied personal data from internal systems, including pseudonymised clinical trial data covering biomarkers and lifestyle factors, and directly identifying information about healthcare professionals - a breach that illustrates the layered sensitivity of health-sector data.
A compromise of market intelligence platform Klue allowed attackers to steal OAuth tokens connecting customer Salesforce environments, exposing business data across numerous organisations including Tanium, Gong, Huntress, and LastPass - a textbook SaaS supply-chain attack built on a forgotten legacy credential.
Risk FAQ
How Acompli builds and maintains a GDPR risk register grounded in evidence.
Privacy risk management software turns assessment findings, incidents and control gaps into governed risk records. In Acompli, each risk links back to the source DPIA or assessment evidence, carries inherent and residual scoring, has named owners and treatment tasks, and remains draft until a human reviewer approves it.
Risk management is built into the platform — connected to your DPIAs, RoPA, and data map in one workflow.