Risk Management · Article 5(2) accountability

Privacy risk management software for evidence-linked risk records

Extract candidate risks from approved assessment evidence, route them through review, assign owners and treatment plans, and report on current exposure without re-keying findings into a separate register.

[Image: Acompli risk register dashboard showing evidence-linked risk records, owners and treatment status]
Risk ownership and mitigation tasks

From assessment to action — with nothing lost in between

Acompli builds your risk register directly from approved assessments — extraction, consistency checks, treatment plans, and dashboards in one governed workflow.

  1. 01 Readiness
  2. 02 Extraction
  3. 03 Consistency
  4. 04 Treatment
  5. 05 Governance
  6. 06 Dashboards

01 Readiness

A readiness check before anything runs

Before any extraction begins, a readiness assessment validates whether the assessment covers the questions needed for meaningful risk identification, where quality signals are strong, and which areas are likely to produce low-confidence results.

The DPO knows whether the data is ready before any AI analysis runs — not after a set of unreliable results has already been generated.

Coverage validation

Does the assessment cover the questions needed for meaningful risk identification?

Quality prediction

Where are signals strong? Where are inputs missing or likely to produce low-confidence results?

Proceed or improve

Clear recommendation on whether to proceed with extraction or improve the assessment first.

The outcome

Evidence-linked risk management that drives action

Six connected stages, one governed register. From assessment evidence to action, every risk has a source, owner, treatment path and audit history.

Evidence-linked

Every risk is grounded in approved assessments.

Actionable

Treatment plans with owners, dates and ROI.

Governed

Draft-first, reviewed, approved and audit-ready.

Always current

Live dashboards reflect the latest reality.

Built for GDPR accountability

Meet Article 5(2) accountability and Article 35 DPIA follow-up obligations

Acompli links risk records to assessments, RoPA, suppliers and approvals so privacy teams can evidence how risks were identified, evaluated, treated and reviewed.

  1. Article 5(2): Demonstrate how risks are identified, assessed and managed.
  2. Article 35: Follow up on DPIA results with action and evidence of implementation.
  3. DPO oversight: Full audit trail for regulators and internal review.
  4. Inspector-ready: Clear evidence of risk management over time.

Article 5(2) & Article 35 answer

Is maintaining a data protection risk register a legal requirement in Ireland and the UK?

There is no standalone statutory duty to keep a ‘risk register’ in either jurisdiction, but both regulators expect data protection risks to be documented and acted on. Under GDPR Article 5(2) accountability — enforced by the Data Protection Commission (DPC) in Ireland and, under the UK GDPR, by the ICO — you must be able to demonstrate how risks are identified, rated and treated, and Article 35 requires the risks a DPIA surfaces to be followed up. A risk register is the practical evidence of that.

Acompli builds the register from approved assessments so each entry traces to its source question, response and approval — the kind of demonstrable record the DPC and ICO look for. The AI drafts and scores each entry; nothing is published until the DPO signs off.

Key takeaways

  • Evidence shows why a risk exists, what mitigation was chosen, who approved it and when it was reviewed.
  • Risks should connect to RoPA through the relevant processing activity, data category, system, vendor, transfer or assessment.
  • Risk ownership matters because mitigation needs named owners, review dates and task status.
  • AI may draft and score, but a human reviews and approves the final risk record.
  • There is no standalone ‘risk register’ law, but a register is the expected evidence: GDPR Article 5(2) accountability (enforced by the DPC in Ireland) and the UK GDPR (ICO) require you to show how risks are identified, rated and treated, and Article 35 requires DPIA risks to be followed up.
  • The DPC and ICO expect a current, demonstrable risk record — not a stale spreadsheet — in an audit, inquiry or post-breach investigation.
  • When comparing risk-register tools, score on evidence links back to the source DPIA, separate inherent vs residual scoring, and a tracked treatment plan with named owners — the full five-point checklist is in the questions below.
  • For Schrems II transfers, the register should record the destination, the Article 46 mechanism, whether a Transfer Impact Assessment is approved, the supplementary measures and the residual risk.

Primary sources

An evidence-linked register the DPC and ICO can inspect

The accountability principle in GDPR Article 5(2) and the DPIA follow-up duty in Article 35 are why a documented, traceable risk record matters in an Irish or UK regulatory review. Acompli builds that record from approved assessments, with every AI-drafted entry grounded against the source text and signed off by the DPO.

Last reviewed: June 11, 2026. For the legal-requirement and when-mandatory detail on the assessments that feed the register, see the DPIA guide and Assessments; for international transfers, see the Transfer Impact Assessment guide.

Recent privacy risk updates

Risk signals privacy teams need to keep on the register

Recent enforcement, breach and transfer developments often become risk-register work: update the evidence, confirm owners, review treatment and track residual exposure.

Risk FAQ

Risk management questions answered

How Acompli builds and maintains a GDPR risk register grounded in evidence.

Privacy risk management software turns assessment findings, incidents and control gaps into governed risk records. In Acompli, each risk links back to the source DPIA or assessment evidence, carries inherent and residual scoring, has named owners and treatment tasks, and remains draft until a human reviewer approves it.

See risk management in action

Risk management is built into the platform — connected to your DPIAs, RoPA, and data map in one workflow.