

Compliance hub overview

Tutorial: navigate the Compliance module and work with breaches, DPIAs, third parties, consent, training, policies, and retention.

Last updated April 2026

What the Compliance module covers

The Compliance module brings together the registers, assessments, and governance documents that privacy teams typically manage in separate spreadsheets or tools. Everything lives under one sidebar so you can move between areas without switching products. Check the pricing page to confirm which subscriptions include Compliance.

When you first open Compliance you land on the Compliance Hub, a card grid that links to every area. From any area you can use the sidebar to jump to another.

The sidebar organises areas into four groups:

  • Incidents contains the Breach register and Log breach.
  • Assessments contains DPIAs and Legitimate Interest Assessments (LIAs).
  • Registers contains Third Parties, Legal basis, Consent, and Training.
  • Governance contains Policies and Retention.

Breach register

The Breach register (in the Incidents group) is where you log personal data breaches, as the breach-notification rules in most privacy frameworks require.

  1. Open Log breach in the sidebar (or the new-breach button on the register page).
  2. Fill in the initial form: when the breach was discovered, a short title, what happened, how it was discovered, and the reporter's name and role. The form creates a draft record.
  3. On the breach detail page you can then fill in severity, regulatory authority steps, and any other fields that become clear as your investigation progresses.

Each breach has a detail page with an audit event timeline so you can trace when each action was taken. That timeline is useful when preparing regulatory authority notifications or individual communications. For a full walkthrough, see Breach management.

Impact assessments (DPIAs and LIAs)

Impact assessments (a DPIA under the GDPR, or a PIA under US frameworks) are required when processing is likely to result in a high risk to individuals.

  1. Open Impact assessments in the sidebar to see existing assessments.
  2. Create a new assessment. The four-step wizard starts with a screening checklist based on criteria published by the EDPB (a practical checklist regardless of your jurisdiction). It then lets you choose questionnaire templates (Ghost recommends templates based on your screening results), assign respondents, and review before creating.
  3. Send questionnaires to stakeholders. Respondents fill in their answers via a unique link. You can accept responses or return them for revision with comments.
  4. Once responses are collected, Ghost calculates an automated risk score from the answer weights and surfaces risk factors, recommended remediations, and an outcome recommendation.
  5. Use the risk register to document risks manually or populate it from the automated results. Each risk has a likelihood, impact, score, and one or more remediations with owners and statuses.

Legitimate Interest Assessments (LIAs) follow a simpler pattern. Open LIA in the sidebar to document the three-part test: purpose, necessity, and balancing against the individual's rights. Each LIA has its own detail page and timeline. For DPIAs, start with Impact assessment overview, then use Impact assessment questionnaires and responses and Impact assessment risk scoring and sign-off when you need more detail. For LIAs specifically, see Legitimate interest assessments.

Plan limits apply to assessments. See Pricing for what each plan includes.

Third parties, legal basis, consent, and training

The Registers group covers four areas that most compliance programmes track:

  • Third Parties is where you list processors and sub-processors. Each third-party record captures the category, country, agreement status, purposes, and any international transfer details. Each third party has a detail page for ongoing due diligence.
  • Legal basis maps each processing activity to its legal basis (consent, contract, legitimate interest, and so on). This register complements your Article 30 register and helps you answer "what is our legal basis for this?" quickly.
  • Consent tracks where and how you collect consent, what individuals were told, and whether consent is current or withdrawn. Create new records for each consent mechanism you operate.
  • Training logs training sessions, who attended, when certificates expire, and which topics were covered. Ghost surfaces expiring training on the Dashboard so nothing lapses quietly.

Each area follows the same pattern: a register page listing all records, a form to create new entries, and a detail page for each record with full editing and an audit timeline. For deep dives, see Third-party management, Consent and legal basis, and Training and policies.

Policies and data retention

Policies is where you maintain your privacy notices, internal policies, and related governance documents. Each policy record tracks the document title, status, review date, and owner. Use it to make sure no policy goes stale between review cycles.

Retention schedules define how long you keep different categories of personal data and what happens when the period expires. Maintaining these schedules in Ghost means they are visible to the whole team alongside your Article 30 register, third-party list, and everything else. For a full walkthrough, see Data retention.

Getting started

Open the Compliance module from the header tools menu. If you do not see it, check with an owner or admin that your organisation's subscription includes Compliance and that your role has the right permissions.

  1. Start with the Compliance Hub to see all areas at a glance.
  2. Pick the area that is most urgent for your programme (often the incident register or DPIAs).
  3. Create your first record to see the form structure, then fill in the rest at your own pace.
  4. Use the Dashboard to monitor compliance metrics alongside privacy request and Article 30 register data.

For background on how Ghost's product areas connect, read Introduction to Ghost.

© 2026 Ghost. All rights reserved.