Impact assessment overview
Screening criteria, questionnaire templates (DPIA/PIA), the four-step creation wizard, and the assessment register.
When you need a DPIA
A Data Protection Impact Assessment (DPIA, GDPR Article 35; called a PIA under US frameworks) is required by most privacy laws when processing is likely to result in a high risk to individuals. Ghost helps you screen the activity, collect evidence through questionnaires, score risk, and keep a register you can export for audits or regulators.
Open Impact assessments from the Compliance sidebar (or the header tools menu, then Compliance). Plan limits apply to how many assessments you can create; see Pricing for details.
Where everything lives
Under Assessments you will find Impact assessments and, separately, LIA for legitimate interest work. This guide is only about DPIAs. For the three-part LIA flow, see Legitimate interest assessments.
For questionnaires, risk scoring, and sign-off, continue with Impact assessment questionnaires and responses and Impact assessment risk scoring and sign-off.
Screening (EDPB criteria)
Screening answers whether a full DPIA is necessary. Ghost uses the nine criteria published by the European Data Protection Board (EDPB) — a practical checklist regardless of your jurisdiction.
- On the Impact assessments list, click New assessment.
- Add a title (required) and optionally a description for context.
- Work through the screening checklist. Tick every criterion that applies: systematic monitoring, large-scale special-category processing, automated decision-making, innovative technology, and so on. Each row includes a short explanation.
- Ghost counts your ticks and shows the outcome live. Two or more ticks usually mean a full DPIA is required. One tick means the assessment is recommended. Zero means it is not required by the checklist alone, though your organisation may still want to document the evaluation.
- From your ticks, Ghost highlights recommended questionnaire templates and labels some as essential for that risk mix. You pick templates in the next step of the wizard.
Questionnaire templates
Questionnaires are how you collect structured answers from stakeholders (for example a project lead, security contact, or processor). Ghost includes system templates grouped by topic, and you can add custom templates on the Templates page.
Each template has sections and questions. Questions can be short text, long text, single or multiple choice, yes/no, number, or date. Authors can attach risk weights to answer options and help text for respondents.
Go to Impact assessments → Templates in the sidebar to create, duplicate, or remove org templates. In the creation wizard you can also save a customised set as a new template for next time.
Creating a DPIA (four steps)
- Title and screening. Name the assessment, run the checklist, and review which templates Ghost recommends.
- Templates and questions. Select one or more templates, reorder them, turn individual questions on or off, mark questions required, add custom sections or questions, and optionally save as a new template.
- Stakeholders. For each questionnaire, set the respondent (name, email, optional due date). Different questionnaires can go to different people.
- Review and create. Confirm title, screening outcome, questionnaire count, and respondents, then create. The new assessment opens in draft with the screening summary, questionnaire cards, and an empty risk register.
The DPIA list
The register table shows title, status, dates, and links into each record, like other Compliance modules. Archived assessments are hidden by default; use Show archived to include them.