Impact assessment risk scoring and sign-off
Automated scoring, the manual risk register, status workflow, Article 30 register links, PDF export, and practical tips.
Automated risk scoring
After questionnaires are in, Ghost can derive an automated risk score from the weights on each answer. Use Score risk and review (or Re-score risk after big changes).
The Risk assessment tab shows:
- An overall risk level (low, medium, high, very high) and numeric score. Hover the info icon for how thresholds work.
- Risk factors: specific concerns from the answers, with categories and how they contribute to the score.
- Recommended remediations: suggested mitigations tied to those factors.
- An outcome recommendation (for example proceed, proceed with conditions, or reconsider), in plain language.
Populate register copies factors and suggested remediations into the manual risk table below so you can edit, add context, or remove what does not apply.
Manual risk register
Below the automated block (or on its own if you skip scoring) sits the editable risk register:
- Add a risk with a plain-language description of what could harm individuals.
- Set likelihood and impact (1 to 5 each). Ghost derives a score and level.
- Add remediations per risk: what will be done, owner, status (planned, in progress, implemented).
That gives you residual risk after mitigations and a clear ownership trail for auditors.
Status workflow
Available actions depend on status and your permissions:
- Draft. Move to Start collecting when you are ready to send questionnaires.
- Collecting. When questionnaires are far enough along, run scoring and Submit for review.
- Under review. An approver can Approve or Reject (rejection needs a reason). Risk can be re-scored here too.
- Approved. Can be Reopened with a reason if something changes.
- Reopened. Similar to draft: you can run another collection cycle and submit again.
You can Archive to take an assessment off the active list, then Unarchive or delete where your role allows. Draft records can often be deleted directly.
Linking to Article 30 register activities
On the Risk assessment tab, Linked processing activities ties this assessment to rows in your Article 30 register. Use Create activity from here or link from the Article 30 register side. Linked activities can show a risk badge so reviewers see assessment status without hunting.
Exporting
Export PDF on the DPIA detail page builds one file with screening, responses, risk register, remediations, and history. Useful for committees, regulators, or offline storage.
Practical tips
- Start the DPIA before go-live when screening points at high risk. Retrofitting under investigation is painful.
- Use return-for-revision when answers are thin. Each round is dated and commented so the trail is obvious.
- Treat automated scoring as a draft. Adjust the register for your real-world context before you rely on it for decisions.
- Link each DPIA to the right processing activity so the register and the assessment stay connected.
- Reject with a clear reason when you need to show review was real, not a rubber stamp.