A privacy program that uses agents needs two layers. OneTrust holds the DPIA. Vanta holds the control evidence. Dock holds what the agent concluded about a new processing activity, which fields it flagged as high risk, and which named person on the privacy team approved or rejected the conclusion.
OneTrust and Vanta stay the system of record for the raw data: assessment templates, processor inventories, control test results. Dock is the system of record for what the agent interprets from that data. Each Dock row carries a pointer back to the platform record (onetrust_assessment_id, vanta_control_id), the agent identity that produced the draft, the privacy reviewer who signed off, the decision, and the timestamp. The agent re-fetches OneTrust and Vanta state via fresh API reads when it needs current values. See agent identity for why the principal field matters.
Dock surface: DPIA Risk Rationale table
| onetrust_assessment_id | processing_activity | agent_risk_score | agent_rationale | reviewer | decision | decided_at |
|---|---|---|---|---|---|---|
| OT-DPIA-4471 | New CRM enrichment vendor | High | Vendor processes EU PII, no current SCCs on file, sub-processor list incomplete | priya.s@acme.com | Block until SCCs signed | 2026-05-28 14:02 UTC |
| OT-DPIA-4472 | Marketing analytics SDK | Medium | Pseudonymous IDs, opt-out flow exists, retention 13 months | priya.s@acme.com | Approve with retention reduction to 6 months | 2026-05-29 09:11 UTC |
| OT-DPIA-4473 | Internal LLM fine-tuning on support transcripts | High | Special category data possible, no consent capture, training irreversible | dpo@acme.com | Reject | 2026-05-29 16:40 UTC |
Workflow: agent drafts, privacy team decides
A product manager kicks off a OneTrust DPIA for a new vendor. The privacy agent reads the OneTrust assessment, pulls the vendor's processing scope, cross-checks Vanta for existing control coverage, and writes a row in the Dock table above. The draft rationale names every clause the agent thinks is high risk and cites which OneTrust question and which Vanta control it relied on.
The privacy lead opens the Dock row, reads the rationale next to the linked OneTrust assessment, edits the score if needed, and sets the decision field. Because rejecting a DPIA or approving training on user data is irreversible at scale, the decision passes through a two-key handshake before the agent writes the outcome back to OneTrust. The dangerous-ops contract defines which decision types require the second signature.
Why this matters
Regulators want DPIAs to show reasoning, not just a score. The UK ICO's DPIA guidance requires a record of how risks were assessed and what mitigations were chosen. The NIST Privacy Framework frames the same expectation as enterprise risk management with named accountability. An agent-only score satisfies neither. A score with attributed human review does.
Keeping rationale in Dock instead of OneTrust's free-text fields means privacy teams can query it. You can ask which DPIAs the agent flagged high but the reviewer overrode, and why. That history feeds agent audit and compliance work and the broader Dock-for-compliance and Dock-for-legal programs.
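As an added illustration of the two-key handshake above and the override query, not Dock's own code or API: a minimal row model, the decision gate, and the audit query in Python. The TWO_KEY_DECISIONS set, the field names and the Vanta control IDs are assumptions, and the first sample row deliberately differs from the table so an override shows up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical dangerous-ops contract: decision types needing a second signature
# before the outcome is written back to OneTrust (assumed, not Dock's real contract).
TWO_KEY_DECISIONS = {"Reject", "Approve training on user data"}

@dataclass
class DpiaRow:
    onetrust_assessment_id: str
    processing_activity: str
    agent_id: str                     # principal that produced the draft
    agent_risk_score: str             # High / Medium / Low
    agent_rationale: str
    vanta_control_ids: List[str]      # controls the agent cited
    reviewer: Optional[str] = None
    reviewer_score: Optional[str] = None
    decision: Optional[str] = None
    second_signer: Optional[str] = None
    decided_at: Optional[datetime] = None
    written_back: bool = False        # stands in for the OneTrust write-back call

def record_decision(row, reviewer, decision, score=None, second_signer=None):
    """Apply the reviewer's decision, enforcing attribution and the two-key rule."""
    if reviewer == row.agent_id:
        raise PermissionError("the drafting agent cannot be the reviewer")
    if decision in TWO_KEY_DECISIONS:
        if second_signer is None:
            raise PermissionError(f"{decision!r} needs a second signature")
        if second_signer in (reviewer, row.agent_id):
            raise PermissionError("second signer must be a different human")
    row.reviewer, row.decision, row.second_signer = reviewer, decision, second_signer
    row.reviewer_score = score or row.agent_risk_score  # agent draft stays as history
    row.decided_at = datetime.now(timezone.utc)
    row.written_back = True
    return row

def overridden_high_risk(rows):
    """Audit query: DPIAs the agent scored High that the reviewer downgraded or approved."""
    return [r.onetrust_assessment_id for r in rows if r.decision
            and r.agent_risk_score == "High"
            and (r.reviewer_score != "High" or r.decision.startswith("Approve"))]

# Constructed sample rows; control IDs are placeholders.
ROWS = [
    DpiaRow("OT-DPIA-4471", "New CRM enrichment vendor", "privacy-agent", "High",
            "No SCCs on file", ["VANTA-CTRL-PLACEHOLDER-1"]),
    DpiaRow("OT-DPIA-4473", "LLM fine-tuning on transcripts", "privacy-agent", "High",
            "Special category data possible", ["VANTA-CTRL-PLACEHOLDER-2"]),
]
record_decision(ROWS[0], "priya.s@acme.com", "Approve with SCC deadline", score="Medium")
record_decision(ROWS[1], "priya.s@acme.com", "Reject", second_signer="dpo@acme.com")
```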
Run your next DPIA through this loop and see the audit trail it produces.
FAQ
Does the DPIA still live in OneTrust? Yes. OneTrust remains the system of record for the assessment itself, the processor inventory, and the contract artifacts. Dock holds the agent's reasoning and the privacy team's attributed decision.
What if the agent and the reviewer disagree? The reviewer's decision wins and is written to both Dock and OneTrust. The agent's original draft stays in the Dock row as history, so later audits can see where human judgment overrode the model.
How does Vanta fit in? Vanta supplies the current control state the agent reads when scoring risk. If a SOC 2 control is failing or evidence is stale, the agent factors that into the rationale and cites the Vanta control ID in the Dock row.
Why not let the agent approve low-risk DPIAs itself? Approval of a processing activity is a decision with regulatory weight. Naming a human reviewer on every DPIA, even low-risk ones, is what lets you answer the regulator's question of who approved this.