Skip to main content

On-demand webinar coming soon...

Blog

Your complete guide to General Data Protection Regulation (GDPR) compliance

GDPR compliance means an organization that falls within the scope of the GDPR meets the requirements for properly handling personal data.

Robb Taylor-Hiscock
Privacy Content Lead, CIPP/E, CIPM
April 16, 2021

The EU flag on top of the Reichstag building in Berlin, Germany

What does it mean to be GDPR compliant?

At its core, GDPR compliance means an organization that falls within the scope of the General Data Protection Regulation (GDPR) meets the requirements for properly handling personal data as defined in the law.

The GDPR outlines certain obligations organizations must follow which limit how personal data can be used. It also defines eight data subject rights that guarantee specific entitlements for individual’s personal data. Ultimately giving individuals more autonomy over their personal information and how it is used.

 

Overview of the GDPR

The GDPR is the strongest global privacy law in effect today. Created by the European Union (EU) to regulate how organizations collect, handle, and protect personal data of EU residents. The GDPR took effect on May 25, 2018, and is a binding regulation written directly into Member States’ laws. It is designed to strengthen privacy rights by giving data subjects control of how their personal data is obtained, used, and shared.

The GDPR set out with three main goals in mind:

  1. Establish and protect the fundamental privacy rights of individuals.
  2. Unify privacy laws across the EU by replacing the 28 individual EU member state laws and the previous 1995 Data Protection Directive.
  3. Adapt privacy laws that reflect the change the technology landscape has made on personal data over the last 25 years.

 

GDPR terminology

Let’s define some of the basic terminology of the GDPR before we dig into the details.

  • Data Subject is any person formally residing in the EU who has their data collected, held, or processed by a controller or processor.
  • Data Controller refers to the entity responsible for determining the purpose and lawful basis for processing personal data.
  • Data Processor, who collaborates with the Data Controller, refers to the individual responsible for processing personal data on behalf of the controller.
  • Processing involves any automated or manual operation or set of operations performed on personal data or sets of personal data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and so on.
  • Personal data refers to any information related to a natural person (‘data subject’) that can directly or indirectly identify that person as it relates to their private, professional, or public life, including a name, email address, photos, or even bank statements.
  • Obtaining the consent of the data subject refers to any “freely given, specific, informed and unambiguous indication” that the data subject agrees to the processing of personal data related to them. Data subjects can provide consent with either a statement or explicit affirmative action.

 

Does the GDPR apply to your organization?

To decide whether you are covered under the GDPR, you need to consider both the ‘material scope’ (i.e., whether your processing activity is regulated by the GDPR) and the ‘territorial scope’ (i.e., whether you are in a jurisdiction where the GDPR applies).

 

Does the GDPR apply to US companies?

US organizations may fall within the scope of the GDPR. To determine whether or not your organization must comply, the same analysis must be applied by looking at the material and territorial scope of the law outlined below. In short, if your organization processes (i.e., collects, records, structures, stores, alters, uses, discloses, erases, etc.) personal information of someone residing in the EU for the exchange of goods or services or for the purposes of monitoring the behavior of EU-citizens, then you likely fall within the scope of the GDPR.

 

The material scope

The GDPR applies to the processing of personal data carried out wholly or partly by automated means. It also applies to the processing that does not use automated means but forms part of a filing system or is intended to form part of a filing system. This covers most activities that organizations do with data, including collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing or deleting personal data.

 

The territorial scope: Does the GDPR apply outside the EU?

The GDPR applies to the processing of personal data by a controller, or a processor established in the EU, regardless of whether the processing takes place in the EU.

It also has an extraterritorial application for a controller or a processor, which is not established in the EU, if the controller or the processor offers goods or services to data subjects in the EU or monitors data subjects’ behavior taking place in the EU. For example, the GDPR applies to a US online shopping website which attracts and offers goods to customers in the EU. The offering of goods and services could be complimentary, free of charge. This could cover foreign government agencies or non-profit organizations. For example, the GDPR applies to a travel information page run by a US State government that collects personal information such as IP addresses while the site visitors from EU access the free travel information.

 

What are GDPR data subject rights?

The GDPR outlines eight fundamental data subject rights, plus the right to withdraw consent. Let’s take a closer look at these rights:  

  1. Right to be informed (GDPR Articles 12 to 14)
    Data subjects have the right to be informed about the collection and use of their personal data.
  2. Right to access (GDPR Article 15)
    Data subjects have the right to view and request copies of their personal data.
  3. Right to rectification (GDPR Article 16)
    Data subjects have the right to request inaccurate or outdated personal information be updated or corrected.
  4. Right to be forgotten / Right to erasure (GDPR Article 17)
    Data subjects have the right to request their personal data be deleted. Note that this is not an absolute right and may be subject to exemptions based on certain laws.
  5. Right for data portability (GDPR Article 20)
    Data subjects have the right to ask for their data to be transferred to another controller or provided to them. The data must be provided in a machine-readable electronic format.
  6. Right to restrict Processing (Article 18)
    Data subjects have the right to request the restriction or suppression of their personal data.
  7. Right to withdraw consent (GDPR Article 7)
    Data subjects have the right to withdraw previously given consent to process their personal data.
  8. Right to object (GDPR Article 21)
    Data subjects have the right to object to the processing of their personal data.
  9. Right to object to automated processing (GDPR Article 22)
    Data subjects have the right to object to decisions being made with their data solely based on automated decision making or profiling.

 

11 step GDPR compliance checklist

Now that we understand the basics, let’s jump into the steps your organization can take to meet GDPR compliance. GDPR compliance can look a bit different depending on your organization, but there are specific steps any organization can take now to create a GDPR compliant privacy program:

  1. Create an actionable plan using the 7 principles of the GDPR
  2. Generate a processing register for article 30
  3. Operationalize Data Protection Impact Assessment (DPIA) and Privacy by Design (PbD)
  4. Build a framework for consent management
  5. Meet EU privacy cookie compliance requirements
  6. Build a data subject rights request portal
  7. Review and remediate processor risks
  8. Prepare an incident reporting & breach management workflow
  9. Review cross border data transfer mechanisms
  10. Implement GDPR compliance training
  11. Appoint a Data Protection Officer (DPO)

 Let’s take a deeper look at each step.

 

Step 1: Create an actionable plan using the 7 principles of the GDPR

The GDPR sets out seven key principles which should be at the core of your approach for personal data processing:

  • Lawfulness, fairness, and transparency – There should be a lawful basis for each processing activity. The data processing is not in a way that is unexpected, and the data subject is informed of the processing.
  • Purpose limitation – Be clear about your purposes for processing and record and specify them in the privacy notice to individuals. Limit the processing to those identified purposes.
  • Data minimization – Only process personal data to the extent necessary.
  • Accuracy – Ensure the personal data that you processed is accurate and up to date. Correct or erase inaccurate personal data as soon as possible.
  • Storage limitation – Only keep personal data if you need it.
  • Integrity and confidentiality (security) – Have appropriate security measures in place to protect the personal data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
  • Accountability – Take responsibility for what you do with personal data and have appropriate measures and records in place to demonstrate your compliance with the data processing principles.
     

The GDPR requires implementation of appropriate technical and organizational measures to implement the data protection principles effectively and safeguard data subject rights. This is called ‘data protection by design and by default’. This means you have to integrate data protection into your processing activities and business practices from the design stage across the entire data processing lifecycle.

 

GDPR Articles:

  • Article 5: Principles Relating to Processing of Personal Data
  • Article 24: Responsibility of the Controller

 

Step 2: Generate a processing register for Article 30

The GDPR requires organizations to keep records of their processing activities and ensure such records are always up to date. Data mapping describes the operational process to generate a central inventory of the organization’s data flows and keeping it up to date.

Although the GDPR does not specifically mention data mapping, it does require both controllers and processors (B2B and B2C) to maintain an inventory of processing activities. GDPR Article 30 is extremely specific in its requirements, so even if an organization has previously performed data mapping, it will need to be updated or redone to meet the GDPR requirements.

 

GDPR Articles:

  • Article 6: Lawfulness of Processing
  • Article 30: Records of Processing Activities (Primary)
  • Article 32: Security of Processing

 

Step 3: Operationalize Data Protection Impact Assessment (DPIA) and Privacy by Design

The GDPR requires controllers to conduct a Data Protection Impact Assessment (DPIA) where processing operations are likely to result in a high risk to individuals. Many details within the GDPR make this more involved than a standard questionnaire; for example, requiring a Data Protection Officer (DPO) involvement in specific workflows, tracking mitigation activities, documenting risk in terms of harm to the individual, data subject consultations, etc.

In addition, organizations in practice implement a lightweight screening questionnaire to analyze risk and then determine if a full DPIA is needed. These workflow and documentation requirements, as well as the user experience and integration expectations of the business users, require purpose-built tools to operationalize the GDPR.

Operationalized properly, the DPIA can be an effective approach to meeting the Data Protection by Design and Default requirement.

 

GDPR Articles:

  • Article 25: Data Protection by Design and by Default
  • Article 35: Data Protection Impact Assessments
  • Article 36: Prior Consultation

 

Step 4: Build a framework for consent management

The GDPR sets a higher standard for organizations processing data based on consent. For example, consent needs to be: specific, clear and in plain language, not buried in legal notices, not grouped with multiple notices, easy to withdraw, etc. In addition, organizations need to be able to demonstrate consent was received in granular ways.

 

GDPR Articles:

  • Article 7: Conditions for Consent

 

Step 5: Meet EU privacy cookie compliance requirements

Under the ePrivacy Directive, organizations must tell people if they are using cookies, and explain what the cookies do and why. User’s consent must be obtained in a process that allows the organization to demonstrate that the consent was actively and clearly given. The users also need to be informed about the different functions of the cookies used on the website, as well as the identity of organizations that deploy the cookies and use the data collected through them. There is an exception for cookies that are essential to provide an online service at the individual’s request, for example, to remember what’s in their online basket, or to ensure security in online banking. The same rules apply if other types of technologies are used to store or gain access to information on someone’s device (for example SDKs for mobile apps).

The ePrivacy Directive requirements apply no matter whether the cookies are processing anonymous or personal data. Even where the cookie data is anonymous, the user consent for collecting them needs to meet the GDPR standards. If the cookie data is not anonymous, the organization will also need to comply with additional GDPR rules for personal data protection, such as conducting a DPIA and recording such processing activity in their records of processing.

The GDPR has influenced the drafting of ePrivacy Regulation that will replace the current ePrivacy Directive and align even closer with the GDPR. Organizations will be facing increased penalties and more focused regulatory action under the Draft ePrivacy Regulation.
 

GDPR Articles:

  • Article 7: Conditions for Consent
  • Article 21: Right to Object
  • ePrivacy Directive / Draft ePrivacy Regulation

 

Step 6: Build a Data Subject Rights (DSAR) request portal

The GDPR gives data subjects specific rights, such as: data portability, access, erasure or “right to be forgotten”, rectification, and more. Additionally, there are specific record keeping requirements around the time to respond, the ability to request an extension, the requirement to validate the identity, securely transmitting the response to the individual, to name a few. Having an automated portal that can help intake and triage these requests is a vital step in managing, tracking, and reporting on your DSAR requests.

 

GDPR Articles:

  • Article 7: Conditions for Consent
  • Article 12: Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject
  • Article 13: Information to be Provided Where Personal Data are Collected from the Data Subject
  • Article 14: Information to be Provided where Personal Data have not been Obtained from the Data Subject
  • Article 15: Right of Access by the Data Subject
  • Article 16: Right to Rectification
  • Article 17: Right to Erasure (“Right to be Forgotten”)
  • Article 18: Right to Restriction of Processing
  • Article 19: Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing
  • Article 20: Right to Data Portability
  • Article 21: Right to Object

 

Step 7: Review and remediate processor risks

The GDPR holds the controller responsible for actions or breaches by the processor. It is critical to analyze processor data transfers and contractual obligations with the same level of diligence as internal processing activities to have a defensible posture in the unfortunate event that a processor has a breach. In addition, it allows organizations to quickly understand what data was impacted in that breach.

 

 GDPR Articles:

  • Article 28 (1)-(3): Processor
  • Article 24 (1): Responsibility of the Controller
  • Article 29: Processing Under the Authority of the Controller or Processor
  • Article 46 (1): Transfers Subject to Appropriate Safeguards

 

Step 8: Prepare an incident reporting & breach management workflow

The GDPR includes strict 72-hour notification requirements to the supervisory authority and, when a data breach is likely to cause a high risk to the rights and freedoms of natural persons, an additional notification to the data subjects. It’s critical for organizations to have a systematic process in place to meet these requirements.
 

GDPR Articles:

  • Article 33: Notification of a Personal Data Breach to the Supervisory Authority
  • Article 34: Communication of Personal Data Breach to the Data Subject

 

Step 9: Review cross border data transfer mechanisms

The GDPR requires the same level of protection for personal data transferred outside of the EEA. This requires organizations to review and ensure that they have appropriate mechanisms in place for cross border data transfer.

The first thing to consider when transferring personal data to a third country is if there is an ‘adequacy decision’. An adequacy decision means that the European Commission has decided that a third country or an international organization ensures an adequate level of data protection. However, this decision is subject to review by the Commission and can be reverted (e.g., EU-US Privacy Shield). Another example is the European Commission granting the UK two adequacy decisions following Brexit.

In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided ‘appropriate safeguards.’ The most commonly used safeguard is the ‘Standard Contractual Clauses’ (SCCs), which set obligations on the data exporter and the data importer and provide rights for the data subjects.

Data transfer is still possible if there is no adequacy decision or appropriate safeguards. In this scenario, organizations can rely on a derogation, such as explicit consent from the data subject or the transfer is necessary for the performance of a contract. However, this is not recommended, since without appropriate safeguards, there are more risks of a data breach.

 

GDPR Articles:

  • Article 44: General Principle for Transfers
  • Article 45: Transfers on the Basis of an Adequacy Decision
  • Article 46: Transfers Subject to Appropriate Safeguards
  • Article 47: Binding Corporate Rules
  • Article 49: Derogations for Specific Situation

 

Step 10: Implement GDPR compliance training

The GDPR requires a data protection officer to monitor an organization’s compliance with the GDPR, which includes raising awareness and training staff. Organizations should provide their staff with initial and refresher trainings. There should also be a mechanism in place to keep records of the trainings for showing compliance.
 

GDPR Articles:

  • Article 39: Tasks of the Data Protection Officer
  • Article 47: Binding Corporate Rules

 

     

    Step 11:  Appoint a Data Protection Officer (DPO)

    The GDPR requires an organization to appoint a data protection officer (DPO) if it is a public authority or body, or if the organization’s core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.

    The DPO is responsible for ensuring GDPR compliance. They assist the organization to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the data protection authorities.
     

    GDPR Articles:

    • Article 37: Designation of the Data Protection Officer
    • Article 38: Position of the Data Protection Officer
    • Article 39: Tasks of the Data Protection Officer

     

    How OneTrust helps with GDPR compliance

    OneTrust Privacy Automation gives you the tools you need to build a holistic GDPR compliance program. With OneTrust’s Privacy Automation solution you can:

    • Operationalize GDPR specific privacy impact assessments (PIAs), data protection impact assessments (DPIAs), privacy by design (PbD), and other internal privacy and security assessments.
    • Maintain an evergreen map of data flows, cross-border transfers, complete records of processing, and leverage pre-defined Article 30 templates.  
    • Operationalize your incident response plan, manage the incident lifecycle, and get automated breach notification guidance across hundreds of breach notification laws. 
    • Manage the full privacy rights (DSAR) request workflow from intake to fulfilment with pre-built workflows and guidance for GDPR and other privacy regulations with privacy rights requirements. 
    • Scan your websites to identify cookies and trackers and generate geo-specific cookie banners, preference centers, and cookie policies. 
    • Collect, centralize, and sync user consent data across channels, platforms, and systems.

    Request a demo to learn more about how OneTrust Privacy Automation can help you build a GDPR compliance program.


    You may also like

    eBook

    Privacy Management

    Maturing your GDPR compliance program

    This comprehensive eBook explores the key elements of a GDPR compliance program.

    September 11, 2024

    Learn more

    eBook

    Privacy Management

    Understanding data transfers under the GDPR ebook

    In the ebook, we delve into the fallout from Schrems II and explore how organizations based in Europe can best navigate international data transfers under the GDPR.

    June 05, 2024

    Learn more

    Webinar

    Privacy Management

    Preparing for a new regulation: Lesson learned from the GDPR businesses can apply to the EU AI act?

    Join our panel of experts as we celebrate GDPR Anniversary and take a closer look at the relationship between the GDPR and AI Act.

    May 23, 2024

    Learn more

    Webinar

    Privacy Management

    Navigating data privacy in 2024: Global regulatory updates & compliance strategies

    Join our webinar for a comprehensive overview of the latest global data privacy regulations and updates impacting businesses in 2024 and how to prepare.

    March 20, 2024

    Learn more

    Infographic

    Privacy Management

    OneTrust announces partnership with Europrivacy

    Learn how OneTrust and Europrivacy's partnership can help your organization achieve GDPR compliance and build trust with your customers.

    December 06, 2023

    Learn more

    Webinar

    Technology Risk & Compliance

    Demonstrating GDPR compliance with Europrivacy criteria: The European Data Protection Seal

    Join our webinar to learn more about the European Data Protection Seal and to find out what the key advantages of getting certified.

    November 30, 2023

    Learn more

    Webinar

    Privacy Management

    Revisiting the ICO Data Protection Practitioner's Conference: Addressing your top challenges

    Join OneTrust and KPMG UK to discuss the challenges of employee SARs, managing your breach response with third parties, and incident management.

    October 25, 2023

    Learn more

    Infographic

    Privacy & Data Governance

    Understanding the EU Data Boundary

    Download our free infographic and get the information you need to understand the EU Data Boundary and how to properly handle data in the European Union.

    September 22, 2023

    Learn more

    Webinar

    Privacy Management

    Privacy in practice: PIA & DPIA with PA Consulting

    Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.

    September 21, 2023

    Learn more

    Webinar

    Privacy & Data Governance

    Privacy in practice for data mapping: With PA Consulting and Syngenta

    Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.

    September 14, 2023

    Learn more

    Webinar

    Governance & Policy Management

    EU-US DPF: What next for UK businesses?

    Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.

    September 06, 2023

    Learn more

    Webinar

    Privacy Management

    Unpacking the EU-US DPF

    In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

    June 28, 2023

    Learn more

    Infographic

    Privacy & Data Governance

    The 3 priorities of the French DPO: Gain visibility, take action, automate

    Download our infographic and learn about the 3 priorities of the French DPO.

    May 30, 2023

    Learn more

    Webinar

    Privacy Management

    GDPR turns 5: Celebrating data protection

    Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

    May 25, 2023

    Learn more

    Webinar

    Privacy Management

    Global Panel — GDPR & Tech: Key considerations of Privacy by Design and AI in tech

    Join our panel of experts as we discuss the impact GDPR had on the tech industry during the past five years, the importance of privacy by design, and what to expect with AI and regulation.

    May 25, 2023

    Learn more

    Webinar

    Privacy Management

    5 years of GDPR: Milestones, challenges, and opportunities

    Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.

    May 24, 2023

    Learn more

    Webinar

    Privacy & Data Governance

    Global Panel — GDPR & Healthcare: current regulatory guidance and enforcement

    In this live webinar, our expert panel examines the first five years of the GDPR, how it changed the healthcare industry, and the changing global regulatory landscape.

    May 24, 2023

    Learn more

    Webinar

    Privacy Management

    Global Panel — GDPR & Retail: building customer loyalty and trust with consent and privacy

    Join us for a live panel as we discuss GDPR's impact on the retail and eCommerce industry and how companies evolved to meet the global regulatory landscape.

    May 23, 2023

    Learn more

    eBook

    Privacy Management

    Getting started with GDPR compliance

    This eBook covers the fundamental information you need to know in order to get your GDPR compliance program started and how OneTrust helps. 

    May 23, 2023

    Learn more

    Infographic

    Privacy Management

    Comparing the FADP, Revised FADP, and the GDPR

    Download our infographic to see how the Revised FADP compares with its original version and the GDPR.

    May 23, 2023

    Learn more

    Webinar

    Privacy Management

    Global Panel — GDPR & Finance: Staying ahead of the regulatory and cyber landscape

    How has the GDPR affected the financial industry? Join our live panel as we examine how it companies evolved to meet the regulatory challenges and what can be done to stay ahead of the curve.

    May 22, 2023

    Learn more

    Webinar

    Privacy Automation

    OneTrust and Deloitte UK - Data transfers: Assessments & safeguards

    OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.

    April 04, 2023 1 min read

    Learn more

    eBook

    Privacy Management

    The 3 Priorities for DPOs in France: Gain Visibility, Take Action, Automate eBook | Resources | OneTrust

    French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.

    February 21, 2023

    Learn more

    Webinar

    Privacy & Data Governance

    Data Protection in Financial Services Week: Government keynote and international transfers

    This session will examine some key issues and recent developments on international data transfers with contributions from key EU, UK, and US regulators.

    February 07, 2023

    Learn more

    Webinar

    Consent & Preferences

    Belgian DPA approves TCF action plan: Where we go from here

    Belgian DPA approves IAB Europe’s action plan to correct its Transparency & Consent Framework (TCF) violations of the GDPR.

    January 12, 2023

    Learn more

    Webinar

    Privacy & Data Governance

    Keeping pace with the changing regulatory landscape: UK And EU updates webinar

    Learn more about the privacy updates for the UK and the EU, what to expect in the coming year, and how to manage regulatory change.

    August 15, 2022

    Learn more

    Webinar

    Ethics & Compliance

    GDPR and the EU Whistleblower Protection Directive webinar

    Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.

    July 06, 2022

    Learn more

    Webinar

    Privacy & Data Governance

    4 years of GDPR

    Watch our webinar on the last 4 years of GDPR compliance and trends for the future.

    May 05, 2022

    Learn more

    Webinar

    Privacy Management

    Privacy rights poland: Enhance Your DSAR process with automation, discovery & redaction

    As part of our Privacy Automation webinar series, we discuss why it's important to automate DSAR fulfillment and the latest regulatory trends. 

    April 03, 2022

    Learn more

    Webinar

    Privacy & Data Governance

    Know your laws: Comparing CCPA & CPRA vs. GDPR

    Watch this free webinar and see how the CCPA and CPRA compare with the GDPR.

    January 04, 2022

    Learn more

    Checklist

    Privacy & Data Governance

    Transfer Impact Assessment (TIA) checklist

    This Transfer Impact Assessment checklist provides an overview of the key steps you can take as you perform a TIA.

    December 01, 2021

    Learn more

    Infographic

    GDPR's 8 fundamental data subject rights

    Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law. 

    August 27, 2021

    Learn more

    eBook

    Privacy & Data Governance

    The ultimate guide to GDPR compliance

    Download this eBook to get an ultimate guide to understanding the GDPR and implementing steps towards compliance.

    August 26, 2021

    Learn more

    eBook

    Privacy & Data Governance

    10 steps to meeting the GDPR Article 30 requirement

    Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program. 

    July 22, 2021

    Learn more

    White Paper

    Privacy Automation

    Mastering PIAs & DPIAs: A complete handbook for privacy experts

    Unlock the full potential of your privacy program with our complete handbook designed to equip privacy professionals with the essential tools and knowledge for establishing robust PIA and DPIA processes.

    July 22, 2021

    Learn more

    Checklist

    Privacy & Data Governance

    GDPR compliance checklist

    Download our GDPR compliance checklist for recommendations on improving your organization's privacy program. 

    June 11, 2021

    Learn more