All framework guides
GDPR Hub
GDPR Compliance Hub
Privacy compliance for EU personal data
Overview
The General Data Protection Regulation (GDPR) governs how organizations collect, process, store, and transfer personal data of individuals in the European Union. It emphasizes lawful basis, data subject rights, privacy by design, and accountability.
Who needs it?
Any organization offering goods or services to EU residents, monitoring their behaviour, or processing EU personal data — regardless of where the company is headquartered.
Key topics
- Lawful basis for processing
- Data subject rights (access, erasure, portability)
- Data Protection Impact Assessments (DPIA)
- Processor agreements and cross-border transfers
- Breach notification (72-hour rule)
- Records of processing activities (RoPA)
Typical timeline
GDPR is not a certifiable standard but requires ongoing compliance. Supervisory authority investigations can happen at any time; DPIAs and RoPA should be maintained continuously.
How ComplAI helps
- GDPR-mapped controls and privacy policy templates
- Vendor assessment workflows for processor due diligence
- Evidence and documentation tracking for accountability
- Cross-mapping with ISO 27701 and ISO 27001 controls
