
GDPR

General Data Protection Regulation (EU) 2016/679

GDPR is the EU regulation on personal data protection and privacy. It applies to any organization processing personal data of EU residents, regardless of where the organization is based.

Key requirements

What GDPR requires.

  • Lawful basis for processing personal data
  • Data subject rights management
  • Records of processing activities (RoPA)
  • Data Protection Impact Assessments (DPIA)
  • Breach notification within 72 hours

How Acuna helps

GDPR across all four panes.

Comply

Map GDPR articles to processing activities and define your compliance scope.

Implement

Maintain the RoPA, document lawful bases, implement privacy-by-design controls.

Operate

Manage DPIAs, track data subject requests, monitor third-party processors.

Assure

Evidence accountability obligations, manage breach notifications, prepare for audits by the data protection authority (DPA).

FAQ

Common questions about GDPR.

How does Acuna support GDPR accountability requirements?

Acuna's evidence traceability connects every processing activity to its documented lawful basis, DPIAs, and implemented controls, giving you a complete accountability trail for supervisory authority reviews.

Can Acuna manage Records of Processing Activities?

Yes. The RoPA is maintained in Acuna's Implement pane, linked to organizational scope, asset registers, and third-party processor records.

How does Acuna handle GDPR data breach management?

Incidents are managed in the Assure pane with breach classification workflows. The 72-hour notification deadline is tracked from the moment an incident is logged.

Does Acuna support GDPR alongside ISO 27701?

Yes. ISO 27701 extends ISO 27001 for privacy. Acuna maps GDPR requirements to ISO 27701 controls, eliminating duplicated work between your privacy and security programs.

How does Acuna manage third-party data processors under GDPR?

Supplier Shield inside Acuna manages processor onboarding, data processing agreement (DPA) verification, and ongoing monitoring, meeting Article 28 obligations for third-party processor management.

Related answers

Questions practitioners ask.

What is a DPIA under GDPR?

A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes systematic profiling with legal effects, large-scale processing of special categories of data, and systematic monitoring of public areas. A DPIA must describe the processing, assess necessity and proportionality, identify risks, and define mitigating measures. If residual risk remains high after mitigation, the controller must consult the supervisory authority under Article 36. DPIA workflows are on the Acuna Data Protection module roadmap; currently, processing activities can be documented and linked to controls and assets to support DPIA preparation.

How does the Data Protection module work in Acuna?

The Data Protection module provides an operational privacy register built around processing activities (the Article 30 RoPA). A 7-step wizard guides creation through purpose, legal basis, data subjects, data categories, retention, and transfers, with a four-state workflow (Draft → In Review → Approved → Needs Update). Activities link to assets via a data inventory with personal data grids, to third parties with data processing agreement (DPA) status and transfer country tracking, and to frameworks (GDPR and Swiss FADP pre-configured). An interactive data flow diagram visualizes how personal data moves across the organization. A privacy dashboard surfaces processing activity (PA) status distribution, data inventory coverage, DPA completeness, and framework assignments. The module also supports structured migration from OneTrust.

See how Acuna handles GDPR.

Get access and our team will walk you through the GDPR implementation in Acuna.
