Operational privacy register with data flows and third-party tracking
The Data Protection module connects processing activities, data inventories, data flows, and third-party privacy attributes in one operational register, so DPOs, legal teams, and auditors work from the same source of truth instead of disconnected spreadsheets. Multi-framework support covers GDPR and Swiss FADP out of the box, with framework-specific fields displayed conditionally. Migrating from OneTrust? A structured import path brings your existing ROPA, assets, and third-party data across.
Interactive demo
Capabilities
Create and manage processing activities through a guided 7-step wizard covering purpose, legal basis, data subjects, data categories, retention, and transfers. Each activity follows a four-state workflow: Draft, In Review, Approved, Needs Update, with full audit logging. Link activities to assets, third parties, and controls so every dependency is traceable. Multi-framework support means GDPR and Swiss FADP fields coexist on the same record, with framework-specific attributes shown conditionally.
Extend your asset inventory with privacy-specific attributes: data classification, personal data categories, data elements, and hosting relationships. A personal data grid shows which elements each asset processes, and linking assets to processing activities creates a bidirectional traceability chain from business purpose to technical system.
See how personal data moves across your organisation in an interactive diagram. Custom nodes represent processing activities, assets, and third parties; automatic graph layout arranges the diagram; and clicking any node navigates to its detail view. The visual makes it practical to explain data flows to regulators, auditors, and business stakeholders without drawing slides from scratch.
Track privacy-relevant attributes on every third party: DPA execution status, processing role (controller, processor, joint controller), data transfer countries, and applicable transfer safeguards. Third parties link back to the processing activities they support, so when a DPA expires or a transfer mechanism changes, affected activities surface immediately.
A purpose-built dashboard gives DPOs and compliance leads a live overview: processing activity status distribution (donut chart), data inventory coverage, third-party DPA status, and framework assignment completeness. Four compact KPI cards highlight what needs attention without opening individual records.
A structured 11-step import process brings your existing OneTrust data into Acuna: processing activities, assets, third parties, personal data mappings, and framework assignments. Dry-run mode validates the import before committing, and a post-import checklist confirms data integrity. The migration path is designed to eliminate the need for parallel systems during transition.
FAQ
The module ships with GDPR and Swiss FADP pre-configured. Each processing activity can be assigned to one or both frameworks, and framework-specific fields appear conditionally. Additional frameworks like UK-GDPR and LGPD can be added through compliance programme configuration.
Processing activities connect to primary assets (where data is collected), supporting assets (where data is stored or processed), and third parties (where data is sent). These relationships form a traceability chain: purpose, collection, storage, transfer. Each link is visible in both the activity detail view and the data flow diagram.
The data flow diagram renders processing activities, assets, and third parties as interactive nodes with directional edges showing data movement. Layout is automatic. You can click any node to navigate to its detail record. The diagram is useful for Article 30 documentation, regulator conversations, and internal data mapping exercises.
Yes. The OneTrust import follows an 11-step process covering lookups, assets, third parties, processing activities, personal data mappings, and framework assignments. A dry-run mode validates everything before committing. The import has been validated against production OneTrust exports with over 1,800 personal data rows.
Each third party carries privacy attributes: DPA status (not started, in progress, signed, expired), processing role, data transfer countries, and transfer safeguards. These attributes appear on the third-party detail view and link back to every processing activity the third party participates in.
Phase 2 will add Data Subject Access Requests (DSARs) with workflow and SLA tracking, Data Protection Impact Assessments (DPIAs) linked to processing activities, breach notification workflows with regulatory deadline tracking, consent management with purpose registers, and safeguard-to-control traceability for third parties.
Related answers
A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes systematic profiling with legal effects, large-scale processing of special categories of data, and systematic monitoring of public areas. A DPIA must describe the processing, assess necessity and proportionality, identify risks, and define mitigating measures. If residual risk remains high after mitigation, the controller must consult the supervisory authority under Article 36. DPIA workflows are on the Acuna Data Protection module roadmap; currently, processing activities can be documented and linked to controls and assets to support DPIA preparation.
The Data Protection module provides an operational privacy register built around processing activities (Article 30 ROPA). A 7-step wizard guides creation through purpose, legal basis, data subjects, data categories, retention, and transfers, with a four-state workflow (Draft → In Review → Approved → Needs Update). Activities link to assets via a data inventory with personal data grids, to third parties with DPA status and transfer country tracking, and to frameworks (GDPR and Swiss FADP pre-configured). An interactive data flow diagram visualizes how personal data moves across the organisation. A privacy dashboard surfaces PA status distribution, data inventory coverage, DPA completeness, and framework assignments. The module also supports structured migration from OneTrust.
OneTrust positions itself as a privacy-led enterprise platform, strongest for organizations where privacy (GDPR, CCPA) sits at the center of the GRC program. The best OneTrust alternatives for broader GRC depth are platforms that integrate privacy, security, quality, and audit programs in one operating rhythm rather than parallel silos. Acuna is built for compliance leaders running multi-framework programs where privacy is one obligation among many (ISO 27001, SOC 2, NIS2, ISO 9001, GDPR). Pricing is organization-based, not per-seat, and the architecture supports quality, privacy, and security in shared evidence.
Get access and our team will walk you through Data Protection and the full Acuna platform.
Get Access