EU Regulation 2016/679 — General Data Protection Regulation. OneComply helps teams manage privacy evidence, breach workflows, DSR tracking, and mapped controls alongside DORA operational-resilience work.
The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection framework that governs how organisations collect, process, store, and transfer personal data of individuals in the European Union.
GDPR applies to any organisation worldwide that processes personal data of EU residents, regardless of where the organisation is based. It grants data subjects extensive rights including access, erasure, portability, and the right to object to processing.
Non-compliance can result in fines of up to €20 million or 4% of annual global turnover — whichever is higher — making it one of the most heavily enforced regulations globally.
43 Controls | 99 Articles | 9 Data Subject Rights
Example improvements when privacy evidence, DSRs, breach workflows, and mapped controls are managed in one workspace. Actual timelines depend on customer data quality and review process.
| Workflow | Manual Process | With OneComply | Time Saved |
|---|---|---|---|
| Data Processing Inventory (ROPA) | 2–4 weeks (spreadsheets + interviews) | 30 minutes (guided wizard + templates) | 96% |
| Consent Audit Trail | 1–2 weeks per audit | Instant (automated tracking) | 100% |
| Data Subject Request Handling | 5–10 days per request | 15 minutes (automated workflow) | 97% |
| Privacy Policy Drafting | 1–2 weeks (legal drafting) | Template-based draft for review | Faster first draft |
| Breach Notification | 8–24 hours (manual reporting) | 15 minutes (auto-generated report) | 95% |
| Consent Management Audit | 2–3 days per audit | Instant (automated tracking) | 100% |
| Cross-Border Transfer Assessment | 1–2 weeks (legal analysis) | 10 minutes (automated TIA) | 95% |
| Vendor DPA Review | 3–5 days per agreement | Assisted clause gap check | Faster review |
GDPR privacy and security evidence coverage with 43 mapped controls, ROPA/DSR/DPIA workflows, breach evidence tracking, and explicit legal-review boundaries.
Mapped controls per area: 10, 9, 8, 6, 7, and 8.
GDPR has a two-tier penalty system. Understanding which tier applies helps prioritize compliance efforts.
Tier 1 — Higher Penalties: €20M / 4% of annual global turnover (whichever is greater). Applies to violations of: data processing principles (Art. 5), lawful basis (Art. 6), consent conditions (Art. 7), data subject rights (Art. 12–22), and international transfers (Art. 44–49).
Tier 2 — Standard Penalties: €10M / 2% of annual global turnover (whichever is greater). Applies to violations of: controller/processor obligations (Art. 25–39), certification body obligations (Art. 42–43), and monitoring body obligations (Art. 41).
Link GDPR privacy/security evidence to controls, vendors, incidents, and the audit trail without overstating legal compliance.