GDPR-Specific Requirements
GDPR compliance goes beyond implementing security controls. It requires ongoing operational processes that demonstrate your organization's commitment to data protection:
- ROPA (Records of Processing Activities, Article 30) — Maintain a register of every data processing activity, including purposes, legal bases, data categories, and retention periods.
- DPIA (Data Protection Impact Assessments, Article 35) — Evaluate the privacy risks of high-risk processing activities before they begin.
- DSR (Data Subject Requests, Articles 12-22) — Track and respond to data subject rights requests (access, deletion, rectification, portability) within the required timeframes.
How the GDPR Module Fits In
The GDPR module works alongside LowerPlane's core compliance engine:
- Controls: 99 GDPR-specific controls covering Articles 5 through 49, mapped to overlapping ISO 27001, SOC 2, HIPAA, and PCI-DSS controls where applicable.
- Evidence: ROPA records, DPIA reports, and DSR response logs serve as evidence for GDPR controls.
- Tests: Automated and manual tests verify that GDPR-specific processes are operational and timely.
- Policies: GDPR-related policies (Privacy Policy, Data Retention Policy, Data Breach Response Policy) are managed in the Policy Center and linked to GDPR controls.
GDPR Control Coverage
LowerPlane maps GDPR requirements across several categories:

| Category | Article Reference | Controls |
|---|---|---|
| Lawfulness & Transparency | Articles 5-6 | Legal basis documentation, consent management |
| Data Subject Rights | Articles 12-22 | Access, rectification, erasure, portability, objection |
| Data Protection by Design | Article 25 | Privacy by design, data minimization |
| Security of Processing | Article 32 | Encryption, access controls, incident response |
| Breach Notification | Articles 33-34 | 72-hour notification to the supervisory authority, notification of affected data subjects when the breach poses a high risk, breach documentation |
| Data Protection Officer | Articles 37-39 | DPO appointment, independence, responsibilities |
| International Transfers | Articles 44-49 | Transfer mechanisms, adequacy decisions, SCCs |
| Records of Processing | Article 30 | ROPA maintenance and documentation |
| Impact Assessments | Article 35 | DPIA for high-risk processing |
Overlap with Other Frameworks
Many GDPR controls overlap with other frameworks in LowerPlane. This means work done for one framework automatically contributes to GDPR compliance. The ISO 27001 identifiers below follow the ISO/IEC 27001:2013 Annex A numbering (for example, A.10.1 is the 2013 cryptographic-controls objective; the 2022 revision renumbers it):

| GDPR Requirement | Overlapping Controls |
|---|---|
| Encryption at rest and in transit | ISO 27001 A.10.1, SOC 2 CC6.7, PCI-DSS Req 3-4 |
| Access controls | ISO 27001 A.9, SOC 2 CC6.1-CC6.3, HIPAA 164.312 |
| Incident response | ISO 27001 A.16, SOC 2 CC7.3-CC7.5, HIPAA 164.308 |
| Risk assessment | ISO 27001 A.6, SOC 2 CC3.1-CC3.4, HIPAA 164.308(a)(1) |
| Personnel security | ISO 27001 A.7, SOC 2 CC1.4, HIPAA 164.308(a)(3) |
Getting Started with GDPR
Enable the GDPR framework
Go to Compliance > Frameworks and enable GDPR. This activates all 99 GDPR controls and associated tests.
Create your ROPA
Document every data processing activity in the ROPA module. Start with your most significant processing activities.
Conduct DPIAs for high-risk processing
Identify processing activities that pose high risk to data subjects and complete Data Protection Impact Assessments.
Set up DSR handling
Configure your DSR workflow so your team can track and respond to data subject requests within the 30-day deadline. (The 30-day default tracks GDPR Article 12(3), which requires a response without undue delay and within one month of receipt; that period can be extended by two further months for complex or numerous requests, provided the data subject is told about the extension within the first month.)
Key GDPR Metrics
The GDPR section of the compliance dashboard tracks:
- ROPA completeness — Percentage of processing activities documented
- DPIA coverage — Number of high-risk activities with completed assessments
- DSR response time — Average days to respond to data subject requests
- Open DSRs — Count of pending requests with deadline tracking
- GDPR control pass rate — Percentage of GDPR controls with passing tests
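The DSR metrics above depend on computing each request's statutory deadline correctly. The following is an added example (not LowerPlane's code, and not how the dashboard itself is implemented) showing how the deadline, overdue and average-response-time figures can be derived from a set of request records. The `DSR` record shape, the field names, and the sample requests are assumptions constructed for the example; the deadline logic follows Article 12(3): one calendar month from receipt, or three months when the extension has been invoked.

```python
"""DSR deadline tracking and dashboard-style metrics over constructed records.

Added example, not LowerPlane's code. The DSR record layout below is an
assumption; only the deadline rule (GDPR Art. 12(3)) comes from the regulation.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from statistics import mean


def add_months(d: date, months: int) -> date:
    """Shift d by whole calendar months, clamping to the last day of the target
    month (31 Jan + 1 month -> 29 Feb in a leap year). A statutory "one month"
    period is counted in calendar months, not as a fixed 30 days."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


@dataclass
class DSR:
    request_id: str          # hypothetical identifier format
    kind: str                # access, erasure, rectification, portability, objection
    received: date
    completed: date | None = None
    extended: bool = False   # Art. 12(3) extension invoked (data subject notified within month one)

    def deadline(self) -> date:
        # One month from receipt, or three months if the two-month extension applies.
        return add_months(self.received, 3 if self.extended else 1)

    def is_open(self) -> bool:
        return self.completed is None

    def is_overdue(self, today: date) -> bool:
        return self.is_open() and today > self.deadline()

    def response_days(self) -> int | None:
        return None if self.completed is None else (self.completed - self.received).days


def dsr_metrics(requests: list[DSR], today: date) -> dict:
    """Compute the open/overdue counts and average response time for a set of DSRs."""
    closed = [r for r in requests if not r.is_open()]
    open_requests = [r for r in requests if r.is_open()]
    return {
        "open": len(open_requests),
        "overdue": sum(1 for r in open_requests if r.is_overdue(today)),
        "due_within_7_days": sum(1 for r in open_requests if 0 <= (r.deadline() - today).days <= 7),
        "avg_response_days": round(mean(r.response_days() for r in closed), 1) if closed else None,
        "late_responses": sum(1 for r in closed if r.completed > r.deadline()),
    }


# Constructed sample data for the example; these are not real requests.
SAMPLE = [
    DSR("DSR-001", "access", date(2024, 1, 31), completed=date(2024, 2, 20)),  # deadline 29 Feb (clamped)
    DSR("DSR-002", "erasure", date(2024, 1, 15), completed=date(2024, 3, 1)),  # deadline 15 Feb: late
    DSR("DSR-003", "portability", date(2024, 2, 10), extended=True),          # deadline 10 May
    DSR("DSR-004", "access", date(2024, 2, 1)),                               # deadline 1 Mar
]
SAMPLE_TODAY = date(2024, 3, 5)


def sample_metrics() -> dict:
    """Metrics for the constructed sample as of SAMPLE_TODAY."""
    return dsr_metrics(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    for r in SAMPLE:
        print(r.request_id, r.kind, "deadline", r.deadline(), "overdue" if r.is_overdue(SAMPLE_TODAY) else "")
    print(sample_metrics())
```

The month-end clamp in `add_months` is the detail most home-grown trackers get wrong: a request received on 31 January is due by the end of February, not on a non-existent 31 February and not on 2 March. Counting "one month" as a flat 30 days is acceptable as a conservative internal target, but the statutory period is measured in calendar months.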