General Data Protection Regulation (GDPR)
The EU's comprehensive data protection law — applying to any organisation processing EU residents' personal data. Core modules are available on the Community plan (free).
The EU data protection law every business must follow
The General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — is the EU's primary data protection law, in force since 25 May 2018. It applies to any organisation, anywhere in the world, that processes the personal data of EU or EEA residents.
"Personal data" means any information relating to an identified or identifiable natural person — names, email addresses, IP addresses, location data, device identifiers, and much more. If your product has European users, GDPR applies to you.
GDPR gives individuals rights over their data and imposes structured obligations on the organisations that collect and use it. Violations can result in fines of up to €20M or 4% of global annual turnover — whichever is higher.
The GDPR articles that drive your compliance programme
GDPR has 99 articles. These are the ones that require active compliance work from every data controller.
Data processing principles (Art. 5)
Personal data must be processed lawfully, fairly, and transparently, and collected only for specified, explicit, and legitimate purposes. The remaining principles are data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Lawful basis for processing (Art. 6)
Every processing activity must have a lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The basis chosen must be documented in your RoPA.
Transparency & privacy notices (Art. 13–14)
Data subjects must be informed at collection time of the identity of the controller, the purposes and legal basis of the processing, retention periods, their rights, and whether the data is shared with third parties.
Right to erasure (Art. 17)
Data subjects can request deletion of their personal data. Controllers must respond within 30 days and cascade deletion requests to the processors that hold copies of the data.
Privacy by design & default (Art. 25)
Technical and organisational measures for data protection must be built in from the start of any system or process design, not added afterwards.
Data Processing Agreements (Art. 28)
Every controller–processor relationship requires a written DPA specifying the processing scope, security measures, sub-processor rules, and breach notification obligations.
Record of Processing Activities (Art. 30)
Controllers (generally those with more than 250 employees, or any controller processing sensitive data or carrying out high-risk processing) must maintain a written RoPA documenting every processing activity, its legal basis, and its data flows.
Security of processing (Art. 32)
Appropriate technical and organisational measures must protect personal data against unauthorised access, accidental loss, destruction, or damage. A risk-based approach is required: the measures must be proportionate to the likelihood and severity of harm to data subjects.
Breach notification (Art. 33–34)
Personal data breaches must be reported to the supervisory authority within 72 hours of the controller becoming aware of them. Breaches likely to result in a high risk to individuals must also be communicated directly to the affected data subjects.
Data Protection Impact Assessment (Art. 35)
DPIAs are mandatory for high-risk processing such as systematic profiling, large-scale processing of sensitive data, and systematic monitoring. The DPIA must be completed before the processing begins.
Data Protection Officer (Art. 37–39)
A DPO is mandatory for public bodies, for large-scale systematic monitoring, and for large-scale processing of special categories of data. The DPO must be independent and report to senior management.
International data transfers (Chapter V, Art. 44–49)
Transfers outside the EU/EEA require a valid mechanism: an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or one of the derogations. Since the Schrems II ruling, a Transfer Impact Assessment (TIA) is required when relying on SCCs.
The 6 lawful bases for processing personal data
Every processing activity in your RoPA must be linked to one of these six lawful bases. Choosing the right one matters, because it determines which rights data subjects can exercise: for example, the right to data portability applies only to processing based on consent or contract, and the right to object applies to processing based on legitimate interests or public task.
| Lawful basis | When it applies | Common use cases |
|---|---|---|
| Consent | Freely given, specific, informed, and unambiguous agreement. Must be as easy to withdraw as to give. | Marketing, optional analytics |
| Contract | Processing necessary for a contract with the data subject, or to take pre-contractual steps at their request. | Customer accounts, service delivery |
| Legal obligation | Processing required to comply with EU or member state law. | Tax records, AML compliance |
| Vital interests | Necessary to protect someone's life. Rarely applicable for commercial processing. | Emergency healthcare |
| Public task | Processing necessary for a task in the public interest or official authority. | Government agencies |
| Legitimate interests | Necessary for the controller's legitimate interests, balanced against the data subject's rights. Requires a Legitimate Interests Assessment (LIA). | Fraud prevention, direct marketing to existing customers |
GDPR fine tiers — what's at stake
Tier 1 (up to €10M or 2% of global annual turnover, whichever is higher; Art. 83(4))
Failure to maintain a RoPA, inadequate security measures, non-cooperation with the supervisory authority, or failure to notify a breach within 72 hours.
Tier 2 (up to €20M or 4% of global annual turnover, whichever is higher; Art. 83(5))
Violation of the data processing principles (Art. 5), unlawful processing (Art. 6), violating data subject rights, or international transfers without a lawful mechanism.
How Unicis covers GDPR compliance
Unicis provides a complete open-source GDPR toolkit: RoPA, TIA, DPIA, data subject rights, and security awareness training. The core modules are on the free Community plan.
Who does GDPR apply to?
GDPR applies to any organisation, regardless of location, that processes the personal data of EU/EEA residents. This includes SaaS companies with European customers, US companies with EU offices, and any online business accessible to EU users.
Start your GDPR compliance programme with Unicis
RoPA (Article 30), TIA (Chapter 5), and security controls are included in the free Community plan. No credit card required. Open-source and self-hostable.
- Record of Processing Activities
- Transfer Impact Assessment
- Privacy Impact Assessment
- Cybersecurity Controls
- Cybersecurity Risk Management
- Interactive Awareness Program