EU GDPR Compliance

A practical program blueprint: owners, workflows, evidence, cadence.

Focus: build repeatable DSAR, breach, DPIA, vendor, and transfer controls.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Overview

GDPR compliance is a live operating system for personal-data processing. The most resilient programs share a single evidence spine across scope, lawful basis, DSARs, breaches, DPIAs, vendors, RoPAs, and transfers, and they review changes through a repeatable cadence rather than a one-time remediation project. That is what keeps the program coherent when products, vendors, and regulatory expectations evolve.

Section 1

Program structure: 5 workstreams that must be connected

GDPR becomes manageable when responsibilities are explicit and artifacts are shared across teams.

Most compliance failures are interface bugs between these workstreams.

  • Inventory & scope: applicability memo, role mapping, processing inventory, RoPA fields and owners.
  • Legal model: lawful basis map, transparency record, consent model (where used), retention rules.
  • Operational workflows: DSAR intake/search/response, breach response, DPIA screening and review.
  • Vendors & transfers: Article 28 contracts, sub-processor governance, transfer map, SCC/TIA packs.
  • Assurance & evidence: validation checks, logs, versioning, and exportable evidence index.

Section 2

Delivery pipeline: how to turn requirements into shipped controls

Treat GDPR like product delivery: requirements -> acceptance criteria -> implementation -> tests -> evidence export.

This approach prevents policy drift and makes audits faster.

  • Define acceptance criteria for each workflow (DSAR, breach, DPIA, transfers).
  • Build automation where possible: DSAR tracking, breach evidence capture, transfer mapping.
  • Version key artifacts: notices, consent wording, DPIA templates, SCC packs, vendor DPAs.

Section 3

Operating cadence (minimum rhythm that works)

A governance rhythm prevents surprises and keeps evidence fresh.

Use cadence to enforce consistency across business units and vendors.

  • Weekly: DSAR queue review and escalations; active incident tracking.
  • Monthly: vendor and transfer changes review (new vendors, sub-processors, new destinations).
  • Quarterly: DPIA review and high-risk processing inventory refresh; notice and consent version audit.
  • Semi-annual: tabletop exercises (DSAR and breach) + evidence export drills (time-to-export SLA).

Section 4

Evidence index (what audit-ready means in practice)

Audit readiness is the ability to export coherent evidence quickly. Build an evidence index and keep it current.

Aim for a single index that links each requirement area to artifacts and owners.

  • Applicability memo + role mapping + processing inventory baseline.
  • Lawful basis decisions + notices + consent logs and withdrawal logs (if applicable).
  • DSAR logs + response packages + search playbooks and identity verification rules.
  • DPIA register + mitigations + residual risk approvals.
  • Breach response artifacts + awareness timestamps + notifications (if sent).
  • Vendor DPAs + sub-processor lists + security evidence + transfer packs.

Recommended next step

Turn EU GDPR Compliance into an operational assessment

Assessment Autopilot can turn the EU GDPR Compliance guidance into a tracked program and a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
