---
title: "EU GDPR Compliance Guide"
canonical_url: "https://www.sorena.io/artifacts/eu/gdpr/compliance"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/compliance"
author: "Sorena AI"
description: "An execution-oriented GDPR compliance guide for Regulation (EU) 2016/679: program setup, governance, control design, evidence exports."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "GDPR compliance guide"
  - "GDPR compliance program"
  - "GDPR implementation guide"
  - "GDPR roadmap"
  - "GDPR operating model"
  - "GDPR evidence pack"
  - "GDPR compliance"
  - "operating model"
  - "DSAR"
  - "DPIA"
  - "breach response"
  - "transfers"
---

# EU GDPR Compliance Guide

An execution-oriented GDPR compliance guide for Regulation (EU) 2016/679: program setup, governance, control design, evidence exports.

*Compliance Playbook* *EU*

## EU GDPR Compliance

A practical program blueprint: owners, workflows, evidence, cadence.

Focus: build repeatable DSAR, breach, DPIA, vendor, and transfer controls.

GDPR compliance is a live operating system for personal-data processing. The most resilient programs share a single evidence spine across scope, lawful basis, DSARs, breaches, DPIAs, vendors, RoPAs, and transfers, and they review changes through a repeatable cadence rather than a one-time remediation project. That is what keeps the program coherent when products, vendors, and regulatory expectations evolve.

## Program structure: 5 workstreams that must be connected

GDPR becomes manageable when responsibilities are explicit and artifacts are shared across teams.

Most compliance failures are interface bugs between these workstreams.

- Inventory & scope: applicability memo, role mapping, processing inventory, RoPA fields and owners.
- Legal model: lawful basis map, transparency record, consent model (where used), retention rules.
- Operational workflows: DSAR intake/search/response, breach response, DPIA screening and review.
- Vendors & transfers: Article 28 contracts, sub-processor governance, transfer map, SCC/TIA packs.
- Assurance & evidence: validation checks, logs, versioning, and exportable evidence index.

## Delivery pipeline: how to turn requirements into shipped controls

Treat GDPR like product delivery: requirements -> acceptance criteria -> implementation -> tests -> evidence export.

This approach prevents policy drift and makes audits faster.

- Define acceptance criteria for each workflow (DSAR, breach, DPIA, transfers).
- Build automation where possible: DSAR tracking, breach evidence capture, transfer mapping.
- Version key artifacts: notices, consent wording, DPIA templates, SCC packs, vendor DPAs.

## Operating cadence (minimum rhythm that works)

A governance rhythm prevents surprises and keeps evidence fresh.

Use cadence to enforce consistency across business units and vendors.

- Weekly: DSAR queue review and escalations; active incident tracking.
- Monthly: vendor and transfer changes review (new vendors, sub-processors, new destinations).
- Quarterly: DPIA review and high-risk processing inventory refresh; notice and consent version audit.
- Semi-annual: tabletop exercises (DSAR and breach) + evidence export drills (time-to-export SLA).

## Evidence index (what audit-ready means in practice)

Audit readiness is the ability to export coherent evidence quickly. Build an evidence index and keep it current.

Aim for a single index that links each requirement area to artifacts and owners.

- Applicability memo + role mapping + processing inventory baseline.
- Lawful basis decisions + notices + consent logs and withdrawal logs (if applicable).
- DSAR logs + response packages + search playbooks and identity verification rules.
- DPIA register + mitigations + residual risk approvals.
- Breach response artifacts + awareness timestamps + notifications (if sent).
- Vendor DPAs + sub-processor lists + security evidence + transfer packs.
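The index above is only useful if someone checks it. The following validator is an added example, not Sorena's code or tooling: it models the index as requirement areas linked to artifacts with an owner, a version, a location and a last-review date, and it flags the three failure modes that make an export incoherent (an area with nothing linked, an artifact with no owner, an artifact with no exportable location) plus staleness against the operating cadence. The area-to-cadence mapping and the sample index are constructed assumptions drawn from the cadence and evidence lists in this guide; adjust both to your program.

```python
"""Evidence-index validator (added example; assumptions are labelled)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum age in days before an artifact counts as stale, taken from the
# operating cadence (weekly / monthly / quarterly / semi-annual).
CADENCE_DAYS = {"weekly": 7, "monthly": 31, "quarterly": 92, "semi-annual": 183}

# Assumption: which cadence governs each requirement area.
AREA_CADENCE = {
    "dsar": "weekly",
    "breach": "weekly",
    "vendors_transfers": "monthly",
    "dpia": "quarterly",
    "notices_consent": "quarterly",
    "scope_inventory": "semi-annual",
}


@dataclass
class Artifact:
    name: str
    owner: str            # accountable team or person; empty means orphaned
    version: str          # versioned per the delivery pipeline
    last_reviewed: date
    location: str         # where an auditor is pointed (path or URL); empty = not exportable


@dataclass
class Finding:
    area: str
    artifact: str
    issue: str


def validate_index(index: dict[str, list[Artifact]], today: date) -> list[Finding]:
    """Return every gap that would make an evidence export incoherent."""
    findings: list[Finding] = []
    for area, cadence in AREA_CADENCE.items():
        artifacts = index.get(area, [])
        if not artifacts:
            findings.append(Finding(area, "-", "no artifact linked to requirement area"))
            continue
        max_age = timedelta(days=CADENCE_DAYS[cadence])
        for a in artifacts:
            if not a.owner:
                findings.append(Finding(area, a.name, "no owner"))
            if not a.location:
                findings.append(Finding(area, a.name, "no location; cannot export"))
            if today - a.last_reviewed > max_age:
                findings.append(Finding(area, a.name,
                                        f"stale: last reviewed {a.last_reviewed}, cadence {cadence}"))
    return findings


def export_ready(findings: list[Finding]) -> bool:
    """Audit-ready means the index exports with zero findings."""
    return not findings


# Constructed sample index; names, versions and locations are placeholders.
SAMPLE_INDEX = {
    "dsar": [Artifact("DSAR log", "Privacy Ops", "v12", date(2026, 2, 18), "grc://dsar/log")],
    "breach": [Artifact("Breach runbook", "", "v3", date(2026, 2, 20), "grc://ir/runbook")],
    "vendors_transfers": [Artifact("Transfer map", "Legal", "v5", date(2025, 12, 1), "grc://transfers/map")],
    "dpia": [Artifact("DPIA register", "DPO", "v7", date(2026, 1, 10), "")],
    "notices_consent": [Artifact("Privacy notice", "Legal", "v9", date(2026, 1, 5), "https://example.invalid/privacy")],
    # "scope_inventory" deliberately absent: nothing linked to that area
}


def run_sample() -> list[Finding]:
    """Validate the constructed index as of 2026-02-21."""
    return validate_index(SAMPLE_INDEX, date(2026, 2, 21))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.area:18} {f.artifact:16} {f.issue}")
    print("export ready:", export_ready(run_sample()))
```

Run in the semi-annual export drill: if the drill's time-to-export SLA is measured from "run the validator" to "zero findings", the findings list is itself the drill's evidence.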


## Turn EU GDPR Compliance into an operational assessment

Assessment Autopilot can take EU GDPR Compliance from guidance to a tracked program and then to a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for EU GDPR Compliance](/solutions/assessment.md): Start from EU GDPR Compliance and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through EU GDPR](/contact.md): Review your current process, evidence gaps, and next steps for EU GDPR Compliance.

## Primary sources

- [GDPR full text - Regulation (EU) 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504) - Primary source for the overall operating model.
- [ENISA Handbook on the security of personal data processing](https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing) - Useful official guidance for operational security controls.
- [Irish DPC guidance on Records of Processing under Article 30](https://www.dataprotection.ie/en/dpc-guidance/records-of-processing-article-30-guidance) - Useful accountability guidance for keeping the evidence spine current.

## Related Topic Guides

- [EU GDPR Checklist (Regulation (EU) 2016/679) | Audit-Ready Controls, Owners, Evidence, and Common Pitfalls](/artifacts/eu/general-data-protection-regulation/checklist.md): An audit-ready GDPR checklist: scope and role mapping, lawful basis and consent, transparency and notices, DSAR workflows, DPIA governance, security measures.
- [EU GDPR FAQ | Practical Answers: Scope, Consent, DSAR, DPIA, Breach (72h), Transfers/SCCs, Vendor Contracts](/artifacts/eu/general-data-protection-regulation/faq.md): Frequently asked GDPR questions answered with practical implementation guidance: does GDPR apply (Article 3), what counts as personal data.
- [EU GDPR Requirements (Regulation (EU) 2016/679) | Obligations Map: Scope, Rights, Security, DPIA, Vendors, Transfers + Evidence Index](/artifacts/eu/general-data-protection-regulation/requirements.md): A practical GDPR requirements breakdown: scope (Articles 2-3), principles (Article 5), lawful basis (Article 6-7), transparency (Articles 12-14).
- [GDPR Applicability Test (Article 2-3) | Territorial Scope, Establishment vs Targeting, Roles, and Edge Cases](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting.
- [GDPR Breach Notification (72 Hours) | Article 33-34 Workflow, Awareness Timestamp, Risk Test, and Evidence Pack](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): An execution-ready guide to GDPR breach notification built on Articles 33 and 34, the EDPB breach-notification guidelines.
- [GDPR Data Subject Rights + DSAR Workflow | Articles 12-22 Playbook: Intake, Identity, Search, Response, Exceptions, Evidence](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): A practical DSAR (data subject access request) playbook for GDPR Articles 12-22: build intake and identity verification, define system search scope.
- [GDPR Deadlines and Compliance Calendar | DSAR 1-Month SLA, Breach 72 Hours, DPIA Cadence, Vendor Reviews, Transfer Monitoring](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): A grounded GDPR compliance calendar that combines fixed legal milestones, 27 April 2016 adoption, 25 May 2018 application, the 2021 SCC overhaul.
- [GDPR DPIA (Article 35) + Risk Management | Triggers, Template, Controls, Residual Risk Sign-off, and Prior Consultation (Article 36)](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): A practical DPIA guide for GDPR Articles 35-36: how to screen for DPIA triggers, run a risk assessment focused on rights/freedoms.
- [GDPR International Transfers (Chapter V) + SCCs | Transfer Map, Adequacy, SCC Packs, TIA, Supplementary Measures, and Monitoring](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): A practical guide to GDPR international transfers (Chapter V): how to build a transfer map, choose mechanisms (adequacy vs SCCs).
- [GDPR Lawful Basis (Article 6) + Consent (Article 7) | How to Choose, Document, Implement, and Prove Compliance](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): A practical guide to GDPR lawful bases (Article 6) and consent (Article 7): how to select a lawful basis per purpose, when consent is appropriate vs risky.
- [GDPR Penalties and Fines | Articles 83-84 Explained + Risk Reduction Controls and Evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): A practical penalties guide for GDPR enforcement: how administrative fines work under Articles 83-84, what factors drive exposure (purpose drift.
- [GDPR Processor Contracts (Article 28) + Vendor Management | DPA Checklist, Sub-processors, Security Evidence, Transfers/SCCs](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): A practical vendor management guide for GDPR: how to operationalize Article 28 processor contracts, define controller vs processor roles.
- [GDPR RoPA Template (Article 30) | Record of Processing Activities: Fields, Examples, and Evidence Tips](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): A practical Record of Processing Activities (RoPA) template for GDPR Article 30: controller and processor fields.
- [GDPR vs CCPA/CPRA | Key Differences in Scope, Rights, Legal Bases, and Operational Compliance (DSAR, Vendors, Transfers)](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): A practical comparison of GDPR (EU) and CCPA/CPRA (California): differences in applicability triggers, roles, legal bases versus sale/share models.
- [GDPR vs UK GDPR | Practical Differences for Scope, Enforcement, Transfers (EU SCCs vs UK IDTA/Addendum), and Evidence](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): A practical comparison of EU GDPR and UK GDPR: territorial scope triggers, regulator structure (one-stop-shop vs ICO), cross-border processing implications.


(c) 2026 Sorena AB (559573-7338). All rights reserved.
