
GDPR Overview

The GDPR is the EU regulation on protection of personal data. This guide summarizes its principles, data subject rights, and main obligations (records of processing, breach notification, DPIA, retention, processors). 

This guide is part of the documentation available in SecBoard. It explains what the General Data Protection Regulation (GDPR) is, its main principles and obligations, and how SecBoard modules help you implement and demonstrate compliance. Use SecBoard GDPR (app_gdpr) for processing activities, consent, data subject requests, breach management, retention policies, and DPIA; use Framework Compliance to map GDPR controls and evidence; and use Document Register, Incident Register, TPRM, and other modules to support policies, breach response, and processor management.

What is the GDPR?

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the EU regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It applies to processing carried out in the context of an establishment in the EU/EEA, and also to organizations established outside the EU/EEA when they offer goods or services to individuals in the EU/EEA or monitor their behaviour (Art. 3). The GDPR sets principles (lawfulness, purpose limitation, minimisation, accuracy, storage limitation, integrity and confidentiality, accountability), data subject rights, obligations for controllers and processors, breach notification to the supervisory authority (where feasible within 72 hours, unless the breach is unlikely to result in a risk to rights and freedoms), data protection impact assessments (DPIA), records of processing, and (where applicable) a data protection officer (DPO). Member-state laws add specifics through derogations and national implementing acts, and the UK applies its own UK GDPR together with the Data Protection Act 2018.

GDPR at a glance

Principles (Art. 5)
Lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability. Document how you meet them (e.g. records of processing, policies).
Data subject rights (Ch. III)
Access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, and rights related to automated decision-making (Art. 15–22). Respond without undue delay and at the latest within one month of receipt; this can be extended by up to two further months for complex or numerous requests, provided you inform the data subject within the first month (Art. 12). Document each request and its outcome.
Key obligations
Lawful basis (Art. 6, plus an Art. 9 condition for special categories); records of processing (Art. 30); breach notification to the supervisory authority (Art. 33) and to data subjects when the risk is high (Art. 34); DPIA for high-risk processing (Art. 35); DPO where required (Art. 37–39); processor agreements (Art. 28).

Main GDPR areas

Each area below is followed by its requirements in summary form.

Lawful basis (Art. 6)
Have a valid legal basis for each processing activity: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Special categories of data need an additional Art. 9 condition. Document the basis and communicate it to data subjects (e.g. in the privacy notice).

Records of processing (Art. 30)
Maintain records of processing activities: purposes, categories of data and data subjects, recipients, retention periods, a general description of security measures, international transfers, and similar. Processors keep their own records of the processing carried out for each controller.

Data subject rights (Art. 12–22)
Process requests (access, rectification, erasure, restriction, portability, objection) without undue delay and within one month, extendable by two further months for complex or numerous requests; document requests and responses; verify identity where there is reasonable doubt about who is asking.

Consent (Art. 7)
Where consent is the basis: freely given, specific, informed, unambiguous; as easy to withdraw as to give; documented so that you can demonstrate it. Present it separately from other terms, in clear and plain language.

Breach (Art. 33, 34)
Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to rights and freedoms; if notification is later than 72 hours, give the reasons for the delay. Notify affected data subjects without undue delay when the risk is high. Processors notify the controller without undue delay. Document every breach, including those not notified, with the facts, effects and remedial action taken (Art. 33(5)).

DPIA (Art. 35, 36)
Carry out a DPIA before processing that is likely to result in high risk to rights and freedoms (e.g. large-scale processing of special categories, systematic monitoring); consult the supervisory authority where residual risk remains high (Art. 36); document the assessment and review it when the processing changes.

Retention (Art. 5(1)(e))
Keep personal data only as long as necessary for the purpose; define and document retention periods; securely delete or anonymise data when it is no longer needed. Pseudonymised data is still personal data and stays in scope until anonymised.

Processors (Art. 28)
Use only processors that provide sufficient guarantees; have a written contract (or other legal act) containing the Art. 28(3) clauses (documented instructions, confidentiality, security, sub-processing, assistance, deletion or return, audit); sub-processors need the controller's prior specific or general written authorisation; monitor and manage them.

How SecBoard modules support GDPR

SecBoard helps you document processing, manage rights and breaches, and evidence compliance. Use the modules below in line with your role (controller/processor) and applicable law.

For each module: the GDPR area it covers, then how it helps.

GDPR (app_gdpr): core GDPR operations
Data Processing Activities for records of processing (Art. 30); Consent Management for consent records; Data Subject Requests (DSR) for access, rectification, erasure and the other rights; Data Breach Management for the breach log and tracking of the 72-hour notification deadline; Data Retention Policy for retention rules; DPIA for impact assessments. Access is controlled by GDPRAccess. See the GDPR Guide for module documentation.

Framework Compliance: controls and evidence
Create a GDPR framework (framework_type = GDPR). Map control categories and controls to GDPR articles (principles, rights, breach, DPIA, records, processors). Attach evidence from the GDPR app, Document Register and Incident Register. The dashboard and the Cabinet traffic light show status.

Document Register: policies and procedures
Store the privacy policy, retention schedules, breach procedure, DPO procedures and processor agreements (or references to them). Link documents to Framework Compliance evidence. Use Legislative docs for the GDPR text and national laws.

Incident Register: breaches and security events
Record security and personal-data incidents; coordinate with GDPR Data Breach Management for Art. 33/34 notifications. Use it for incident response and cross-module evidence; link to Framework Compliance.

TPRM: processors (Art. 28)
Manage vendors and processors: contracts, assessments, questionnaires. Use it as the processor list and for due diligence. Link evidence to Framework Compliance for Art. 28.

Cabinet: DPO and roles
Document the DPO and privacy roles in the org structure; assign access to the GDPR app via groups. The Cabinet Users Guide and Org Structure Guide cover governance setup.

Risk Assessment: DPIA and risk
Supports the risk-based approach for DPIAs and prioritisation. Document risks to rights and freedoms and link them to the DPIA in app_gdpr. Provides evidence for Framework Compliance.

Configuration: scope by entity
Define companies (e.g. controller entities) to scope processing and compliance by entity. Align Framework Compliance instances with these entities.

Quick mapping: GDPR requirement → SecBoard

GDPR requirement, followed by the SecBoard modules to use:

Records of processing (Art. 30): GDPR (Data Processing Activities), Framework Compliance, Document Register.
Data subject rights: GDPR (DSR Management, Data Subjects), Framework Compliance, Document Register (procedures).
Consent: GDPR (Consent Management), Document Register (privacy notice), Framework Compliance.
Breach (Art. 33, 34): GDPR (Data Breach Management), Incident Register, Document Register (breach procedure), Framework Compliance.
DPIA (Art. 35): GDPR (DPIA), Risk Assessment, Framework Compliance, Document Register.
Retention: GDPR (Data Retention Policy), Document Register, Framework Compliance.
Processors (Art. 28): TPRM, Document Register (contracts), GDPR (processing activities), Framework Compliance.

Getting started with GDPR in SecBoard

  • Records of processing: Use SecBoard GDPR Data Processing Activities to build and maintain your Art. 30 records. Assign responsible person and company. Link to Framework Compliance controls.
  • Rights and consent: Use GDPR Data Subject Requests for DSR workflow and Data Subjects/Consent for consent records. Store procedures and privacy notices in Document Register.
  • Breach: Use GDPR Data Breach Management for breach log and notification tracking; use Incident Register for security incidents that may involve personal data. Document breach procedure in Document Register.
  • DPIA and retention: Use GDPR DPIA for high-risk processing; use Data Retention Policy for retention rules. Link to Risk Assessment and Document Register where relevant.
  • Processors and evidence: Use TPRM for processor list and contracts; use Framework Compliance (GDPR framework) to map controls and attach evidence from GDPR app, Document Register, and TPRM.

GDPR and SecBoard

Together, the GDPR module and the Framework Compliance dashboard give you the records of processing, request and breach logs, DPIAs and linked evidence needed to demonstrate accountability (Art. 5(2)) and to answer supervisory authority requests.

Document your processing, manage rights and breaches, and keep evidence up to date for audits and regulatory inquiries.

Frequently asked questions

What is the GDPR? — The EU General Data Protection Regulation (Regulation (EU) 2016/679) on the protection of personal data. It sets principles, data subject rights, and obligations for controllers and processors (records, breach notification, DPIA, DPO, processor contracts, etc.). It applies to processing in the context of an EU/EEA establishment, and to organizations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA.

Where do I manage processing activities in SecBoard? — In SecBoard GDPR (app_gdpr), use Data Processing Activities to maintain records of processing (Art. 30). Add activities per purpose/processing; assign company and responsible person. Link to Framework Compliance for evidence.

How do I handle data subject requests? — Use GDPR Data Subject Requests (DSR) to log and process access, rectification, erasure, restriction, portability, and objection requests. Document procedures in Document Register. Respond within one month of receipt (extendable by two further months for complex or numerous requests, if you inform the data subject within the first month); document outcomes, including refusals and their grounds.

How do I handle a personal data breach? — Log the breach in GDPR Data Breach Management; use Incident Register if it is also a security incident. Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to rights and freedoms; notify affected data subjects when the risk is high. Record the facts, effects and remedial action for every breach, even those you decide not to notify. Store the breach procedure in Document Register.

How does Framework Compliance work with GDPR? — Create a framework with type GDPR in Framework Compliance. Add control categories and controls aligned to GDPR (e.g. Art. 5, 30, 33, 34, 35, rights, processors). Attach evidence from the GDPR app, Document Register, TPRM, and Incident Register. Use the dashboard to track status.
