The General Data Protection Regulation is the most impactful privacy regulation ever enacted. It governs how any organization handles personal data of individuals in the EU and EEA, regardless of where the organization is based.
Article 5 defines the six principles that every processing activity must satisfy:
Lawfulness, fairness, and transparency — You must have a lawful basis for processing, process data in ways people reasonably expect, and clearly communicate what you do.
Purpose limitation — Collect data for specified, explicit, and legitimate purposes. Don't repurpose data in ways people didn't consent to.
Data minimization — Collect only what you actually need. If a feature works with a username and email, don't also collect their phone number.
Accuracy — Keep personal data accurate and up to date. Provide mechanisms for individuals to correct errors.
Storage limitation — Delete data when you no longer need it. Retention periods must be justified and enforced.
Integrity and confidentiality — Secure personal data against unauthorized access, loss, or damage.
Understanding this distinction is critical. The controller decides why and how personal data is processed. The processor acts on the controller's behalf. Most SaaS companies are controllers for their customer data and processors for data their customers upload.
Individuals have eight rights under the GDPR:
1. Right to be informed (Articles 13-14)
2. Right of access (Article 15)
3. Right to rectification (Article 16)
4. Right to erasure (Article 17)
5. Right to restrict processing (Article 18)
6. Right to data portability (Article 20)
7. Right to object (Article 21)
8. Rights related to automated decision-making (Article 22)
Each right has specific timelines, exceptions, and procedural requirements. The DSAR procedure in Chapter 4 covers how to handle them.
You cannot protect what you haven't mapped. Data mapping is the foundation of every GDPR compliance program — it feeds the RoPA, DSAR procedures, retention schedule, and DPIA process.
Start by identifying every system, database, and third-party service that touches personal data. For each data flow, document:
What data — List every field containing personal data (name, email, IP address, device ID, etc.)
Where it comes from — User input, imported data, third-party APIs, inferred/correlated data
Where it goes — Databases, analytics services, CRM systems, backup storage, data processors
Why it's collected — The specific business purpose tied to a lawful basis
How long it's kept — Retention period and the trigger for deletion or anonymization
Article 30 requires controllers and processors to maintain a record of processing activities. This is not optional — the RoPA must be available to the supervisory authority on request.
The controller RoPA (Article 30(1)) must include:
Start with the data map, then group related processing activities. Each activity gets a unique Activity ID that links to the retention schedule, DPIA register, and data map. Keep the RoPA as a living document — update it whenever you add a new data source, processor, or processing purpose.
Get the full GDPR Privacy Toolkit and unlock everything.
Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.
Access all interactive tools with complete data, all workload profiles, and the full scenario library.
Downloadable source code, configuration files, and working examples from every chapter.
Free updates for life. Every new chapter, tool, and improvement included.