Contents

Chapter 1

GDPR Fundamentals

The General Data Protection Regulation is the most impactful privacy regulation ever enacted. It governs how any organization handles personal data of individuals in the EU and EEA, regardless of where the organization is based.

Core Principles

Article 5 defines the six principles that every processing activity must satisfy:

Lawfulness, fairness, and transparency — You must have a lawful basis for processing, process data in ways people reasonably expect, and clearly communicate what you do.

Purpose limitation — Collect data for specified, explicit, and legitimate purposes. Don't repurpose data in ways people didn't consent to.

Data minimization — Collect only what you actually need. If a feature works with a username and email, don't also collect their phone number.

Accuracy — Keep personal data accurate and up to date. Provide mechanisms for individuals to correct errors.

Storage limitation — Delete data when you no longer need it. Retention periods must be justified and enforced.

Integrity and confidentiality — Secure personal data against unauthorized access, loss, or damage.

Controller vs Processor

Understanding this distinction is critical. The controller decides why and how personal data is processed. The processor acts on the controller's behalf. Most SaaS companies are controllers for their customer data and processors for data their customers upload.

Data Subject Rights

Individuals have eight rights under the GDPR:

1. Right to be informed (Articles 13-14)

2. Right of access (Article 15)

3. Right to rectification (Article 16)

4. Right to erasure (Article 17)

5. Right to restrict processing (Article 18)

6. Right to data portability (Article 20)

7. Right to object (Article 21)

8. Rights related to automated decision-making (Article 22)

Each right has specific timelines, exceptions, and procedural requirements. The DSAR procedure in Chapter 4 covers how to handle them.

Chapter 2

Data Mapping & Records of Processing

You cannot protect what you haven't mapped. Data mapping is the foundation of every GDPR compliance program — it feeds the RoPA, DSAR procedures, retention schedule, and DPIA process.

The Data Mapping Process

Start by identifying every system, database, and third-party service that touches personal data. For each data flow, document:

What data — List every field containing personal data (name, email, IP address, device ID, etc.)

Where it comes from — User input, imported data, third-party APIs, inferred/correlated data

Where it goes — Databases, analytics services, CRM systems, backup storage, data processors

Why it's collected — The specific business purpose tied to a lawful basis

How long it's kept — Retention period and the trigger for deletion or anonymization

Records of Processing Activities (RoPA)

Article 30 requires controllers and processors to maintain a record of processing activities. This is not optional — the RoPA must be available to the supervisory authority on request.

The controller RoPA (Article 30(1)) must include:

  • Name and contact details of the controller and DPO
  • Purposes of the processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Transfers to third countries
  • Retention periods
  • Technical and organizational security measures

Building Your RoPA

Start with the data map, then group related processing activities. Each activity gets a unique Activity ID that links to the retention schedule, DPIA register, and data map. Keep the RoPA as a living document — update it whenever you add a new data source, processor, or processing purpose.

Chapter 3
🔒 Available in full product

DPIA & Risk Assessment

Chapter 4
🔒 Available in full product

DSAR & Breach Notification

Chapter 5
🔒 Available in full product

Building a Privacy Program

You’ve reached the end of the free preview

Get the full GDPR Privacy Toolkit and unlock everything.

All Chapters

Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.

Full Tool Suite

Access all interactive tools with complete data, all workload profiles, and the full scenario library.

Source Files

Downloadable source code, configuration files, and working examples from every chapter.

Lifetime Updates

Free updates for life. Every new chapter, tool, and improvement included.

Buy Now — $39 →
📦 Free sample included — download another copy for the full product.
GDPR Privacy Toolkit v1.0.0 — Free Preview