ISOPlanner™ includes a GDPR framework with controls mapped to the regulation's key obligations. You do not translate the law into tasks manually. Controls are structured, categorized, and ready to assign.


The AI Assistant reads your active GDPR controls and generates specific tasks for responsible team members. Processing activity documentation, consent review, and DPA management become tracked work items, not informal to-do lists.
Maintain your ROPA in SharePoint, structured to GDPR requirements. Accessible to your DPO and to supervisory authorities without last-minute preparation.


Store consent records, DPIAs, DPAs, and breach logs in SharePoint with a full audit trail. Evidence is organized by control and available to auditors or regulators without manual export.
Document and track data breach assessments and notifications within ISOPlanner™. The audit trail covers detection date, assessment, decision rationale, and notification timeline — all requirements under GDPR Articles 33 and 34.


GDPR compliance documentation, processing records, and evidence all live in your Microsoft 365 environment:
• SharePoint - ROPA, DPIAs, DPAs, consent records, breach logs
• Outlook - task assignments and completion notifications
• Teams - alerts and compliance collaboration
• Power BI - compliance status dashboards for management reporting
No third-party system holds your compliance data. No exports are needed at audit time.
01. What is a Data Processing Agreement and when is it required?
A Data Processing Agreement (DPA) is a legally binding contract required under GDPR Article 28 between a data controller and any third-party data processor. Any organisation that processes personal data on your behalf must have a signed DPA in place. ISOPlanner™ includes a DPA template and a processor register to track every active agreement.
02. What are the six lawful bases for processing personal data under GDPR?
GDPR Article 6 requires that every processing activity is tied to one of six lawful bases: Consent, Contract, Legal obligation, Vital interests, Public task, or Legitimate interests. Processing without a documented lawful basis is unlawful. ISOPlanner™ maps each processing activity in your ROPA to its lawful basis so you can demonstrate compliance at any time.
03. What is a DPIA and when must one be carried out?
A Data Protection Impact Assessment (DPIA) is a structured risk assessment required under GDPR Article 35 before starting any processing likely to result in a high risk to individuals, such as systematic profiling, large-scale sensitive data processing, or public monitoring. ISOPlanner™ includes a DPIA template that guides you through the assessment and links findings to your risk register.
04. What individual rights does GDPR grant, and how must organisations respond?
GDPR grants eight individual rights: access (Article 15), rectification (16), erasure (17), restriction (18), data portability (20), objection (21), and rights related to automated decision-making (22). Organisations must respond to Data Subject Access Requests within one month. ISOPlanner™ provides a DSAR log to track every request, deadline, and response.
05. What is the GDPR breach notification requirement?
Under GDPR Article 33, personal data breaches likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of discovery. If the breach poses a high risk, affected individuals must also be notified directly. ISOPlanner™ includes a breach response workflow that tracks incidents, assesses risk, and generates the notification record.
06. How does GDPR relate to ISO 27001?
ISO 27001 and GDPR are highly complementary. Article 32 of the GDPR requires appropriate technical and organisational security measures, which align closely with ISO 27001 Annex A controls. A certified ISO 27001 management system provides strong evidence of GDPR security compliance. ISOPlanner™ cross-maps GDPR obligations to ISO 27001 controls so both frameworks share the same evidence base.
07. What records must be maintained under GDPR Article 30?
Article 30 requires organisations with more than 250 employees, or any organisation conducting high-risk processing, to maintain a Record of Processing Activities (ROPA). Each entry must document the purpose of processing, categories of data and data subjects, recipients, third-country transfers, retention periods, and security measures. ISOPlanner™ provides a structured ROPA register that keeps every entry complete and audit-ready.
Log in to your ISOPlanner™ workspace, or start a free trial.