RiskWatch

For DPOs + Privacy Counsel + US-EU Multinational Controllers

One platform for GDPR Articles, ROPA + DPIA at scale, and DSAR operations across every EU jurisdiction.

US-EU multinational controllers face the world's most prescriptive data-protection stack: EU GDPR (2016/679), UK GDPR + DPA 2018, the new EU Data Act + Data Governance Act, the EU AI Act 2024, EDPB Guidelines, the Article 30 ROPA, the Article 35 DPIA threshold, DSAR operations under Articles 12–22, and the cross-border transfer toolkit (SCCs 2021, EU-US DPF, UK IDTA). RiskWatch handles all of it as one survey-based assessment platform sized for DPOs running 380+ active processing activities across 18 EU countries.

Trusted by DPOs, Privacy Counsel, and US-EU multinational controllers managing GDPR Articles, ROPA at scale, the EDPB DPIA threshold, DSAR operations, cross-border transfers under SCCs 2021, the EU-US DPF, and the new EU AI Act obligations across multi-jurisdiction processing activities.

G2 Crowd 4.8 (138+) · Capterra 4.7 (94+) · Gartner Peer Insights 4.8 (Voice of Customer)

Why DPOs + Privacy Counsel Pick RiskWatch

RiskWatch turns Articles, ROPA, DPIA, DSAR, and AI Act into one program.

RiskWatch runs the EU GDPR Articles, UK GDPR + DPA 2018, the Article 30 ROPA, the Article 35 DPIA threshold, DSAR operations under Articles 12–22, cross-border transfers under SCCs 2021, the EU-US DPF, the EU AI Act 2024, ISO 27701:2019 PIMS, NIST Privacy Framework 1.0, and the broader cross-mapped frameworks as one program on one platform, scored against the same controls library, and tracked through a single supervisor-ready evidence trail. Built for DPOs + Privacy Counsel where one team covers every EU jurisdiction, every processing activity, and every supervisory-authority cycle, without enterprise-bank GRC overhead.

Living ROPA + EDPB DPIA threshold engine in one library

Article 30 ROPA captured as a living document with field-level change history. EDPB 9-criteria DPIA threshold auto-trigger removes the judgment call. ROPA + DPIA + DSAR + breach share evidence, no parallel spreadsheets.

Cross-border + UK + AI Act built in

SCCs 2021 modules + supplementary measures + EU-US DPF certification + UK IDTA + Schrems II Transfer Impact Assessments tracked end-to-end. EU AI Act 2024 risk-tier classification cross-mapped to DPIA evidence.

Multi-jurisdiction + 18 EU countries built in

US-EU multinational controllers run per-jurisdiction posture with rollup to the consolidated DPO dashboard. Lead supervisory authority + one-stop-shop coordination tracked. White-glove implementation in 30 days.

The GDPR + EU Privacy Landscape

GDPR enforcement keeps escalating. The numbers prove it.

Total EU GDPR fines exceeded €4.5B 2018–2024, with Meta's €1.2B fine for SCC violations the largest single penalty. The EU AI Act 2024 (in force August 2024) added the world's first comprehensive AI regulation, with prohibited practices effective February 2025 and high-risk AI obligations rolling through 2026. The EU Data Act (effective September 2025) and Data Governance Act add new obligations for data sharing + access. The EU-US DPF replaced Privacy Shield in July 2023, but Schrems III is already in motion. UK GDPR is diverging from EU GDPR (UK Data Bill 2024–25). Each jurisdiction wants its own evidence package.

€4.5B+ · Total EU GDPR fines 2018–2024, Meta's €1.2B SCC fine the single largest
Aug 2024 · EU AI Act 2024 in force, prohibited practices effective Feb 2025
Article 35 · DPIA threshold, EDPB 9-criteria test, two criteria met = DPIA required
SCCs 2021 · EU Standard Contractual Clauses, 4 modules, supplementary measures + TIA

Three Domains, One Platform

GDPR risk lives in three concrete domains

RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single ROPA entry satisfies Article 30, the corresponding Article 35 DPIA threshold, the SCC 2021 module obligations, and the EU AI Act risk-tier classification simultaneously.

Risk

Cross-border + Vendor + Breach Risk

Survey-based risk assessment across cross-border data transfers, vendor processor + sub-processor relationships, and Article 33/34 breach posture.

  • SCCs 2021 + TIA tracked
  • Sub-processor cascade live
  • 72-hour breach playbook
Compliance

Articles + ROPA + DPIA

EU GDPR Articles 5–99, UK GDPR + DPA 2018, Article 30 living ROPA, Article 35 DPIA threshold engine, EU AI Act 2024 cross-mapping.

  • Articles 5–99 mapped
  • Living ROPA per Art. 30
  • EDPB DPIA threshold engine
Rights

DSAR + Erasure + Portability

DSAR operations under Articles 12–22, erasure + rectification + restriction + portability + objection workflows tracked end-to-end.

  • DSAR SLA tracked
  • Erasure cascade managed
  • Portability format ready

Article 35 · DPIA Threshold Spotlight

Two EDPB criteria met = DPIA required. No judgment call.

The EDPB Article 35 DPIA Guidelines define 9 criteria: evaluation/scoring, automated decisions, systematic monitoring, sensitive data, large-scale processing, dataset matching, vulnerable subjects, innovative tech, and rights-blocking processing. Two criteria met = DPIA required. The DPIA threshold engine auto-triggers from the ROPA, so a processing activity never slips past the threshold without a DPIA opening on the workflow.

Article 35 · DPIA threshold engine
EDPB 9-criteria test. Two hits = DPIA required.
Evaluating: ROPA-247-B · customer support transcripts + screen recordings

C1 Evaluation or scoring (incl. profiling, predictive analytics): Hit
C2 Automated decision with legal/significant effect (Article 22 territory): Clear
C3 Systematic monitoring (incl. public-area surveillance, employee monitoring): Hit
C4 Sensitive data or highly personal (Art. 9 special categories, Art. 10 criminal): Clear
C5 Data processed on a large scale (by volume, range, duration, geographic scope): Hit
C6 Matching or combining datasets (from different processing operations): Clear
C7 Data concerning vulnerable subjects (children, employees, asylum seekers, patients): Clear
C8 Innovative use or new technology (AI/ML, biometrics, IoT at scale): Hit
C9 Prevents subject from exercising rights (or accessing a service or contract): Clear

4 of 9 criteria hit · threshold ≥ 2
DPIA required · auto-routed to DPO
EDPB WP248 rev.01 methodology. No more judgment-call DPIAs.
Article 30 ROPA · live record
Living document. Field-level change history. Source-linked.

ROPA-247-B · Customer support, chat transcripts + screen recordings · Live
Controller: Acme EU SAS
Retention: 24 months · pseudonymized at 12
Recipients · processors: Zendesk (processor), Gong (processor), FullStory (processor)
Chapter V transfers: USA, SCC + supplementary measures

Field-level change history
Q4 2026 · Product launch trigger: Added FullStory as recipient (session replay). DPIA re-triggered · Schrems II TIA refreshed.
Q3 2026 · DPO field update: Retention shortened: 36mo → 24mo (12mo pseudonym). Article 5(1)(e) storage limitation aligned.
Q3 2026 · Vendor onboarding: Gong added as sub-processor of Zendesk. Sub-processor cascade · DPA chain updated.
Q2 2026 · Article 30 baseline: Record created from product catalog import. Initial controller record per Art. 30(1).

Updated daily · supervisory-authority ready. Spreadsheets can't do this.

Article 30 · Living ROPA Spotlight

ROPA isn't a frozen spreadsheet. It's a living document.

Most controllers maintain Article 30 records as a spreadsheet that stops reflecting reality six months after creation. The Living ROPA captures field-level change history tied to source events: product launches, vendor changes, retention updates, sub-processor cascade. Each change explains what changed and why, so the audit trail is supervisory-authority-ready continuously rather than reassembled annually.
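To make the two mechanisms above concrete, here is an added Python sketch (not RiskWatch code) of an EDPB 9-criteria threshold check that re-runs whenever a living ROPA record changes. The criteria IDs C1–C9 and the ROPA-247-B sample follow the page; the record shape, the `assess`/`change` functions and the sample change events are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# EDPB WP248 rev.01 criteria C1..C9, as listed on this page.
CRITERIA = {
    "C1": "Evaluation or scoring",
    "C2": "Automated decision with legal/significant effect",
    "C3": "Systematic monitoring",
    "C4": "Sensitive data or highly personal",
    "C5": "Data processed on a large scale",
    "C6": "Matching or combining datasets",
    "C7": "Data concerning vulnerable subjects",
    "C8": "Innovative use or new technology",
    "C9": "Prevents subject from exercising rights",
}
THRESHOLD = 2  # two criteria met = DPIA required


def assess(hits):
    """Apply the 9-criteria test to the set of criterion IDs marked 'Hit'."""
    unknown = set(hits) - set(CRITERIA)
    if unknown:  # reject typos so a misspelt criterion never silently counts as 'Clear'
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    hit = sorted(hits)
    return {"hits": hit, "count": len(hit), "dpia_required": len(hit) >= THRESHOLD}


@dataclass
class RopaRecord:
    """One Article 30 record with a source-linked change log (assumed shape)."""
    record_id: str
    activity: str
    hits: set
    history: list = field(default_factory=list)

    def change(self, trigger, note, add=(), remove=()):
        """Record a sourced field change and re-run the threshold test on it."""
        before = assess(self.hits)
        self.hits = (set(self.hits) | set(add)) - set(remove)
        after = assess(self.hits)
        # (Re)open a DPIA only when the result is 'required' AND the criteria
        # picture changed; an unrelated field edit leaves the existing DPIA alone.
        retrigger = after["dpia_required"] and after["hits"] != before["hits"]
        self.history.append({"trigger": trigger, "note": note,
                             "count": after["count"], "dpia_retriggered": retrigger})
        return retrigger


def demo():
    """Constructed walk-through of ROPA-247-B: C1, C3, C5 hit at baseline."""
    rec = RopaRecord("ROPA-247-B", "Customer support transcripts + screen recordings",
                     {"C1", "C3", "C5"})
    rec.change("Q3 2026 · DPO field update", "Retention 36mo -> 24mo")  # no criteria change
    rec.change("Q4 2026 · Product launch trigger", "Added FullStory session replay",
               add={"C8"})  # new-technology hit: 4 of 9, DPIA re-triggered
    return rec
```

Run `demo()` and inspect `rec.history`: the retention edit logs `dpia_retriggered: False`, the FullStory addition logs `True` with `count: 4`.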

The Coverage Gap

Most GDPR software covers one obligation

Privacy management platforms handle ROPA. DSAR specialty tools handle rights. Cookie consent vendors handle ePrivacy. Each does one job. DPOs still operate four parallel programs across articles, processing activities, and EU jurisdictions.

Platform Category                | Vendors                          | Articles | ROPA    | DPIA    | DSAR    | Cross-border | Multi-jurisdiction
---------------------------------|----------------------------------|----------|---------|---------|---------|--------------|-------------------
Privacy Management Platforms     | OneTrust, TrustArc, Securiti     | Yes      | Yes     | Partial | Yes     | Partial      | Partial
DSAR Specialty                   | Transcend, DataGrail             | Partial  | ·       | ·       | Yes     | ·            | Partial
Cookie Consent + ePrivacy        | OneTrust CMP, Cookiebot          | ·        | ·       | ·       | ·       | ·            | Partial
Generic GRC                      | ServiceNow GRC, Archer           | Partial  | Partial | Partial | Partial | Partial      | Partial
Vendor Risk Tools                | OneTrust VRM, ProcessUnity       | ·        | ·       | ·       | ·       | Yes          | ·
Spreadsheets & Email             |                                  | ·        | ·       | ·       | ·       | ·            | ·
RiskWatch                        | The unified DPA-ready platform   | Yes      | Yes     | Yes     | Yes     | Yes          | Yes

RiskWatch is the only platform covering all six GDPR compliance domains: Articles 5–99, ROPA at scale, the EDPB DPIA threshold engine, DSAR operations, cross-border transfer toolkit, and multi-jurisdiction coordination. Privacy management platforms cover ROPA. DSAR tools cover rights. Cookie consent vendors handle ePrivacy. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.

How It Works

One platform. Continuous compliance across every article + jurisdiction.

RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture Article-level posture, processing activities, DPIA outcomes, DSAR operations, and cross-border transfers in a consistent format, then scored against every framework you align to.

For GDPR, that workflow runs continuously across Articles 5–99, the Article 30 living ROPA, the Article 35 DPIA threshold, DSAR operations under Articles 12–22, cross-border transfers under SCCs 2021, the EU-US DPF, the UK GDPR + DPA 2018, the EU AI Act 2024, and ISO 27701:2019 PIMS. A single ROPA entry scores against Article 30, triggers the EDPB DPIA threshold engine, references the SCC 2021 module obligations, and surfaces the AI Act risk-tier classification simultaneously.

The same platform runs all of it, surfaces gaps before the supervisory authority arrives, assigns remediation owners, and tracks completion. It replaces the OneTrust ROPA, the Transcend DSAR engine, the cookie consent platform, and the SCC spreadsheet that would otherwise run in parallel.

The Workflow

  1. Inventory: Living ROPA captured per Article 30. Processing activities, controllers + processors, sub-processor cascade, retention, and cross-border flows mapped per jurisdiction.
  2. Assess: Responses score against Articles 5–99, the EDPB 9-criteria DPIA threshold (auto-trigger), SCC 2021 module obligations, EU AI Act risk tiers, and ISO 27701:2019 PIMS.
  3. Operate: DSAR queue live with Articles 12–22 SLA tracking. Erasure cascade managed across processors + sub-processors. Article 33/34 breach playbook armed for 72-hour notification.
  4. Demonstrate: Evidence trails export to supervisory-authority-ready packages, lead-DPA + one-stop-shop coordination artifacts, EU AI Act conformity assessments, and DPF certification renewals. DPA-ready in minutes.

Built For Your Role

Who uses RiskWatch in a US-EU multinational controller

Data Protection Officer (DPO)

Owns the GDPR program end-to-end, supervisory-authority relationships, the Article 30 ROPA, and the lead-DPA + one-stop-shop coordination across 18 EU countries.

Living ROPA continuous. DPIA threshold automated. Lead-DPA correspondence tracked. EU AI Act conformity surfaced.

Privacy Counsel

Owns the legal strategy, contract + DPA negotiation, SCC 2021 module selection + supplementary measures, EU AI Act 2024 + UK GDPR divergence tracking.

DPA register live. SCC 2021 + TIA evidence captured. UK divergence tracked. AI Act conformity assessment workflow ready.

DSAR Operations Lead

Owns the DSAR queue under Articles 12–22, identity verification, response templating, and the 1-month + 2-month extension SLA.

DSAR queue live. SLA tracked per Article 12. Response templates per jurisdiction. Erasure cascade managed across processors.

Vendor + Processor Risk Lead

Owns the Article 28 processor register, the SCC 2021 module-by-module mapping per processor, sub-processor cascade, and the audit-right + cooperation evidence.

Processor register live. Sub-processor cascade tracked. SCC 2021 modules mapped per processor. Article 28(3) audit evidence captured.

Information Security / CISO

Owns the technical Article 32 controls, encryption, pseudonymization, and the Article 33/34 breach detection + 72-hour notification posture.

Article 32 controls scored. Encryption + pseudonymization evidence captured. Breach playbook armed. ISO 27001 + 27701 cross-walked.

AI / Data Governance Lead

Owns the EU AI Act 2024 risk-tier classification, model + training-data lineage, and the GDPR Article 22 automated-decision-making interplay with AI use cases.

EU AI Act risk tiers classified. Model + training-data lineage captured. Article 22 evidence integrated. AI conformity assessments tracked.

Built For Your Segment

GDPR segments we serve

US-EU Multinational Controllers

US-headquartered multinationals running EU GDPR + UK GDPR + state US privacy laws across 18 EU countries with lead-DPA + one-stop-shop coordination.

B2B SaaS Serving EU Customers

B2B SaaS handling EU resident data under GDPR Articles 24–28 (controller + processor obligations) plus SCCs 2021 + EU-US DPF for transfers.

AI-Native + ML Companies

AI companies running GDPR + EU AI Act 2024 in parallel, with model-governance, automated-decision-making (Article 22), and AI conformity assessment in scope.

Healthcare + Pharma

Healthcare + pharma running GDPR alongside HIPAA + national health-data laws (German BDSG, French CNIL, Italian Garante) across multi-country trials.

Financial Services + Insurance

Banks, insurers, fintech running GDPR alongside DORA, NIS2, EU Banking regulators with cross-border transfers + automated decision-making in scope.

Adtech + Marketing Operations

Adtech + marketing running GDPR + ePrivacy Directive + planned ePrivacy Regulation, with cookie consent, behavioral targeting, and cross-border ad-tech in scope.

Frameworks We Cover

GDPR frameworks built into the library

RiskWatch ships with pre-built libraries for every major EU + UK regulation + EDPB guideline + cross-mapped framework. Map controls once. Score against the framework that matters this supervisory-authority cycle.

Regulatory Frameworks

EU GDPR (2016/679)
Regulation (EU) 2016/679, General Data Protection Regulation, Articles 5–99, the EU privacy baseline.
UK GDPR + DPA 2018
UK General Data Protection Regulation + Data Protection Act 2018, diverging from EU GDPR via UK Data Bill 2024–25.
EU Data Act + DGA
EU Data Act (effective Sept 2025) + Data Governance Act, new data-sharing + access obligations alongside GDPR.
ePrivacy Directive
Directive 2002/58/EC on Privacy and Electronic Communications, cookies, marketing, electronic communications. Pending ePrivacy Regulation.
EU AI Act 2024
Regulation on Artificial Intelligence (in force August 2024), prohibited practices effective Feb 2025, high-risk obligations through 2026.
EDPB Guidelines
European Data Protection Board guidelines, Article 35 DPIA, Article 6 lawful basis, Article 49 transfers, and 50+ topical guidelines.

Industry + Cross-Mapped Frameworks

ISO 27701:2019
Privacy Information Management System (PIMS) extension to ISO 27001, controller + processor controls cross-walked to GDPR Articles.
ISO 31700-1:2023
Privacy by Design for consumer products and services, operationalizing GDPR Article 25 obligations.
NIST Privacy Framework 1.0
NIST Privacy Framework, outcome-based mapping of GDPR Articles to Identify-P / Govern-P / Control-P / Communicate-P / Protect-P functions.
APEC CBPR
Asia-Pacific Economic Cooperation Cross-Border Privacy Rules, for multinationals with APAC processing alongside GDPR.
EU SCCs 2021
Standard Contractual Clauses for international transfers, 4 modules + supplementary measures + Transfer Impact Assessment.
EU-US Data Privacy Framework
EU-US DPF (effective July 2023, replaced Privacy Shield), self-certification for US-headquartered controllers receiving EU data.

Trusted by 1,500+ risk and compliance teams

Aon
Bose
The Coca-Cola Company
Iberdrola USA
Johnson & Johnson
Pfizer
Puma North America
SeaWorld Entertainment
TE Connectivity
"We were running ROPA in OneTrust, DSAR in Transcend, cookie consent in a third tool, and SCCs 2021 in a Word document with 47 versions. Now it's one platform. Living ROPA, the EDPB DPIA threshold engine, the DSAR queue, the SCC 2021 module mapping per processor, and the EU AI Act risk-tier classification all run from the same evidence vault. Our last CNIL inquiry closed with two recommendations instead of seven, and we cut DPIA-decision time from 6 weeks to 4 days."

F. Aleksandersen, Data Protection Officer + EU Privacy Counsel, US-multinational manufacturer · 22,000 employees · 18 EU countries · 380 active processing activities

4 → 1: tools consolidated to one platform
7 → 2: CNIL inquiry recommendations on most recent review
6 wks → 4 days: DPIA-decision time reduced
Articles · ROPA · DPIA · DSAR-ready

See RiskWatch run a GDPR + EU AI Act + ROPA cycle live

30-minute walkthrough of the GDPR library, your processing-activity + jurisdiction inputs, and the supervisor-ready evidence-trail output. No slideware, no consulting upsell.

Or call US: +1 941-500-4525

Request a Demo