Privacy Program Management

Building a Robust GDPR Framework

The EU General Data Protection Regulation (GDPR) is the most important change to European data privacy regulations in over 20 years. Replacing the outdated Data Protection Directive

95/46/EC (DPD), GDPR aims to simplify and harmonise data privacy laws across Europe – giving data subjects back control of their personal data. A critical aspect of GDPR compliance is that companies can quickly and easily demonstrate the steps they have taken towards meeting GDPR requirements across all their functions and daily processes. They need to be able to provide this information and supporting documentation to auditors if required. In practice this means that organisations need to initiate a GDPR program and allocate resources to it. Within such a program organisations typically need to:


  • Build up-to-date inventories of all the personal data that organisation currently has, including all the computer systems, data registries, document collections, databases and paper archives.
  • Identify the processes and daily activities where personal data is collected and processed.
  • Identify and qualify all suppliers and vendors who are involved in the processing of Personal data.
  • Build or update the procedures, policies and work instructions around personal data handling.
  • Ensure these essential procedures and policies are not just ‘stored somewhere’ but are acknowledged and trained to staff.
  • Ensure that after the initial GPPR project crunch there are continuous processes in place for personal data processing and protection.



Many organisations attempt to manage GDPR manually with spreadsheets, and communicate tasks and activities with email. There are Excel spreadsheets for data systems, registries, audits, findings, tasks, risks, data requests etc. Items in these spreadsheets refer to items in other spreadsheets or documents in network folders/drives. Many spreadsheet items represent pending tasks or assignments. Eventually the matrix of items in spreadsheets grows overly complex, the amount of manual work grows, and there’s no transparency or awareness of what’s going on. Like with all complex processes, using spreadsheets might seems like an easy and affordable way to manage complex information, but information management experts know that eventually such systems fail and prove chaotic over time.


Another approach is to maintain a façade of compliance. This may involve creating convincing public statements about GDPR compliance on the organisation’s website, accompanied with credible-looking GDPR project plans and policies. Behind this façade, however, everything tends to continue as usual. This risky approach eventually backfires since organisations regularly undergo audits, or their non-compliance in personal data processing can be revealed through requests of external data subjects.

DPOhq – Privacy Program Management Solution

Data Protection Officers (DPOs) need to ensure that their organisations are well-prepared to meet their GDPR compliance obligations with the help of a robust GDPR framework. DPOhq simplifies GDPR compliance by helping organisations manage data processing activities, data processor information, policies and processes, and provides exceptional audit and DPIA capabilities.

DPOhq for Data Protection, Compliance and Legal Functions

DPOhq, built on the M-Files platform, is a proven, high performing tool for regulatory requirement management – and it fits perfectly to governing and managing GDPR requirements. Assess your systems, processes, contracts and manage audits, risk assessments, Privacy Impact Assessments (PIAs) and other information relating to third-party data processors through DPOhq. This gives a single viewpoint to this critical information, in a way that is easy to find, analyse, control and audit.

Risk management is dynamic. Risks identified anywhere related to any item (system, review or other task missing or in delay, finding from an audit for example) can be easily followed and controlled.

DPOhq for Processors

If an organisation is storing or processing personal data on behalf of a data controller, that organisation will also be required to demonstrate GDPR compliance. With DPOhq, a processor can demonstrate that they are compliant with the applicable regulatory requirements and those defined by a client.

DPOhq for Auditors and Consultants

DPOhq is the perfect solution to assist your customers with achieving GDPR compliance and ensure effective implementation of the criteria you outline for them to follow in order to achieve compliance.

GDPR requires ongoing compliance and thus any change may trigger a need to seek validation of a change. Often adherence commences with implementing a specific measure or task, which is easy to follow. All actions are duly recorded enabling live validation services keeping a client compliant effectively at all times.

DPOhq - A simple, process based approach to GDPR compliance

Request a Demo

We look forward to discussing how DPOhq can help your organisation.