The EU's General Data Protection Regulation — the global gravity well of privacy law since 2018.
Any organisation processing personal data of individuals in the EEA, regardless of where the controller or processor is located.
Up to 4% of global annual turnover or €20M, whichever is higher (Tier 2 infringements).
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Lawful basis for every processing activity (Art. 6) plus special-category conditions (Art. 9).
Data subject rights: access, rectification, erasure, restriction of processing, data portability, the right to object, and the right not to be subject to solely automated decision-making.
DPIAs for processing likely to result in high risk (Art. 35).
72-hour breach notification to the supervisory authority (Art. 33).
International transfer mechanism (adequacy decision, SCCs with Transfer Impact Assessment, or BCRs).
Records of Processing Activities (RoPA) per Art. 30.
Data Protection Officer where required (Art. 37).
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
RoPA template with continuous lineage from data inventory.
DSAR (data subject access request) workflow with 30-day clock and verification gates.
Breach detection feeding a 72-hour-aware incident timer with regulator notification draft.
Sub-processor registry with TIAs and SCC version tracking.
DPIA library with templates for high-risk processing (AI/ML, profiling, biometrics).
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Article 30 RoPA — exportable in supervisory-authority format.
DPIA records linked to the processing activity they cover.
Sub-processor list with country, purpose, and transfer mechanism.
Breach register with timeline and notification status.
Lawful basis register per processing purpose.
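The signed-and-timestamped evidence claim above is, mechanically, a public-key signature over the artifact's digest and a signing time, checked by the auditor with nothing but the issuer's public key. The following is an added illustration of that pattern, written for this page and not Safeguard's own code; the record layout, field names and the Ed25519-over-SHA-256 choice are assumptions, and the breach-register line is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// EvidenceRecord is a hypothetical wrapper for one evidence artifact (a RoPA
// export, a breach-register entry, a DPIA). It carries the artifact's SHA-256,
// the time it was signed, and an Ed25519 signature over both, so a verifier
// holding only the issuer's public key can check it independently.
type EvidenceRecord struct {
	Name      string // artifact name, e.g. "breach-register.csv" (illustrative)
	SHA256    string // hex SHA-256 of the artifact bytes
	SignedAt  string // RFC 3339 UTC timestamp, covered by the signature
	Signature string // hex Ed25519 signature over signingInput()
}

// signingInput binds name, digest and timestamp into one byte string with a
// fixed field order, so the timestamp cannot be changed without breaking the
// signature.
func (r EvidenceRecord) signingInput() []byte {
	return []byte(r.Name + "\n" + r.SHA256 + "\n" + r.SignedAt)
}

func digestHex(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// SignEvidence hashes the artifact, stamps it with signedAt and signs the
// bundle with the issuer's private key.
func SignEvidence(priv ed25519.PrivateKey, name string, content []byte, signedAt time.Time) EvidenceRecord {
	r := EvidenceRecord{
		Name:     name,
		SHA256:   digestHex(content),
		SignedAt: signedAt.UTC().Format(time.RFC3339),
	}
	r.Signature = hex.EncodeToString(ed25519.Sign(priv, r.signingInput()))
	return r
}

// VerifyEvidence is what the auditor runs: it needs only the issuer's public
// key, the record and the artifact bytes. It rejects altered content, an
// altered or malformed timestamp, and a bad or foreign signature.
func VerifyEvidence(pub ed25519.PublicKey, r EvidenceRecord, content []byte) error {
	if digestHex(content) != r.SHA256 {
		return errors.New("artifact content does not match recorded SHA-256")
	}
	if _, err := time.Parse(time.RFC3339, r.SignedAt); err != nil {
		return fmt.Errorf("malformed signing timestamp: %w", err)
	}
	sig, err := hex.DecodeString(r.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, r.signingInput(), sig) {
		return errors.New("signature does not verify under the issuer's public key")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact: one line of a breach-register export.
	artifact := []byte("INC-0001,2024-03-01T09:15:00Z,notified,supervisory authority\n")
	rec := SignEvidence(priv, "breach-register.csv", artifact, time.Now())
	fmt.Println("verify original:", VerifyEvidence(pub, rec, artifact))

	tampered := append([]byte{}, artifact...)
	tampered[len(tampered)-2] = 'X' // flip one byte of the content
	fmt.Println("verify tampered:", VerifyEvidence(pub, rec, tampered))

	rec.SignedAt = "2024-01-01T00:00:00Z" // backdating breaks the signature
	fmt.Println("verify backdated:", VerifyEvidence(pub, rec, artifact))
}
```

In practice the signing time would come from a trusted time source or an RFC 3161 timestamp authority rather than the signer's own clock, and the issuer's public key would be published out of band so the auditor's check does not depend on the platform being verified.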
These frameworks share substantial control overlap with GDPR. Customers running one assessment typically satisfy the others with the same evidence base.
United Kingdom: The UK's post-Brexit data protection regulation — substantially aligned with EU GDPR with diverging guidance.
European Union: The expanded EU network and information security directive, covering essential and important entities across 18 sectors.
European Union: The EU Digital Operational Resilience Act — applies directly to financial entities and designates critical ICT third-party providers as supervised.
European Union: The world's first comprehensive AI regulation — risk-based, with phased prohibitions, transparency duties, and obligations for high-risk and general-purpose AI.
Latin America & Africa: Brazil's General Data Protection Law — broadly aligned with GDPR with Brazil-specific enforcement and DPO regime.
India: India's first omnibus personal data protection law — phased rollout underway, with sectoral overlays from RBI, SEBI, and CERT-In.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.