
Operationalizing in Modulos

GDPR work becomes manageable when you treat it as governance execution: clear requirements, repeatable controls, and evidence collected as a byproduct of doing the work.

Most organizations use:

  • One organization project to coordinate org-wide privacy work and shared artifacts (policies, templates, vendor due diligence patterns, DSAR process).
  • AI system projects for product/deployment work where GDPR obligations become system-specific (data flows, DPIAs, notices, retention settings, vendor usage).

A single organization project is enough for most organizations. Multiple organization projects are mainly useful for multinational or multi-entity groups that need separate governance boundaries (for example, separate controllers or separate supervisory authorities).

Where in Modulos

  • Project → Requirements for structured privacy obligations
  • Project → Controls for implementing and reviewing privacy measures
  • Project → Evidence for shared artifacts like DPIAs and records
  • Vendors for supplier documentation and review cycles when relevant

Minimum viable GDPR pack (per AI system)

For most AI systems, the minimum defensible set is:

  • data flow map (where personal data appears across the lifecycle)
  • lawful basis + purpose statement (split by purpose)
  • retention and deletion rules (including logs and backups)
  • privacy notice content + version history
  • DPIA (when applicable) + approval record
  • RoPA entry (or link to the RoPA system of record)
  • vendor/subprocessor list + DPAs + security review outputs
  • transfer mechanism decision(s) (when applicable)
  • DSAR procedure + test run evidence (at least once)

A sequence that works

1. Scope data flows: map where personal data appears (training, inference, logs, vendors, outputs).
2. Define requirements: translate GDPR obligations into a project requirement set (not a checklist).
3. Execute controls: implement controls and attach evidence (DPIA, RoPA, notices, retention, DSAR).
4. Review and approve: capture accountability, meaning who accepted risk, who approved, and when.
5. Export an audit package: generate stable snapshots for internal audit and external stakeholders.

Evidence and exports

Exports should be easy to generate and defensible as point-in-time snapshots: each export captures the requirements, controls, evidence, and approvals exactly as they stood on a given date, and is not altered afterwards. That lets an auditor or regulator see what was in place and when, rather than the current state reconstructed after the fact.

Operational cadence (keep it alive)

Privacy governance fails when artifacts drift away from reality. A lightweight cadence that works:

  • review the AI system data map and retention rules on meaningful changes
  • re-run DPIA reviews when purpose, vendors, or risk level changes
  • periodically revalidate DSAR operational ability (tabletop or test request)
  • refresh vendor reviews on a schedule aligned to your supplier risk model

Integrated Management System (IMS): ISO/IEC 27701 + ISO/IEC 27001

Many organizations operationalize GDPR through an Integrated Management System:

  • ISO/IEC 27701 provides privacy management system structure and audit discipline.
  • ISO/IEC 27001 provides the security baseline and supplier governance backbone.

This creates reuse: one control execution (and evidence) supports multiple frameworks.

See: ISO/IEC 27701 and ISO/IEC 27001.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.