Appearance
Integration with GDPR
GDPR sets the legal obligations; ISO 27701 helps you operationalize privacy work with a management system structure.
How Modulos enables reuse
Use one set of controls and evidence across frameworks:
- GDPR obligations mapped to privacy controls
- ISO 27701 governance requirements mapped to the same controls
- evidence linked once and reused where applicable
Framework mapping
Four layers, one reusable spine.
Frameworks
EU AI Act
ISO 42001
Requirements
Art. 9.1Risk management
Art. 10.2Data governance
6.1.1Risk assessment
Components
Risk identification
Impact analysis
Evidence
Risk register
Test results
Controls
The reusable spine
One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.
Risk assessment process
Data validation checks
Edge from any layer card crosses into the Controls spine — the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.
Example: reuse evidence across GDPR and ISO 27701
The most valuable integration pattern is evidence reuse. Instead of duplicating artifacts:
- create one privacy artifact (for example a DPIA, RoPA entry link, or a privacy notice version)
- link it as evidence to the relevant GDPR controls and the relevant ISO 27701 controls
- keep approvals and residual risk decisions reviewable (so auditors can follow the thread)
Evidence linking
One evidence file, attached to component-level claims, reused across two controls.
model_validation.pdf
CTRL-001 group
Component A
Component B
Component C
CTRL-002 group
Component D
Component E
CTRL-001Model validation
CTRL-002Data quality
1 evidence · 3 linked components · 2 controlsAttach evidence to the smallest meaningful claim — the same file then satisfies parts of every control whose components it covers.
Related pages
GDPR overview
Key GDPR principles and how they intersect with AI systems
Evidence
How evidence is linked to controls and preserved for review
Disclaimer
This page is for general informational purposes and does not constitute legal advice.