Framework · GDPR

Give your privacy programme an operational backbone.

01GRC isn't a DPO tool — it's where the processes that underpin GDPR live and stay current: your records of processing, your data map, retention, processor relationships, security of processing, and the evidence that ties it all together. Your DPO sets the direction, 01GRC keeps the operational record honest and audit-ready.

Article 30 register · Article 32 security of processing · built by GRC practitioners

Why 01GRC for GDPR

The operational record, kept honest.

Every claim here maps to a shipped feature. 01GRC facilitates the processes that support GDPR compliance — it does not replace your DPO, your privacy counsel, or a dedicated data-subject-rights platform.

One living data map

Records of processing, retention and transfers are produced from the same processing map your teams keep current — not a separate spreadsheet that drifts.

Article 30 on demand

Generate a Records of Processing Activities register as PDF or XLSX, built directly from your data-flow inventory.

Security of processing, proven

An information-security backbone with control testing, asset classification and immutable evidence supports your Article 32 measures.

Accountability built in

Activity logging on every entity, versioned policies and notices, and immutable sign-offs make the record of what you did and when defensible.

Honest about the boundary

We are explicit about what the platform does and does not do — because your DPO and your regulator will be.

Where 01GRC helps

The operational processes that support GDPR.

Where GDPR asks for a maintained record or a repeatable process, 01GRC gives you a working feature — each one mapped to its article.

| GDPR obligation | What 01GRC delivers |
| --- | --- |
| Records of Processing Activities (Art. 30) | Generate an Article 30 register as PDF or XLSX directly from your data-flow inventory — processing flows, assets involved, recipients and third parties, data categories (with personal and special-category flags), international transfers and retention. |
| Data mapping & inventory (Art. 30 & 5) | Data flows tie a business process to its source and destination assets, the third party involved, and whether it is an international transfer. Catalogue data elements grouped into categories, each flagged for personal and special-category data (Article 9). |
| Storage limitation & retention (Art. 5(1)(e)) | Set retention periods and a retention basis at the data-element and category level, with per-flow overrides and review-cycle scheduling — retention becomes a documented, reviewable attribute of each data type. |
| International transfers (Chapter V) | Flag cross-border transfers on the data flows where they occur and surface them in the Article 30 register, so the processing that needs a transfer mechanism is visible rather than buried. |
| Processor & sub-processor oversight (Art. 28) | A processor register with derived criticality, due-diligence questionnaires with evidence, and subcontractor mapping (data-access level and materiality). Data flows link to the third parties that receive data, connecting your processing map to your processor inventory. |
| Security of processing (Art. 32) | A control framework with effectiveness testing, asset classification and CIA values, role-based access control, encryption of stored evidence, malware-scanned uploads and immutable activity logging — you manage and prove appropriate technical and organisational measures. |
| Personal-data breach handling (supports Art. 33) | An incident module with a state-machine lifecycle, activity timeline, asset and data-element linkage, and evidence — so a suspected breach is triaged, recorded and investigated consistently. (Statutory notification is made through your regulator's channels.) |
| Accountability (Art. 5(2)) | Activity logging on every entity, controlled policy and notice documents with versioning and approval, immutable management-review sign-offs, and evidence attached throughout. |
| Awareness & training | Assign, deliver and evidence data-protection awareness and training through the built-in Learning module — courses, quizzes, schedules and completion tracking — plus policy-acknowledgement campaigns. |
| Privacy & governance reviews | Schedule recurring privacy and governance reviews against your business processes, with reminders, so your processing record and its controls are revisited on a cadence rather than left to decay. |
| Self-assessment against GDPR | A seeded GDPR criteria set lets you run a gap analysis and compliance reviews against the regulation's key articles — capturing findings, corrective actions and evidence, and tracking your posture over time. |
| Privacy risk documentation | Record and treat data-protection risks in the risk module — threats, affected assets and processes, inherent and residual scoring, and treatment plans. (General risk documentation, not a structured DPIA workflow.) |

Honest scope

What 01GRC is — and is not.

We are explicit about the boundary, because your DPO and your regulator will be.

| 01GRC does | 01GRC does not |
| --- | --- |
| Maintain an Article 30 record of processing, data map, retention and transfer register | Run data-subject-rights / DSAR workflows (access, erasure, portability, objection) |
| Manage processors, security of processing, breaches (internally) and accountability evidence | Provide consent management or capture / track lawful basis per processing operation |
| Provide GDPR self-assessment, training, and privacy / governance review cadences | Provide a structured DPIA workflow (Article 35) |
| Hold the evidence that supports your reporting obligations | File breach notifications to a supervisory authority or notify data subjects |

01GRC is the operational system of record that supports your privacy programme. It does not replace your DPO, your privacy counsel, or a dedicated data-subject-rights platform.

Platform

Strengths that make GDPR easier.

Business-first model

Department → Process → Asset → Data Flow → Vendor, with dependency mapping and derived process/vendor criticality, so a breach's blast radius is visible.

Immutable evidence

Activity logs, snapshotted sign-offs, encrypted and virus-scanned attachments, soft deletes by default.

Role-based access & multi-tenancy

Granular permissions, organisation-scoped data, MFA, session controls, IP blocklisting.

Deploy anywhere

Self-contained with no external dependencies — deploy on-premises, in your private cloud, or fully air-gapped.

Who it helps

One record, every privacy stakeholder.

DPO / Privacy lead

A maintained Article 30 register, data map and processor inventory, plus the evidence trail to demonstrate accountability.

Security / IT

Security of processing (Article 32) managed and tested alongside the rest of the ISMS.

Risk & Compliance

GDPR gap analysis, privacy / governance reviews, and corrective actions in one place.

01GRC facilitates the operational processes that support GDPR compliance — records of processing (Article 30), data mapping, retention, international-transfer visibility, processor oversight (Article 28), security of processing (Article 32), breach handling, training and accountability evidence. It is not a dedicated DPO console and does not provide data-subject-rights automation, consent management, DPIA workflows, or statutory breach notification. Responsibility for GDPR compliance, and for the legal assessments it requires, remains with your organisation and its DPO.

More frameworks

One platform, every standard you answer to.

GDPR is one of several frameworks built in — and you can add your own. More framework guides are on the way.

See your privacy programme the way it should look.

Book a personalised walkthrough — we'll demo your records of processing, data map, processor oversight and security of processing on data shaped like yours.