GDPR · Regulation (EU) 2016/679

Data protection, done right: GDPR compliance

GDPR sets the global benchmark for privacy. Normado generates your privacy policy, data processing register, and DPA templates, maps all 27 key GDPR requirements, and tracks your data subject requests — so privacy is a process, not a panic.

First 100 customers get all Enterprise features at €49/mo for year one.


Example GDPR dashboard (app.normado.io/gap-analysis, GDPR · Live Compliance)
  • GDPR requirements covered: 25 / 27
  • Privacy policies approved: 6 / 6
  • Data subject requests handled: 14
  • Records of processing activities: 31

What GDPR actually requires

Three pillars, plain language

GDPR applies to any organization processing personal data of people in the EU — regardless of where the organization is based. The core is simple: have a lawful basis, be transparent, protect the data, and give people control.

1. Lawful basis & transparency

Every processing activity needs a documented lawful basis (Article 6) and a privacy notice explaining what you do and why (Articles 13-14). No lawful basis = no processing.

2. Records of Processing Activities (RoPA)

Under Article 30, most organizations must maintain a documented inventory of processing activities — categories of data, purposes, retention, recipients, cross-border transfers.

3. Data subject rights & breach response

People have rights (access, rectification, erasure, portability, objection) with 30-day response windows. Breaches must be reported to the supervisory authority within 72 hours of awareness.

Want the full breakdown? Read our GDPR security policies checklist.

How Normado covers it

Built end-to-end for GDPR

  • Privacy notice & internal policy generation: privacy notice for your website, plus internal data protection policy, incident response, and retention schedule — all grounded in your actual data flows.
  • Records of Processing Activities (RoPA): Article 30 register structured exactly as supervisory authorities expect — processing purposes, categories, recipients, international transfers, retention periods.
  • Data Processing Agreement (DPA) templates: Article 28-compliant DPA templates for your processors, including SCC mappings for third-country transfers post-Schrems II.
  • Data subject request workflows: structured intake for access, rectification, erasure, and portability requests with automatic 30-day timers and audit trail.
  • 72-hour breach response playbook: pre-wired notification templates for your supervisory authority and data subjects, aligned to Articles 33-34 timelines.

Example org compliance: 93% GDPR
  • Policies: 25 / 25
  • Controls: 23 / 25
  • Risks: 22 / 25
  • Evidence: 23 / 25

A living platform, not a one-off project

What ongoing compliance looks like

Consultants deliver a snapshot in time — then you maintain it yourself, re-engage every year, and answer auditor questions from static Word docs. Normado is the living system underneath: always current, always auditable, owned by your team.

Consultant engagement

€15,000 – €50,000
6 – 12 months per cycle
  • Tailored through months of interviews and workshops
  • Static deliverables you maintain yourself afterward
  • Evidence collection, version control, audit prep on you
  • Re-engage every year for refreshes and new frameworks
  • Expertise leaves when the engagement ends

Normado platform

€49 – €299 / month
Audit-ready in weeks
  • AI-generated policies tailored to your org in minutes
  • Gap analysis, risk register, and controls all in one place
  • Evidence management with expiry tracking built in
  • Always current — new frameworks and requirements rolled out automatically
  • Your team owns the system, always audit-ready

Frequently asked

GDPR questions we hear most

Does GDPR apply to my company?
GDPR applies if you (a) are established in the EU and process personal data, or (b) are outside the EU but offer goods/services to EU residents or monitor their behavior (Article 3). Most SaaS companies with any EU users are in scope.
Do I need a Data Protection Officer (DPO)?
A DPO is mandatory if you are a public authority, your core activities require large-scale systematic monitoring (e.g. behavioral advertising, health platforms), or you process special categories at large scale (Article 37). Most SMBs do not need a DPO but must still designate someone responsible for GDPR.
What counts as a "personal data breach"?
A breach is any security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data (Article 4(12)). Not every incident qualifies — a phishing attempt that failed is not a breach; a successful credential theft typically is.
What is the fine exposure?
Tiered fines: up to €10 million or 2% of global turnover for administrative failures, and up to €20 million or 4% of global turnover for core principle violations (whichever is higher). Most real-world fines land well below these caps, but the reputational impact often exceeds the monetary one.
Does Schrems II still matter?
Yes. Transfers of personal data to countries without adequacy decisions still require Standard Contractual Clauses (SCCs) plus a Transfer Impact Assessment (TIA). The EU-US Data Privacy Framework (2023) restored adequacy for the US, but only for organizations self-certified under it — and ongoing legal challenges mean the situation remains fluid.
Does Normado also cover ISO 27001, DORA, NIS2, SOC 2?
Yes — all five frameworks are supported in Professional and Enterprise tiers. GDPR technical measures (Article 32) overlap strongly with ISO 27001 Annex A. See our ISO 27001, DORA, NIS2, and SOC 2 pages.

Make GDPR a process, not a panic

Join the waitlist and be the first to get access. First 100 customers get all Enterprise features at €49/mo for year one.

No credit card required. Cancel anytime.
