Introduction
The General Data Protection Regulation (GDPR) is the European Union’s data privacy law, in effect since May 2018. It reshaped how organizations collect, store, and process personal data, introducing strict requirements around transparency, accountability, and individual rights.
Why does it matter? Because GDPR doesn't just warn; it enforces. Fines can reach €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher. Beyond fines, GDPR has become a measure of trust: customers and partners increasingly expect organizations to take privacy seriously.
Who does it apply to?
- Public and private organizations established in the EU that process personal data, regardless of where the processing itself takes place.
- Organizations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour (Article 3).
- Controllers (who determine how and why personal data is processed) and processors (who process data on behalf of controllers); both carry direct obligations under the regulation.
Enforcement landscape
Each EU member state has its own supervisory authority, such as the CNIL in France or the Data Protection Commission in Ireland. (The UK's ICO enforces the UK GDPR, a separate regime the UK retained after leaving the EU, so it is no longer an EU supervisory authority.) These bodies oversee compliance, investigate complaints, and issue penalties. While GDPR is an EU-wide regulation, it leaves room for national laws to fill in the details, so exact requirements can vary slightly from country to country. To navigate this landscape effectively, organizations should keep a few things in mind:
- Identify your lead authority: If you carry out cross-border processing from establishments in several EU countries, you will usually deal with a single "lead" authority, the one in the country of your main EU establishment (the "one-stop shop"). Without an EU establishment there is no lead authority, and each national authority may act on its own.
- Check local variations: Some areas are left to member states' discretion (e.g. the minimum age for children's consent, which Article 8 sets at 16 but allows member states to lower to 13). Always confirm the specific requirements where you operate.
- Leverage regulator guidance: Supervisory authorities don't just enforce; they publish helpful guidance, templates, and FAQs.
- When in doubt, document: Regulators value evidence of effort. If you face uncertainty, record your interpretations and decisions, and the reasoning behind them.
Starting the GDPR journey: Key Considerations
Starting your GDPR journey can feel overwhelming, but breaking it into clear steps makes it manageable. Here are some key considerations and questions to guide you:
- Data inventory: What personal data do you collect, where is it stored, and who has access to it?
- Purpose and legal basis: Why do you process this data, and which of the Article 6 lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) supports each purpose?
- Third-party relationships: Which vendors or partners process data for you? Do you have the written processing agreements Article 28 requires?
- Privacy notices: Are your policies clear, transparent, and accessible to individuals?
- Data subject rights: How do you handle requests from individuals (access, rectification, erasure, portability, objection), and can you respond within the one-month deadline?
- Risk assessment: Have you identified high-risk processing activities that may require a Data Protection Impact Assessment (DPIA)?
- Incident response: Can you detect and respond to breaches quickly, and do you have a plan to notify the supervisory authority within 72 hours of becoming aware of a breach, and affected individuals where the risk to them is high?
- Governance: Who is responsible for data protection within the organization (e.g., a Data Protection Officer)?
How Eramba Supports GDPR Compliance
Eramba wasn’t built around GDPR—or any single regulation. Instead, it’s a flexible GRC platform designed to adapt to many frameworks. That flexibility is its strength: you can structure GDPR activities directly within Eramba and keep them tightly integrated with your broader compliance and risk program.
Records of Processing Activities (ROPA)
Under Article 30 of the GDPR, organizations must maintain detailed records of their processing activities. In Eramba, this is supported through the Data Flows module, which lets you map how personal data is collected, transmitted, stored, or discarded across your organization. Alongside each flow, you can capture related risks, controls, and third parties—giving you a holistic view of data handling. Here’s how it works:
- Start with Data Assets
In the Assets module, create entries for the personal data you process (e.g., invoices, employee records, credit card data). Only assets tagged as "Data Asset" will appear in the Data Flow module.
- Create Data Flows
Each data asset can have multiple flows, describing different points in its lifecycle (collection, storage, transmission, deletion, etc.). For every flow, Eramba provides a form with the following tabs:
  - General: Describe the flow in plain terms.
  - Risk Management: Link the flow to the risks that affect it.
  - Mitigating Controls: Link the flow to the controls, policies and projects that mitigate those risks.
  - GDPR: Capture the attributes Article 30 requires of a record of processing (purposes, categories of data subjects and personal data, recipients, transfers outside the EU, retention periods, security measures). Helpful extracts from the GDPR text are included to guide you on what's expected.
Data Protection Impact Assessments (DPIA)
Under Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms. At first glance, a DPIA may look like a standard enterprise risk assessment, but the two are not the same:
- Enterprise risk assessments focus on risks to the organization, such as financial loss, business disruption, or reputational damage. The perspective is inward: How do these risks affect us?
- DPIAs focus on risks to individuals. The perspective is outward: How might our processing harm people's privacy, freedoms, or rights?
Eramba doesn’t have a “DPIA module” out of the box. Instead, you can perform DPIAs using the Risk Management module. The module is flexible enough to support DPIAs because it already allows you to:
- Define the risk that a processing activity poses to individuals.
- Assess its likelihood and potential impact (this time focusing on individuals rather than the organization).
- Record the mitigation measures you'll take, from internal controls to organizational policies.
- Assign owners and ask for reviews.
A few words of caution here: if you choose to use Eramba’s Risk Management module for DPIAs, keep in mind:
- It won't hand you a DPIA template. You'll need to adapt the module to frame risks from the perspective of individuals' rights.
- Terminology may differ. Eramba speaks in terms of "risks" and "controls," while GDPR talks about "processing," "impacts," and "measures." Be prepared to translate between the two.
- It requires discipline. Because Eramba is highly flexible, the quality of your DPIA depends on how consistently you set up, document, and follow through on your assessments.
In other words: Eramba gives you the infrastructure to run DPIAs, but it won’t do the interpretation for you. That flexibility is powerful, but it means your team must have a clear understanding of GDPR’s DPIA requirements to use the tool effectively.