GDPR without the spreadsheet

Run your GDPR program in one workspace

Records of processing, DPIAs, lawful-basis tracking, data-subject requests, breach timers — wired together so your DPO and your engineers can move at the same speed.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's comprehensive data-protection law. It applies extraterritorially: any organization processing personal data of individuals in the EU/EEA is in scope, regardless of where the organization is located.

GDPR replaces the patchwork of pre-2018 national laws with a single set of obligations and individual rights. It introduces formal records of processing, mandatory breach notification, a 72-hour clock on serious incidents, fines up to 4% of global annual turnover, and a structured set of rights for data subjects (access, rectification, erasure, portability, objection, restriction, automated-decision review).

Who needs to comply

If your organization offers goods or services to people in the EU/EEA, monitors their behavior, or processes their personal data in any capacity, GDPR applies to you. Most B2B SaaS companies fall in scope because their customers' employees or end users live in the EU. UK businesses are subject to a near-identical UK GDPR, and Switzerland's revised FADP follows similar principles.

How episki helps

The platform treats GDPR not as a one-time project but as a continuous program. Article 30 records, DPIAs, DSARs, breach response, sub-processor management, and lawful-basis assessments live in the same workspace as the rest of your security program — so when a control changes, the privacy artifact changes with it.

GDPR outcomes with episki

Quantify the impact security and compliance bring to your business.
Article 30
Records of processing for controllers and processors, kept current as systems change.
72-hour
Breach notification timers and templated regulator/data-subject comms.
0 spreadsheets
Lawful basis, retention, and cross-border transfers live in the platform.

Why teams choose episki for GDPR

Framework-specific automation, collaboration, and reporting in one workspace.
Records of Processing (Art. 30)
Keep a live inventory of every processing activity with lawful basis, categories of data, retention, and transfers.
  • Controller and processor records side by side
  • Versioned changes auditors and DPAs can review
  • Cross-link to vendors (Art. 28 processors) via TPRM
DPIA workflows (Art. 35)
Run Data Protection Impact Assessments where they belong — next to the processing activity they assess.
  • DPIA templates aligned to EDPB guidance
  • Risk treatment plans linked to controls
  • Stakeholder consultation captured in-platform
Data-subject rights (Arts. 12–22)
Intake, identity-verify, fulfill, and track DSARs without leaving the workspace.
  • DSAR intake form on your trust center
  • SLA timers per right type
  • Audit trail of every response

GDPR readiness checklist inside episki

Everything the EDPB expects, available in your trial.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Article 30 records for every processing activity
  • Standard Contractual Clauses for international transfers
  • DPIA templates with risk treatment workflows
  • DSAR intake portal with SLA tracking
  • Breach notification runbook with 72-hour timers
  • Lawful basis assessments per processing activity

GDPR program accelerators

Move from "we should do this" to a running program in weeks, not quarters.
Records of Processing template
Pre-filled rows for common SaaS processing activities, ready to adapt.
Sub-processor list publisher
Publish your Article 28 sub-processors to your trust center with diff notifications.
Breach playbook
Step-by-step runbook for the first 72 hours of a notifiable breach.

Stand up GDPR in days, not quarters

Start the free trial to bring your records, DPIAs, and DSAR queue into one workspace.