Privacy management is the workflow for handling your privacy obligations under GDPR and ISO 27701 — the record of processing activities, data subject requests, DPIAs, balance tests, and the privacy notices you publish.
🆕 What's new: Privacy management brings together what used to be spread across themed lists. Your existing data sources, DPIAs, and processing records are all here, exactly as they were — just on one focused page.
When this workflow appears
Privacy management is visible when GDPR or ISO 27701 is active among your frameworks. Activate either and the workflow appears in the Workflows list on the Dashboard. Deactivate both and it returns to the framework-specific catalogue, where you can re-enable it at any time.

Setting it up
Privacy management is a framework-specific workflow — there's no separate guided setup. The workflow is available directly; configuration (owner, privacy documentation, related tasks) is handled inline on the page when relevant.
What's on the page
Main metrics
A single trend line: your ISO 27701 / GDPR compliance score over time, sourced directly from the compliance view. This is the one metric the workflow optimises against — there are no separate operational counters for privacy management.
Documentation
The documentation that backs your privacy practice, organised into two groups:
Assets
- Data stores — where personal data lives
- Data sets — the specific collections you handle
Records
- DPIAs — Data Protection Impact Assessments
- Balance tests — legitimate-interest assessments
- Consent assessments — records of consent obtained
Each documentation row shows the total item count, items still to work on, the related ISMS theme, and the responsible owner.
Tasks
Below the documentation, the workflow page lists the operational tasks tied to privacy — DPO appointment, processing-activity listing, data-protection partner oversight, breach-handling routines. Each task shows its theme, status (Untreated / Partly done / Mostly done / Fully done), owner, priority (Low / Normal / High / Critical), and due date.
Reports
The audit-ready outputs Privacy management produces:
- Records of Processing Activities — the GDPR Article 30 register
- Privacy Notices — the notices published to data subjects
- Data Protection Impact Assessments — completed DPIAs with outcomes
- Data Processing Partners & Agreements — processors and their contracts
Reports refresh from your live data, so they're always current.
How it connects to other workflows
Data stores and data sets surface in Asset inventory. Data processors are simultaneously suppliers in Supplier management — when GDPR is active, your processors show up in both workflows. Privacy risks (e.g. a high-risk processing activity flagged by a DPIA) often become entries in Risk management.