Solutions · GDPR

Prove GDPR compliance to any regulator, without it consuming your team.

GDPR is an accountability regime: it is not enough to comply, you have to show it, on demand, while your processing keeps changing underneath you. Acuna runs GDPR as a live programme. Your records of processing stay current, your DPIAs and processor checks come from one connected record, data subject requests are handled on time, and the evidence a regulator asks for already exists. Hosted in Switzerland.

Swiss-hosted privacy dataGDPR, Swiss FADP, and UK GDPR on one record50+ frameworks on one core

HOW ACUNA HELPS WITH GDPR

Acuna is GDPR compliance software built into a wider GRC platform. It keeps your records of processing activities (ROPA) current, runs data protection impact assessments, processor assessments, and transfer assessments from one shared record, handles data subject requests through a dedicated intake, and lets you scope a breach inside the 72-hour window. Because it maps to 50+ frameworks on one core, the same processing activity can carry GDPR, Swiss FADP, and UK GDPR with independent legal bases, and privacy connects to the controls, risk register, and vendor records the rest of your programme already uses. Privacy data is hosted in Switzerland.

Stop running GDPR as an annual scramble.

For most teams, GDPR lives in spreadsheets and a privacy tool that talks to nothing else. The ROPA is current the day it is approved and stale by the next meeting. DPIAs, processor agreements, and transfer assessments are filled in separately each time. Data subject requests arrive in a shared inbox. And when a regulator or an auditor asks, the evidence gets reconstructed by hand. The cost is not just time; it is the risk of an answer you cannot defend. Acuna closes the gap between what you have documented and what is actually true, and keeps it closed.

The four core panes, plus the two extensions GDPR needs.

Each component below does a specific GDPR job. The detail lives on its own page; this is the GDPR-specific path through each one.

Map GDPR's requirements, including the Article 32 security obligations, to your controls once, and see them reflected across every other framework you operate, so you are not maintaining a separate GDPR crosswalk by hand.

Attach owners and evidence to your GDPR controls and records, so the Article 30 records, the Article 28 processor agreements, and the Article 32 measures are not just written down but owned, evidenced, and current.

Run review cycles on processing activities, recurring assessment reviews, and breach readiness on a cadence, so your programme stays current between audits instead of drifting.

Pull the Article 30 export, the DPIA records, the breach log, and the evidence of accountability as a report, not a reconstruction, when the supervisory authority or an auditor asks.

Framework-specific extension
Data PrivacyExtension

The privacy operations module: processing activities recorded with their data subjects, assets, processors, and legal bases together; DPIA, processor, and transfer assessments drawn from that shared context; data subject requests handled through a dedicated intake; and breach impact traced across the connected records.

GDPR makes you responsible for the processors you use. Score and assess them, monitor their security continuously, and keep the documented due diligence Article 28 expects, on the same vendor record your security programme already uses.

What a live programme unlocks, and what the scramble costs.

What a live GDPR programme unlocks vs What the scramble costs
What a live GDPR programme unlocksWhat the scramble costs
Accountability you can show: records, owners, evidence, and history on one connected system, so the regulator pack already exists when asked.A ROPA that is out of date the moment a new processing activity starts.
A ROPA that reflects today's processing, not the state it was in at the last annual review.Evidence reconstructed by hand each time a regulator, auditor, or enterprise buyer asks.
GDPR, Swiss FADP, and UK GDPR governed on one record with independent legal bases, rather than duplicate workspaces that drift apart.Data subject requests that miss the one-month deadline when the inbox is a shared mailbox.
Breach readiness: scope and notify inside 72 hours because the connected records show which systems, individuals, and processors are affected.A 72-hour breach window that is too tight to scope without connected records.

We will not quote you an invented ROI figure. The real calculation is the regulator or auditor request that arrives next quarter, and whether the answer is a report you already have or a reconstruction that takes a week.

Run your own numbers.

GDPR Art. 83 sets the fine ceiling at the higher of a fixed floor or a percentage of global annual turnover. Use your own revenue below to see your exposure, anchored against real enforcement decisions.

Your organisation

Annual global revenue

EUR / CHF approximately at parity for Swiss organisations

€ 50M

€1M€5B

Your maximum fine exposure

Art. 83(5) — serious violations

Basic principles · lawful basis · data subject rights · international transfers

€20M

max(€20M, 4% of global annual turnover)

Art. 83(4) — procedural violations

Processor obligations · DPO requirements · data protection by design

€10M

For scale — real Art. 83(5) enforcement decisions

H&M

Hamburg DPA · 2020 · Inadequate legal basis for processing employee data

€35M

WhatsApp / Meta

Ireland DPC · 2021 · Transparency and information obligations (ROPA)

€225M

Meta

Ireland DPC · 2023 · Unlawful data transfers to the US (SCCs)

€1.2B

Acuna starts from

CHF 5'388 / year — connected privacy, risk, and compliance

3.7K×

your Tier 2 cap

These are the legal maximums under Art. 83 GDPR, not predictions. Actual fines depend on severity, duration, cooperation, previous violations, categories of personal data, and supervisory authority discretion. Fine amounts are in EUR as defined in GDPR Art. 83. Reference fines are publicly documented (GDPR Enforcement Tracker). Use this to frame the board conversation, not to quantify your specific exposure.

Swiss-hosted, connected, and built by operators.

Privacy data is hosted in Switzerland, which matters when data residency is part of the compliance question rather than an afterthought. The processors in your ROPA are the same vendors your third-party risk programme assesses. Your DPIA risks belong in the same risk register as everything else. GDPR that connects to the rest of your programme is GDPR you can keep current and defend, rather than a separate tool to reconcile at audit time.

  1. Swiss-hosted privacy data. Data residency is part of the compliance answer, not a side note.

  2. Connected, not a silo. Vendors, controls, and risk records are shared across your whole programme.

  3. GDPR, Swiss FADP, and UK GDPR on one record with independent legal bases and review cycles.

  4. Built for DPOs, compliance leaders, and CISOs by practitioners who have operated privacy programmes.

  5. 50+ frameworks on one core. One organisation price, no per-seat fees.

GDPR: common questions.

GET STARTED

See GDPR run as a live programme.

Bring a real processing activity, a real processor chain, or a real audit scenario, and we will show how Acuna handles it.