GDPR · 15 RECURRING ACTIVITIES

GDPR Compliance Calendar — Articles 30, 32, 35 in operating mode

GDPR is not a one-and-done program — Articles 24, 30, 32, 33, 35 all imply continuous obligations. This calendar maps every recurring GDPR activity, including the rule that breaks most teams: 72-hour breach notification.

Cadence mix: 2× Monthly · 3× Quarterly · 1× Every 6 months · 6× Annually · 3× Event-triggered
Who this is for
  • Controllers + processors handling EU/UK personal data
  • Data Protection Officers (mandatory or voluntary)
  • SaaS companies with EU customers — subject to GDPR via Article 3(2)
Typical effort
Plan for a designated DPO or Privacy Lead. The major efforts are the annual RoPA refresh and any change that triggers a DPIA.

The calendar

Monthly (2)

DSAR queue + SLA monitoring
DSAR
Track all access / erasure / portability / restriction / objection requests. Default deadline is one month from receipt; Art. 12(3) allows two further months for complex or numerous requests, but the data subject must be told of the extension (with reasons) within the first month.
Reference
Art. 12, 15–22
Owner
DPO + Privacy ops
Effort
Variable
Evidence
DSAR ticket log
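The SLA monitoring described above is easy to get wrong at month ends (a request received on 31 January is not due on "31 February"). The following Python script is an added example, not code from the original calendar or from the ComplianceIQ product: it computes the Art. 12(3) response and extension-notice deadlines for a constructed ticket queue and flags overdue tickets. The ticket fields, the seven-day "due soon" threshold and the sample tickets are assumptions; the month-arithmetic convention follows Regulation 1182/71 and ICO guidance (same day of the following month, or the last day of that month if the day does not exist).

```python
"""DSAR SLA monitor (added example): compute Art. 12(3) deadlines and flag the queue."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


# Hypothetical ticket shape; the page's "DSAR ticket log" fields are not specified.
@dataclass
class Dsar:
    ticket_id: str
    request_type: str          # access / erasure / portability / restriction / objection
    received: date             # day the request reached the controller
    extended: bool = False     # Art. 12(3) two-month extension invoked (complex/numerous)
    closed: Optional[date] = None


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` later.

    Convention (Regulation 1182/71 / ICO guidance): a period in months ends on the
    same day-of-month in the target month; if that day does not exist (31 Jan + 1
    month), it ends on the last day of the target month.
    """
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def response_deadline(dsar: Dsar) -> date:
    """One month from receipt, or three months in total if the extension was invoked."""
    return add_months(dsar.received, 3 if dsar.extended else 1)


def extension_notice_deadline(dsar: Dsar) -> date:
    """Art. 12(3): the data subject must be told about an extension within one month of receipt."""
    return add_months(dsar.received, 1)


DUE_SOON_DAYS = 7   # assumed internal warning threshold, not a statutory figure


def ticket_status(dsar: Dsar, today: date) -> str:
    """Classify a ticket relative to its statutory deadline."""
    due = response_deadline(dsar)
    if dsar.closed is not None:
        return "closed-on-time" if dsar.closed <= due else "closed-late"
    days_left = (due - today).days
    if days_left < 0:
        return "OVERDUE"
    if days_left <= DUE_SOON_DAYS:
        return "due-soon"
    return "open"


def sla_report(queue: List[Dsar], today: date) -> List[dict]:
    """One row per ticket, overdue first, ready to drop into the monthly evidence log."""
    rows = []
    for d in queue:
        rows.append({
            "ticket": d.ticket_id,
            "type": d.request_type,
            "received": d.received.isoformat(),
            "deadline": response_deadline(d).isoformat(),
            "status": ticket_status(d, today),
        })
    order = {"OVERDUE": 0, "due-soon": 1, "open": 2, "closed-late": 3, "closed-on-time": 4}
    return sorted(rows, key=lambda r: order[r["status"]])


# Constructed sample queue (not real tickets), evaluated on an assumed "today".
SAMPLE_QUEUE = [
    Dsar("DSAR-001", "access", date(2024, 1, 31)),                            # 31 Jan -> 29 Feb (leap year)
    Dsar("DSAR-002", "erasure", date(2024, 2, 10), extended=True),            # extension -> 10 May
    Dsar("DSAR-003", "portability", date(2024, 2, 20)),                       # due 20 Mar
    Dsar("DSAR-004", "objection", date(2024, 1, 5), closed=date(2024, 2, 9)), # closed after 5 Feb deadline
]

if __name__ == "__main__":
    for row in sla_report(SAMPLE_QUEUE, today=date(2024, 3, 15)):
        print(row)
```

Run it monthly against an export of the real ticket log; the sorted report (overdue first) is the evidence artefact, and any "closed-late" row is a finding to record and explain.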
Sub-processor change watch
Sub-processor
Track changes in sub-processor list per Art. 28(2). If contract requires advance notice (typ. 30d), trigger customer notification.
Reference
Art. 28
Owner
DPO + Procurement
Effort
1–2 hrs
Evidence
Sub-processor register + notice log

Quarterly (3)

Article 30 RoPA spot-update
Records
Refresh records for any new processing activities, retention changes, recipient changes, transfer changes.
Reference
Art. 30
Owner
DPO
Effort
4 hrs
Evidence
Updated RoPA
Tier-1 processor reassessment
Vendor
Refresh DPA, SCCs / TIA, security attestation for high-risk processors.
Reference
Art. 28, 32
Owner
DPO + Security
Effort
4–6 hrs
Evidence
Updated processor file
Consent / cookie banner audit
Cookies / Consent
Verify banner reflects current trackers, default-off non-essential, granular controls, withdraw-as-easy-as-give.
Reference
Art. 4(11), 6(1)(a), 7; ePrivacy
Owner
Marketing + DPO
Effort
2–3 hrs
Evidence
Banner audit log

Every 6 months (1)

Article 32 controls testing
Resilience
Validate state-of-the-art technical + organisational measures: encryption at rest/transit, access, backup integrity, restoration test.
Reference
Art. 32
Owner
Security
Effort
8–16 hrs
Evidence
Controls test report

Annually (6)

Article 30 RoPA full refresh
Records
Both controller (30(1)) and processor (30(2)) records reviewed end-to-end with each business unit. Auditable on request from supervisory authority.
Reference
Art. 30
Owner
DPO + Business owners
Effort
16–32 hrs
Evidence
Refreshed RoPA
DPIA inventory review
Risk / DPIA
Review all completed DPIAs; refresh those with changed processing; trigger new DPIAs for high-risk new processing.
Reference
Art. 35
Owner
DPO
Effort
8–16 hrs
Evidence
DPIA register
Privacy notice / Article 13–14 disclosures review
Privacy Notice
Refresh purposes, lawful bases, retention, recipients, transfers, rights. Re-publish.
Reference
Art. 13, 14
Owner
DPO + Legal
Effort
4–8 hrs
Evidence
Updated privacy notice
GDPR awareness training
Training
All staff with access to personal data — content covers DSARs, breach reporting, lawful bases, sub-processor onboarding.
Reference
Art. 39(1)(b)
Owner
DPO + HR
Effort
4 hrs admin
Evidence
Training records
Transfer impact assessment refresh (Schrems II)
Transfers
For each non-adequacy transfer, refresh TIA: laws of recipient country, technical safeguards, supplementary measures.
Reference
Art. 46, EDPB Recommendations 01/2020
Owner
DPO + Legal
Effort
8–16 hrs/transfer
Evidence
TIA + SCCs
Breach notification tabletop
Breach
Drill the 72-hour clock: detect → contain → assess → notify SA → notify data subjects (if high risk).
Reference
Art. 33, 34
Owner
DPO + Security
Effort
4 hrs
Evidence
Tabletop after-action report

Event-triggered (3)

Personal data breach — notify within 72h
Breach
Notify the supervisory authority without undue delay and, where feasible, within 72h of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; a notification made after 72h must give reasons for the delay (Art. 33(1)). Notify data subjects without undue delay where the breach is likely to result in a high risk to them (Art. 34).
Reference
Art. 33, 34
Owner
DPO + Incident lead
Effort
Variable
Evidence
Breach record + notifications
New high-risk processing — DPIA before launch
DPIA
Required before processing starts whenever it is likely to result in a high risk, and in particular (Art. 35(3)) for: systematic and extensive profiling or automated decisions with legal or similarly significant effects; large-scale processing of special-category or criminal-offence data; large-scale systematic monitoring of a publicly accessible area; plus anything on the supervisory authority's Art. 35(4) list.
Reference
Art. 35
Owner
DPO + Project lead
Effort
16–32 hrs
Evidence
DPIA
New sub-processor onboarding
Sub-processor
DPA in place, security review, customer notice per controller contract.
Reference
Art. 28
Owner
DPO + Procurement
Effort
4–8 hrs
Evidence
DPA + due diligence

Pitfalls — where teams actually fail

Want this calendar mapped to YOUR controls?

Drop your existing GDPR policy or upload a draft — ComplianceIQ scores it against the framework and produces a 0–100 audit, gap-by-gap with the cadence work you're missing.


What happens when the cadence slips — real GDPR actions

  • €1.2B · Meta Platforms · 2023
  • €746M · Amazon Europe Core · 2021
  • €345M · TikTok · 2023

FAQ

Do we need a DPO under GDPR?
Required by Art. 37 if you are a public authority, your core activities involve large-scale systematic monitoring, or large-scale processing of special-category data. Many SMBs designate a Privacy Lead voluntarily — same calendar applies.
Is annual RoPA refresh formally required?
Article 30 doesn't set a frequency, but supervisory authorities expect records to be 'kept up to date.' Annual full refresh + quarterly spot-update is the working norm.
How does this calendar overlap with the UK GDPR / DPA 2018?
Almost identical. UK GDPR + DPA 2018 mirror the EU framework; this calendar applies. Differences are mainly around regulator (ICO vs SAs) and minor age-of-consent / law enforcement rules.
What changes under EU AI Act / Data Act for ongoing GDPR cadence?
Both add new obligations on top of GDPR (e.g. AI Act Art. 26 deployer obligations, FRIA for some high-risk uses). Privacy programs increasingly fold AI inventory + DPIA-FRIA hybrid into this same calendar.
