Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Create a new companyCompliance settings overviewGeneral compliance settingsCompliance notificationsBrowse companiesEdit a companyBrowse audiencesCreate an audienceEdit an audienceBrowse organizational unitsCreate an organizational unitEdit an organizational unitTags overviewEdit tagsCompliance sharing settingsApplicable laws and regulationsfilerskeepers integrationTime machine settingsCompany widget settingsIGDTA compliance settings
Identity and access management
IT Settings
Risk Settings

Applicable laws and regulations

Select which laws and regulations apply to your organization.

Applicable Laws and Regulations

The Applicable Laws and Regulations screen is the place where you tell DPMS which data protection frameworks your organisation must comply with. Think of it as your compliance baseline: once you declare that, say, the GDPR, Brazil's LGPD, and the UK GDPR all apply to you, every other part of the platform — from your Records of Processing Activities to your compliance gap assessments — knows which legal obligations are in scope. This screen is typically managed by the Data Protection Officer (DPO), compliance officers, or risk managers, and it is one of the first things you should configure in a fresh DPMS instance.

How to open it

Navigate to Main menu → Settings → General Settings → Applicable Laws in the left-hand sidebar. The screen lives at the top of the General Settings navigation panel, immediately below the General item, which reflects just how foundational this configuration is.

You need the Compliance Settings – Applicable Laws (read) permission to view the screen. To make changes, you also need the Compliance Settings – Applicable Laws (edit) permission. If you do not hold the read permission at all, you will see a "403 Forbidden" page instead of the screen content.

What you see

When you arrive at the screen, you see the standard DPMS two-column layout. On the left, a narrow sidebar labelled General Settings lists all the items in the Compliance Settings area — including General, Applicable Laws, Attributes, Status, Departments, Organisational Units, and more — with Applicable Laws highlighted as the active item.

The main content area on the right holds a clean white card. At the top of that card, the heading Applicable Laws appears in bold, with a small pencil (edit) icon to its right. Below the heading, each configured law appears on its own row: the country name on the left (preceded by a filled blue circle with a checkmark) and the name of the specific regulation on the right, rendered as a clickable link.

Just above the content card, a breadcrumb trail reads General Settings › Applicable Laws, and chevron arrows let you step forward and back through adjacent settings screens without returning to the menu.

If no laws have been configured yet, the card body is simply empty — there is no placeholder message in the read-only view.

Working with this screen

Setting up your applicable laws for the first time

If your organisation has just deployed DPMS, the list will be empty. Before you document any processing activities or run assessments, you should populate this screen.

  • Click the pencil icon to the right of the "Applicable Laws" heading. This takes you to the edit form.
  • On the edit form, you will see a multi-select dropdown labelled Select the countries and their applicable laws. The dropdown is pre-populated with whatever is already saved — nothing, in this case.
  • Click into the dropdown and start typing a country name (for example, "Germany" or "United States"). The list filters as you type. Click the entry you want to select it; it will appear as a tag inside the input field. Repeat this for every country and regulation that applies to your organisation.
  • Once you have added all the relevant laws, click Save in the top-right corner of the form. DPMS sends your selection to the backend, and on success you are returned to the read-only view, where your newly configured laws appear as a list with blue checkmark icons and clickable links.

From this point forward, every part of DPMS that needs to know your legal framework — ROPA records, compliance assessments, DPIA workflows — has a reference point to work from.

Adding a law after expanding into a new jurisdiction

Your organisation has opened a new office in Switzerland and now has UK customers. You need to add Switzerland's new Federal Act on Data Protection (nFADP) and the UK GDPR.

  • Navigate to General Settings → Applicable Laws and click the pencil icon.
  • The edit form opens with your existing laws already shown as tags in the dropdown — for example, a "Germany – GDPR" tag.
  • Click into the dropdown, type "Switzerland", and select the Swiss entry when it appears. Then type "United Kingdom" and select the UK GDPR entry.
  • Click Save. The index view now shows your original law plus the two new ones — five rows instead of three, each with the blue checkmark and a clickable link to the official regulation text.
Tip: The dropdown is searchable in your current interface language. If you cannot find a law by the English name, try the local language equivalent — for example, "Datenschutzgesetz" for Swiss German.

Removing a law that no longer applies

Your organisation has wound down its operations in a particular country and is no longer subject to that country's data protection framework.

  • Click the pencil icon to open the edit form.
  • In the multi-select dropdown, locate the tag for the law you want to remove. Click the × on that tag to deselect it.
  • Click Save. The PUT request is sent with the reduced set of law IDs. The index view now shows one fewer entry.
Heads up: There is no confirmation dialogue before saving an empty or reduced list. If you accidentally remove all laws and click Save, all applicable laws will be cleared from your configuration. The only way to recover is to re-open the edit form and re-select the appropriate laws. Take care, especially if you are removing multiple entries at once.

Reviewing the current list (read-only access)

A junior compliance team member or an internal auditor wants to verify which frameworks are in scope before drafting a report — but they do not need to make any changes.

  • Navigate to General Settings → Applicable Laws. The read-only view loads, showing all currently configured laws.
  • For each entry, the law name appears as a clickable link. Click any law name to open the official text or reference page for that regulation in a new browser tab — useful for verifying the exact scope of an article or checking the current status of a framework.
  • The pencil icon is visible but greyed out. Hovering over it shows a tooltip explaining that you do not have edit permission. This is expected behaviour — it signals that editing is possible in principle, just not for your current role. The screen is perfectly usable for review and documentation purposes in this state.

Field reference

The edit form has a single main input:

  • Select the countries and their applicable laws — A multi-select, searchable dropdown. Click into it and type a country name or a law name to filter the available options. Select one or more entries; each selected entry appears as a removable tag. The options list is drawn from the full DPMS catalogue of laws, which covers over 170 country codes including all EU member states, the UK, USA, Brazil, Argentina, Canada, South Africa, Japan, Australia, Singapore, and many others. This field is not technically required — you can save an empty selection — but leaving it empty means DPMS has no legal reference frame for your organisation. The dropdown labels appear in your current interface language; if a translation is not available for a particular law, the system falls back to the default language.

How this connects to the rest of DPMS

The applicable laws you configure here act as a foundation for several other areas of the platform:

  • Records of Processing Activities (ROPA): When you document a processing activity and select the legal basis, DPMS references your applicable laws to determine which frameworks and obligations are relevant. Without this configured, you are working without a legal reference frame.
  • Compliance gap assessments: Any automated or semi-automated gap analysis in DPMS measures your organisation's posture against the laws you have declared in scope here. A missing law means a missing assessment dimension.
  • Data Protection Impact Assessments (DPIAs): DPIA workflows can reference applicable frameworks to ensure the right obligations are captured. The correct laws configured here prompt the system to surface the right requirements.
  • Audit documentation exports: When DPMS generates documentation packages for regulators or internal audits, the list of applicable laws is included as a foundational declaration of scope — "here are the frameworks this organisation operates under."
  • The MCP AI agent: The DPMS AI features can query the applicable laws settings to understand which regulatory frameworks are active for your organisation, enabling more accurate automated guidance.

After finishing this screen, we recommend moving to the General Settings item (just above Applicable Laws in the sidebar) to review your overall compliance configuration, and then to Attributes, Status, and Organisational Units to complete your baseline setup before you start creating ROPA records or running assessments.

Tips & common pitfalls

Heads up: Saving an empty selection removes all configured laws with no undo prompt. Always double-check your tags before clicking Save, particularly if you have been editing a long list.
Tip: The edit button is visible but greyed out for users who only have read permission. If colleagues report that the button appears "broken" or "inactive", this is almost always a permissions question — they can view but not edit. Check their role assignment rather than the configuration itself.
  • Law names are locale-aware. Two users with different interface languages may see slightly different labels for the same law in the dropdown. This is normal — they are selecting the same underlying law record, just with a translated label. The saved result is identical regardless of interface language.
  • The full law catalogue loads on every visit to the edit form. If your DPMS instance has a large catalogue of supported laws, the first load of the edit form may take a moment longer than other settings screens. This is expected behaviour; there is no lazy loading or pagination.
  • Unsaved changes may persist within the same browser session. If you open the edit form, make changes, then navigate away without saving, and return to the edit form in the same session, the dropdown may still show your unsaved changes rather than the database state. To reset to the saved state, perform a hard reload of the edit page (typically Ctrl+Shift+R or Cmd+Shift+R).
  • Only law IDs are stored, not display labels. When you save, DPMS stores a list of law identifiers. The names you see in the read-only view are looked up fresh from the law catalogue each time the page loads. If the catalogue is updated centrally (for example, a regulation is renamed), your read-only view will automatically reflect the new name without any action on your part.
  • The law hyperlinks may occasionally be inert. If a law in the catalogue does not have an official URL on record, clicking its name in the read-only list will do nothing. Both linked and unlinked laws appear identically as styled text — there is no visual difference between the two.


Was this article helpful?

English
Powered by Product Fruits