Compliance settings overview

Find all compliance configuration screens in one place.

The Compliance Settings area is the configuration backbone of DPMS. Everything from which data protection laws your organisation tracks, to how your teams are structured, to who can access individual records — all of it starts here. Data Protection Officers, compliance managers, IT administrators, and risk managers visit this area regularly to keep the platform's foundational parameters accurate and up to date. Without properly configured compliance settings, many features across DPMS — from ROPA records to DPIAs to audience-based access control — will be incomplete or unavailable.

How to open it

Navigate to the main sidebar and choose Settings, then select Compliance Settings (labelled General Settings inside the left-hand panel). The platform loads the General sub-screen by default.

Each sub-screen requires its own access permission. If you do not have read access to a particular section, that menu item will either be hidden from the navigation list or will display an access-denied page if you navigate there directly. Contact your system administrator if you need access to a section that isn't visible to you.

What you see

The screen is divided into two zones. On the left is a vertical navigation panel headed General Settings, listing every available sub-section as a clickable text link. The currently active section is highlighted. A few items — Standards, for example — have child entries that expand beneath them when you click the parent. The menu only shows items you have permission to access.

On the right is the content area. At the top of this area a breadcrumb bar shows your location: General Settings (clickable, returns you to the default view) → a right-pointing arrow → the name of the current sub-screen in blue. Below the breadcrumb, the content card displays either a read-only summary of the current configuration or an editable form, depending on whether you have clicked the edit button.

Read-only views show labelled fields with their current values and a pencil icon in the top-right corner to open the edit form. Edit forms show the same fields as interactive inputs, a thin blue vertical line on the left edge to indicate unsaved changes, and a Save button at the bottom.

Working with this screen

When you first open DPMS, the General sub-screen will show mostly empty fields. Click General in the left-hand menu. You will see the read-only view with placeholder dashes where values should be.

Click the pencil icon in the top-right corner of the card to open the edit form. In the Data Protection Officer section, select yourself (or your DPO) from the DPO dropdown — this is the only required field on the form. Fill in Contact Email, Contact Phone, and the DPO's address fields as appropriate. Then scroll to the Data Controller section and enter your organisation's legal name in Company, its registered address, the CEO name, and the URLs for your Imprint Link and Privacy Policy Link.

When you are finished, click Save. DPMS sends the data to the server and immediately updates the company name displayed in the top navigation bar. These details may appear in exported compliance reports and privacy notices generated by the platform, so keeping them accurate matters beyond just this screen.

If you do not have edit permission, the pencil icon will be disabled and will show a tooltip explaining the missing permission.

Adding or removing applicable laws

The Applicable Laws sub-screen controls which data protection regulations DPMS actively tracks for your organisation. These laws appear as reference context in ROPA records and DPIA reports, and they inform which regulations your organisation claims to comply with.

Click Applicable Laws in the left-hand menu. The read-only view lists each currently selected law with a blue check-circle icon, the country name, and a clickable link to the law's official text.

To make changes, click the pencil icon. You will see a single multi-select dropdown listing all available country/law combinations. The current selection is already loaded. Search for a country by typing in the search field, then click to add or remove laws. When you are done, click Save.

Heads up: The selection you save completely replaces the previous list. If you accidentally remove a law and save, it will disappear from your tracked regulations immediately with no confirmation step. Double-check your selection before saving.

Configuring the IGDTA for a multi-entity group

If your organisation operates as a group of legal entities, the IGDTA Configuration section lets you set up an Intra-Group Data Transfer Agreement. This configuration determines which company acts as the group representative, which subsidiaries are covered, who administers the agreement, and how many days' notice is required to terminate it.

Navigate to IGDTA Configuration in the left-hand menu. If IGDTA has not yet been set up, you will see a small "uncompleted" indicator next to the menu item. Click the pencil icon to open the edit form.

Click Set as Group Representative to designate the current company as the IGDTA administrator. The button's appearance changes (black background, white text) to confirm the designation. Next, find the list of group companies and toggle the IGDTA Eligible switch for each subsidiary you want to include in the agreement — the label turns blue when enabled. If you are the group representative, you will also see a multi-person selector for Group Representative Administrator (pre-filled with your own account). Finally, review the Termination Notice Period field — it defaults to 30 days, but you can change it to any whole number of 1 or more.

Click Save when ready. DPMS posts the configuration to the server; on success, the "uncompleted" indicator in the menu disappears and the read view shows all your configured values.

Heads up: The edit button is only available to users in the company that is designated as the group representative. If your company is a subsidiary in the group, you will see the IGDTA configuration in read-only mode. To make changes, contact the group representative's administrator.

Creating an audience group for granular record access

Audiences (also called permission groups) are how DPMS restricts access to individual records. Every ROPA entry, DPIA, document, asset, and project can be restricted to one or more named audiences. If no audiences exist, the "Manage Access" option on records cannot limit visibility to specific user groups.

Navigate to Audience Management in the left-hand menu. Click Create Audience in the top-right corner of the screen.

On the General tab, type a name for the audience (for example, "HR Team") and optionally add a description. Click Save — this creates the audience record and unlocks the remaining tabs.

On the Add Companies tab, select the company or companies this audience should apply to, then save. On the Add Users tab, search for and select the employees who should belong to this audience, then save.

Finally, open the Add Permissions tab. Select a company from the Assigned Companies dropdown at the top, then use the permissions matrix to tick the access levels you want: Read Access and/or Write Access for each module (ROPA, TOMs, Assets, DPIAs, Assessments, Documents, Projects, Incidents, Data Subject Requests, Legitimate Interest). Click Save.

Tip: If your audience covers more than one company, you must select each company separately in the Assigned Companies dropdown and configure the permissions matrix for each one before saving. It is easy to configure permissions for one company and forget the others, leaving them with no access at all.

Once the audience is saved, it becomes available in the "Manage Access" option on individual records throughout DPMS.

Enabling the Filerskeepers integration

Filerskeepers is a compliance filing-deadline tracking service. When enabled and configured with jurisdictions, it surfaces regulatory filing deadlines across the platform.

Click Filerskeepers in the left-hand menu (this item may appear under a separate Group Settings area depending on your setup). In the read-only view you will see the current Status (Active or Inactive) and the selected Countries/Jurisdictions.

Click the pencil icon to edit. Toggle the Enable switch on. If the integration is already connected to the Filerskeepers service, a blue check-circle with the label "Connected" will appear. Use the Jurisdictions multi-select dropdown to choose the countries whose filing requirements you want to monitor. Click Save. DPMS updates the integration state immediately. If the integration shows "Disconnected", the jurisdictions selector will be greyed out — contact your IT administrator to complete the service connection first.

Setting up a consulting company relationship

If your organisation works with an external DPO consultancy, or if a parent company needs to access a subsidiary's data in DPMS, you can configure a consulting relationship in the Companies sub-section (accessible via the Group Settings area).

Find the company you want to configure (or click Create to add a new one). In the company edit form, fill in the Name and Country (both required). To establish the consulting relationship, use the Consulting Companies multi-select dropdown to link the relevant partner companies.

Heads up: As soon as you add at least one consulting company, a yellow warning banner appears explaining the bidirectional relationship. This relationship grants users of the consulting company access to this company's records in DPMS. Removing the relationship later requires editing both company records, and previously shared data is not automatically hidden.

Click Save to apply. The relationship takes effect immediately and the consulting company will appear in "Companies Consulted" dropdowns throughout the platform.

Field reference

General sub-screen — Data Protection Officer section

  • DPO — The DPMS user designated as your organisation's Data Protection Officer. Required. Defaults to the currently logged-in user on a new form.
  • Deputy DPO — An optional backup DPO user.
  • Contact Person — A free-text contact name for DPO correspondence.
  • Contact Email — The DPO's email address. Must be a valid email format, maximum 255 characters.
  • Contact Phone — Free-text phone number.
  • Street, Postal Code, City, Country — The DPO's office address. All optional.

General sub-screen — Data Controller section

  • Company — Your organisation's legal name as data controller.
  • Company Description — Optional description of the organisation.
  • Street, Postal Code, City, Country — The data controller's registered address.
  • CEO — Name of the chief executive.
  • Imprint Link — URL to your organisation's legal imprint page.
  • Privacy Policy Link — URL to your published privacy policy.

IGDTA edit form

  • Set / Revoke as Group Representative — Toggle button. Designates or removes the current company as the IGDTA group representative. Must be set before other IGDTA fields have any meaning.
  • IGDTA Eligible (per company) — Toggle switches, one per group company. Enable for each company covered by the agreement.
  • Group Representative Administrator — Multi-person selector. Only shown when the current company is the group representative. Defaults to the logged-in user.
  • Termination Notice Period — Number of calendar days' advance notice required to terminate the IGDTA. Must be a whole number of at least 1. Defaults to 30. The form will not save if this value is below 1.

How this connects to the rest of DPMS

The Compliance Settings area is upstream of almost everything else in the platform. Changes you make here have immediate, platform-wide effects:

  • Applicable Laws feed directly into ROPA records and DPIA reports, providing the regulatory context for every processing activity your organisation documents.
  • Audiences created in Audience Management power the entire record-level access control system. Every ROPA entry, DPIA, document, asset, and project in DPMS can be restricted to one or more audiences. Without audiences, "Manage Access" on those records cannot limit visibility to named user groups.
  • General (DPO/Data Controller details) may appear on exported compliance reports and privacy notices generated by or linked from DPMS.
  • Consulting Companies appear in the "Companies Consulted" dropdown throughout the platform, enabling cross-company visibility for external DPO consultancies or parent entities.
  • IGDTA configuration affects which group companies appear as eligible intra-group transfer recipients in data transfer-related records.
  • Filerskeepers (when enabled with jurisdictions) activates the filing deadline tracking feature across the platform. Without enabled jurisdictions, no deadlines are surfaced.
  • Attributes (Tags) and Statuses created in their respective sub-screens populate every classification dropdown across DPMS — personal data types, processing purposes, asset types, vendor types, document statuses, and more. Without these, classification fields on ROPA records, assets, and vendors are empty.
  • Organisational Units and Departments are used as assignment targets on tasks, projects, ROPA records, and user profiles throughout the platform.
  • Risk-related items (Standards, Control Sets, Risk Scenarios, Maturity Model, Deadlines and Urgency, Questionnaires) appear in this same navigation menu and link to the Risk Settings module. Changes there affect risk assessments across DPMS.

After configuring Compliance Settings, your next steps will typically be to verify that your ROPA records reference the correct applicable laws, that audiences have been assigned to sensitive records via "Manage Access", and that any custom tags and statuses are in place before your team begins creating records.

Tips & common pitfalls

Tip: Complete the General sub-screen first. The DPO name and Data Controller details are referenced in exported reports and privacy notices. An empty General screen means those documents will contain blank fields.

Heads up: The Applicable Laws edit form pre-loads the current selection. Removing a law and saving immediately removes it from all ROPA and DPIA records that reference it — there is no undo and no confirmation dialog. Always review the selection carefully before clicking Save.

  • IGDTA edit access is restricted to the group representative. If your company is a subsidiary and the parent company has already been set as the group representative, you will see the IGDTA configuration as read-only with no edit button. Only users at the group representative company can make changes.
  • Audience permissions must be configured per company. On the Add Permissions tab, the permissions matrix only applies to the company currently selected in the Assigned Companies dropdown. If the audience spans three companies, you must select each company in turn and save the permissions separately.
  • The IGDTA Termination Notice Period must be at least 1 day. Entering zero or a negative number will cause the Save button to appear to do nothing — the form validates this silently without showing a toast message. If your save attempt has no effect, check this field first.

Heads up: The Standards, Control Sets, Risk Scenarios, Maturity Model, Deadlines and Urgency, and Questionnaires items in this navigation menu belong to the Risk Settings domain. Navigating to them takes you to risk configuration screens. Changes there affect the risk module, not your core compliance records.

  • Clicking "General Settings" in the breadcrumb does not open an overview dashboard. It navigates to the General sub-screen (your DPO and data controller details). There is no single landing page that summarises all sub-sections.

Glossary

Applicable Law — A specific data protection regulation (for example, GDPR for Germany, PIPA for South Korea) that your organisation has declared it must comply with. Selecting it here registers it as a tracked regulation throughout DPMS.

Audience — A named group of users and/or consulting companies used to grant read or write access to specific records at a granular level. Configured here and then assigned to individual records via "Manage Access".

Consulting / Consulted Company — Two companies that have entered a consulting relationship in DPMS. The consulting company can access the consulted company's data, enabling an external DPO consultancy or a parent entity to work within a client or subsidiary's environment.

IGDTA (Intra-Group Data Transfer Agreement) — A legal framework agreement governing how personal data may be transferred between entities within a corporate group. One company is the "group representative" and manages the agreement; other group companies can be marked as eligible parties.

Filerskeepers — An integration that, when enabled and configured with jurisdictions, tracks regulatory filing deadlines across those countries within the platform.

Termination Notice Period — In the IGDTA context, the number of calendar days' advance written notice required before any party can formally exit the agreement. Defaults to 30 days.
