
Privacy & Data Protection

ROPA, DPIA, DSAR, consent management, breach notification, and Privacy by Design.

The challenge

Does this sound familiar?

Privacy compliance lives in spreadsheets and shared drives. DSAR responses miss statutory deadlines. Processing activities are undocumented. Breach notifications are assembled under pressure with incomplete data.

How Fig helps

Privacy & Data Protection with Fig

ROPA and Data Mapping

Article 30 compliant Record of Processing Activities with controller and processor registers. Legal basis, retention periods, and cross-border transfer documentation. Data flow mapping across systems.

DPIA and DSAR

Structured Data Protection Impact Assessment workflow integrated with change management. Data Subject Access Request intake with statutory timeline tracking and automated response workflows.

Consent and Breach

Consent lifecycle management with withdrawal processing and lawful basis tracking. Personal data breach notification with GDPR 72-hour deadline calculation, separate from general incident management.

Privacy by Design

Project-level privacy assessments for new systems and changes. Data deletion and portability controls. Legal hold management with retention exceptions. Personal data inventory linked to the asset register.

Core Capability

Fig provides native GDPR tooling including DSAR handling with 30-day SLA enforcement, DPIA lifecycle management, ROPA, consent tracking with automatic expiry, privacy-by-design verification, and breach notification with 72-hour clock enforcement.

Audit-ready workflow

How Privacy & Data Protection becomes evidence

Privacy & Data Protection should not be treated as a standalone tool surface. In Fig it is part of a governed workflow: a signal is captured, an owner is assigned, a control or risk is updated, and evidence is retained so the organisation can prove what happened later.

Lifecycle

Where it sits in the operating model

The Prove phase is where this capability sits in the wider Fig operating model. Fig turns the challenge described above (spreadsheet-based compliance, missed DSAR deadlines, undocumented processing, and breach notifications assembled under pressure) into a repeatable lifecycle, so MSPs, risk teams, and auditors are not relying on static spreadsheets or ad hoc screenshots when a buyer asks for proof.

Evidence captured

What auditors and buyers see

For privacy & data protection, useful evidence normally includes the triggering record, the affected asset or supplier, the control requirement, the assigned owner, the decision made, the timestamp, and the outcome. That evidence is mapped back to frameworks such as Cyber Essentials, ISO 27001, NIS2, DORA, GDPR, CMMC, and internal policy requirements where relevant.

Implementation checks

Four steps to roll this out

  1. Define who owns privacy & data protection and what events should trigger review.
  2. Connect the relevant source systems so evidence is collected continuously.
  3. Map outputs to the frameworks and policies that matter to the organisation.
  4. Review exceptions, accepted risks, and overdue actions before audit or renewal.

Useful references

Independent sources buyers and auditors recognise

The exact evidence required still depends on your scope, risk profile, sector, and framework obligations.

Built for you

Who uses this?

MSPs & MSSPs

Deliver privacy compliance as a managed service. Multi-tenant ROPA, DSAR management, and breach notification across client portfolios.


Security & risk teams

Privacy management connected to your compliance engine, supplier risk monitoring, and incident management. A data breach triggers the incident workflow, calculates the 72-hour notification deadline, and identifies affected data subjects automatically.


Compliance & audit

Complete evidence chain from processing activity registers through impact assessments, consent records, breach notifications, and deletion logs for GDPR, UK GDPR, and DORA compliance.


Common questions

Frequently asked questions

Does this replace OneTrust?

For most organisations, yes. Fig provides ROPA, DPIA, DSAR, consent management, breach notification, and Privacy by Design in one platform connected to your compliance engine. Organisations with very complex cookie consent or vendor management requirements may use both.

How does breach notification work?

When an incident involves personal data, Fig automatically calculates the GDPR 72-hour notification deadline, links to the affected processing activity in the ROPA, identifies impacted data subjects from the consent register, and pre-populates the regulatory notification template.

Can we manage DSARs through Fig?

Yes. Subject access requests are tracked from intake through to response with statutory deadline monitoring. Response workflows include data gathering, review, redaction, and delivery with full audit trails.

How does Privacy by Design integrate with change management?

Changes flagged as affecting personal data processing automatically trigger a DPIA within the change workflow. Privacy assessments are completed before the change is approved, ensuring compliance is built in from the start.

Does this cover UK GDPR as well as EU GDPR?

Yes. Fig supports both UK GDPR and EU GDPR requirements, including the differences in supervisory authority notification, data transfer mechanisms, and lawful basis documentation.

Next step

See Privacy & Data Protection in action.

Book a walkthrough tailored to your frameworks and tooling.