Last updated: 2026-04-02
Guide

DPO Quickstart

This guide walks you through configuring Dxtra as your compliance management platform. You'll review AI-generated assessments, configure processing activities and legal basis, set up breach reporting workflows, and manage data subject rights — all from a single dashboard.

Prerequisites

Your organization should have an active Dxtra account with a generated privacy program. If the initial setup hasn't been completed, start with the Business Owner Quickstart.

What you'll accomplish

  1. Review AI-generated Data Protection Impact Assessments
  2. Configure processing purposes and legal basis
  3. Set up breach and incident reporting
  4. Configure data subject rights management
  5. Grant auditor and regulator access
  6. Generate compliance reports

Step 1: Review your assessments

Sign in to app.dxtra.ai and go to Assessments in the left sidebar. Dxtra's AI generates several types of assessments based on your organization's profile and processing activities:

  • Data Protection Impact Assessments (DPIAs) — Required under GDPR Article 35 for high-risk processing
  • Transfer Impact Assessments (TIAs) — For international data transfers
  • Legitimate Interest Assessments (LIAs) — When legitimate interest is your legal basis
  • Algorithmic Impact Assessments — For AI/ML processing activities
  • Vendor Risk Assessments — For third-party data processors

Each assessment includes an activity description, risk level rating, identified data categories, specific risks and vulnerabilities, and recommended safeguards.

Review and approve an assessment

  1. Click on any assessment to open the detail view
  2. Review each section — the AI populates these based on your questionnaire answers and industry context
  3. Click Edit to update any section that doesn't accurately reflect your processing
  4. Add notes about safeguards you've already implemented
  5. Click Save, then Approve when satisfied

Keep assessments current

DPIAs are living documents. When your processing activities change — new data categories, new vendors, new jurisdictions — revisit and update the relevant assessments. Dxtra flags when assessments may need review based on changes you make elsewhere in the platform.


Step 2: Configure processing purposes and legal basis

Go to Purposes in the left sidebar. This is the core of your Article 30 compliance record. The AI has generated your initial processing purposes based on your industry context and questionnaire answers.

Review generated purposes

The Purposes page organizes your data into three views:

Tracked Data
Data automatically observed, inferred, or generated through user behavior or system activity (analytics data, browsing patterns, device identifiers, etc.)
Received Data
Data explicitly provided by users during account setup, service usage, or customer interactions (names, email addresses, payment details, etc.)
Legal Basis
The legal justification for each processing activity across all applicable jurisdictions

Configure a processing purpose

Each purpose includes an expandable detail section. Click on any purpose to view and edit:

  • Purpose name — A clear description of the processing activity (e.g., "E-Commerce and Online Retail", "Marketing (Non-Targeted)")
  • AI-generated description — A detailed narrative of how and why you process data for this purpose. The AI generates this from your industry context — review for accuracy and edit as needed
  • Data categories — The types of personal data involved (identifiers, contact details, financial data, behavioral data, etc.)
  • Legal basis — Select the applicable basis for each jurisdiction:
    • Consent
    • Contract
    • Legal Obligation
    • Vital Interests
    • Public Task
    • Legitimate Interests (with linked LI Assessment)
  • Retention period — How long data is kept for this purpose
  • Recipients — Third parties who receive data for this purpose
  • International transfers — Whether data crosses jurisdictional boundaries

Click Save after making changes to any purpose.

Add a new processing purpose

If the AI missed a processing activity or you've added a new one:

  1. Click Add Purpose
  2. Fill in the purpose details
  3. Select the applicable legal basis for each jurisdiction
  4. Click Create

Be thorough

Regulators expect processing records to be comprehensive. Document every way you use personal data, including internal HR processing, analytics, customer support, and marketing — not just the obvious customer-facing activities.


Step 3: Set up breach and incident reporting

Go to Breach & Incident Reporting in the left sidebar. Dxtra provides a structured workflow for handling data breaches from detection through resolution.

Configure your breach response plan

The AI generates a breach response procedure based on your jurisdictions. Review and customize:

  1. Detection and notification chain — Who gets notified first when a breach is detected (security team, DPO, legal, leadership) and through what channel
  2. Assessment criteria — How severity is determined (data categories compromised, number of data subjects affected, likelihood of harm)
  3. Authority notification — Which supervisory authorities to notify, auto-populated based on your operating regions
  4. Data subject notification — When and how to notify affected individuals

Report an incident

When a breach occurs:

  1. Go to Breach & Incident Reporting → Report Incident
  2. Fill in the incident details:
    • Date and time of discovery
    • Data categories affected
    • Estimated number of data subjects involved
    • Description of the incident
    • Steps already taken
  3. Dxtra calculates which authorities require notification based on your jurisdictions
  4. The system generates a pre-populated breach report
  5. Review, finalize, and submit the report
  6. Dxtra tracks notification deadlines and sends reminders

Deadline tracking

GDPR requires notification to supervisory authorities within 72 hours of becoming aware of a breach. CCPA requires notification in the most expedient time possible. Dxtra tracks these deadlines automatically and sends escalation alerts as they approach.


Step 4: Configure data subject rights management

Go to Rights Management in the left sidebar. Dxtra supports all major data subject rights and provides a structured workflow for each.

Available rights

The Rights Management page shows which rights are enabled:

Right | GDPR | Status
Right of Access | Art. 15 | Enabled
Right to Rectification | Art. 16 | Enabled
Right to Erasure | Art. 17 | Enabled
Right to Restriction | Art. 18 | Enabled
Right to Data Portability | Art. 20 | Enabled
Right to Object | Art. 21 | Enabled
Right to Not Be Subject to Automated Decision-Making | Art. 22 | Enabled

Dxtra also detects Global Privacy Control (GPC) signals, allowing data subjects to opt out of data sales and sharing automatically.

Configure the rights request form

Dxtra generates a Data Subject Rights Request form that appears on your Transparency Center. The form includes:

  • A dropdown for selecting the request type (access, erasure, rectification, portability, objection, opt-out)
  • Identity verification fields
  • A free-text field for additional context

You can embed this form on your website or link to it from your Transparency Center. Go to the form configuration section and choose Link (for a direct URL) or Embed / Preview (for an embeddable code snippet).

Handle incoming requests

When a data subject submits a request:

  1. You receive a notification in the dashboard and via email
  2. The request appears in Rights Management → Requests with its type, submission date, and deadline
  3. Verify the requester's identity using the configured verification method
  4. Process the request (retrieve data, delete records, correct information, etc.)
  5. Respond to the data subject within the applicable deadline
  6. Mark the request as resolved

Dxtra tracks deadlines automatically: one month for GDPR (extendable to three months for complex requests) and 45 days for CCPA (extendable to 90 days).


Step 5: Grant auditor and regulator access

Go to Settings → Team to manage access for external auditors.

  1. Click Invite Member
  2. Enter the auditor's email address
  3. Assign the Auditor role — this provides read-only access to:
    • Processing activity records
    • Assessment documentation
    • Breach logs and resolution records
    • Consent records (aggregated)
    • Data retention schedules
    • Rights request logs
  4. Set an access expiry date
  5. Click Invite

The auditor receives a secure login link. They can view compliance documentation without editing it, and you can revoke access at any time.

Audit preparation

Before an audit, use the reporting features (see next step) to generate a compliance package. This saves auditors time and demonstrates your organization's commitment to transparency.


Step 6: Generate compliance reports

Go to Assurance in the left sidebar to access Dxtra's reporting and compliance dashboard. Available reports include:

Processing Activities Inventory
A complete Article 30 record of all data processing activities, exportable as PDF
Assessment Summary
All DPIAs, TIAs, LIAs, and vendor risk assessments with their status and findings
Breach Log
A chronological record of all reported incidents, actions taken, and resolutions
Data Subject Requests Log
All rights requests received, their type, response time, and outcome
Consent Records
Aggregated consent statistics across consent categories, with grant/withdrawal trends
Processor Compliance Status
All data processors, their agreement status, and compliance posture

Each report can be filtered by date range and exported as PDF for submission to regulators or auditors.


What you just did

  • Reviewed AI-generated Data Protection Impact Assessments and other compliance assessments
  • Configured processing purposes, data categories, and legal basis for each jurisdiction
  • Set up breach and incident reporting with deadline tracking
  • Configured data subject rights management with an embeddable request form
  • Granted read-only access for auditors and regulators
  • Generated compliance reports for audit readiness

Next steps

Onboard your data processors
Review and configure agreements with every third party that processes personal data on your behalf. See Processor Management.
Set up consent management
Configure consent forms and banners for your digital properties. See Consent Management.
Enable PII scanning
Discover personal data across your connected systems and file storage. See PII Scanning.
Invite your team
Add legal, security, and support team members with appropriate role-based access. Go to Settings → Team → Invite Members.
Schedule regular reviews
Set a recurring calendar reminder to review processing activities, update assessments when practices change, check breach logs, and verify consent compliance. Monthly is recommended.

Key compliance deadlines

Obligation | Deadline | Jurisdiction
Breach notification to authorities | 72 hours | GDPR
Breach notification to data subjects | Without undue delay | GDPR
Data subject access request response | One month (extendable to three months) | GDPR
Consumer rights request response | 45 days (extendable to 90) | CCPA/CPRA
DPIA required before processing | Before high-risk processing begins | GDPR Art. 35

Dxtra tracks all applicable deadlines and sends reminders as they approach.

Not legal advice

AI-generated content does not constitute legal advice. Consult a qualified legal professional for advice specific to your jurisdiction and business context.