Updated: Jan 2, 2019
By the time you pour yourself a cup of coffee and read through this article, you can have a pretty solid understanding of the criteria you need in order to legitimately comply with the European Union General Data Protection Regulation (GDPR).
With GDPR, there is an expectation that your organization can demonstrate two things, which essentially govern GDPR compliance efforts:
(1) Your organization is aligned with a cybersecurity framework to ensure appropriate technical, administrative and physical controls in place; and
(2) Your organization is aligned with a privacy framework to ensure appropriate privacy controls are in place.
The image below covers this process in greater detail and from there, the alignment with your frameworks essentially provides a “paint by numbers” approach to complying with GDPR, since GDPR is leveraging work you should already have done through your existing cybersecurity and privacy program. For the most part, GDPR is nothing new - it is just enforcing reasonably-expected practices and punishing non-compliance with significant penalties.
GDPR is process-related, as compared to a simple control checklist, such as PCI DSS. With a focus on process, this requires good documentation in order to demonstrate how people, processes and technology are managed to ensure that both cybersecurity and privacy principles are implemented consistently.
To help in managing GDPR requirements and to show how the GDPR articles map into common cybersecurity and privacy frameworks, the below spreadsheet is the EU GDPR Compliance Criteria (EGCC), which is a free reference from the Secure Controls Framework (SCF) (https://www.securecontrolsframework.com).
The EGCC maps GDPR articles to the following:
- Secure Controls Framework (SCF) controls, including the focus (e.g., management, technical users or all users).
- Cybersecurity frameworks (e.g., NIST 800-53, ISO 27002 & NIST Cybersecurity Framework).
- Privacy frameworks (e.g., SOC2, GAPP).
- A RACI-style diagram that shows the most common parties involved in managing certain controls.
If you have any questions about this, please feel free to contact us at firstname.lastname@example.org.