EU GDPR Compliance Criteria (EGCC)

Updated: Jan 2, 2019

By the time you pour yourself a cup of coffee and read through this article, you can have a pretty solid understanding of the criteria you need in order to legitimately comply with the European Union General Data Protection Regulation (GDPR).

With GDPR, there is an expectation that your organization can demonstrate two things, which essentially govern GDPR compliance efforts:

(1) Your organization is aligned with a cybersecurity framework to ensure appropriate technical, administrative and physical controls in place; and

(2) Your organization is aligned with a privacy framework to ensure appropriate privacy controls are in place.

The image below covers this process in greater detail and from there, the alignment with your frameworks essentially provides a “paint by numbers” approach to complying with GDPR, since GDPR is leveraging work you should already have done through your existing cybersecurity and privacy program. For the most part, GDPR is nothing new - it is just enforcing reasonably-expected practices and punishing non-compliance with significant penalties.


GDPR is process-related, as compared to a simple control checklist, such as PCI DSS. With a focus on process, this requires good documentation in order to demonstrate how people, processes and technology are managed to ensure that both cybersecurity and privacy principles are implemented consistently.

To help in managing GDPR requirements and to show how the GDPR articles map into common cybersecurity and privacy frameworks, the below spreadsheet is the EU GDPR Compliance Criteria (EGCC), which is a free reference from the Secure Controls Framework (SCF) (


The EGCC maps GDPR articles to the following:

- Secure Controls Framework (SCF) controls, including the focus (e.g., management, technical users or all users).

- Cybersecurity frameworks (e.g., NIST 800-53, ISO 27002 & NIST Cybersecurity Framework).

- Privacy frameworks (e.g., SOC2, GAPP).

- A RACI-style diagram that shows the most common parties involved in managing certain controls.

If you have any questions about this, please feel free to contact us at

1 comment

Recent Posts

See All

Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.


If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user. ​


SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2021. Secure Controls Framework Council, LLC


  • White LinkedIn Icon