ControlMap

GDPR

The General Data Protection Regulation (EU 2016/679) is the European Union's comprehensive data protection law governing the processing of personal data. While primarily a privacy regulation, Articles 5, 24-25, 28, 30, 32-35, and 37-39 establish specific security requirements including data protection by design, security of processing, breach notification, and data protection impact assessments.

96%
Coverage
47
Controls Covered
2
Gaps
49
Total Controls

Covered Controls

Controls that have explicit mappings to GDPR requirements.

Govern (6 controls)

Gp Governance Policy
Art.5(2), Art.24(1), Art.24(2)
 Rm Risk Management
Art.24(1), Art.32(1)
 Sc Supply Chain Risk
Art.28(1), Art.28(2)
 Rr Roles & Responsibilities
Art.37(1), Art.38(1), Art.39(1)
 Cm Compliance
Art.5(2), Art.58(1), Art.83(1)
 Vr Vendor Risk Mgmt
Art.28(1), Art.28(2), Art.28(3)

Identify (5 controls)

Am Asset Management
Art.30(1)
 Ra Risk Assessment
Art.35(1), Art.35(7)
 Be Business Environment
Art.35(7)(b)
 Da Data Classification
Art.9(1), Art.5(1)(c)
 Vn Vulnerability Mgmt
Art.32(1)(d)

Protect (20 controls)

Aw Awareness & Training
Art.39(1)(b), Art.47(2)(n)
 Ac Access Control
Art.32(1)(b), Art.25(2)
 Mf Multi-Factor Auth
Art.32(1)(b)
 En Encryption
Art.32(1)(a), Art.34(3)(a)
 Dp Data Protection
Art.5(1)(f), Art.32(1)
 Bk Backup & Recovery
Art.32(1)(c)
 Pa Privileged Access
Art.32(1)(b), Art.29
 Fw Firewall / Net Seg
Art.32(1)(b)
 Ep Endpoint Protection
Art.32(1)(b)
 Pm Patch Management
Art.32(1)(d)
 Cf Secure Config
Art.25(1), Art.32(1)
 Sd Secure Development
Art.25(1), Art.25(2)
 Ml Email Security
Art.32(1)(b)
 Ws Web Security
Art.32(1)(b)
 Zt Zero Trust
Art.32(1)(b), Art.25(1)
 Mb Mobile Security
Art.32(1)(b)
 Cl Cloud Security
Art.28(1), Art.32(1)
 Wf WAF
Art.32(1)(b)
 Dl DLP
Art.5(1)(f), Art.32(1)(b)
 Ap API Security
Art.25(1), Art.32(1)(b)

Detect (6 controls)

Sm Cont. Monitoring
Art.32(1)(d)
 Lg Logging & Audit
Art.5(2), Art.30(1)
 Id Intrusion Detection
Art.32(1)(d), Art.33(1)
 An Anomaly Detection
Art.32(1)(d)
 Sg SIEM / SOC
Art.32(1)(d)
 It Insider Threat
Art.29, Art.32(1)(b), Art.32(4)

Respond (5 controls)

Ir Incident Response
Art.33(1), Art.33(2)
 Fn Forensics
Art.33(3)
 Co Communication
Art.33(1), Art.34(1)
 Mt Mitigation
Art.33(3)(d), Art.34(2)
 Rp Reporting
Art.33(1), Art.34(1)

Recover (5 controls)

Rc Recovery Planning
Art.32(1)(c)
 Bc Business Continuity
Art.32(1)(b), Art.32(1)(c)
 Ll Lessons Learned
Art.32(1)(d), Art.24(1)
 Cr Comms & Restore
Art.34(1), Art.32(1)(c)
 Dr Disaster Recovery
Art.32(1)(c)

Not Covered by GDPR (2 controls)

These controls are tracked by ControlMap but do not have explicit GDPR mappings. Organizations relying on GDPR should consider supplementing with additional frameworks to address these gaps.

Ti Threat Intelligence
Covered by: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53
 Ds DNS Security
Covered by: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53

GDPR vs Other Frameworks

GDPR provides 96% coverage of the 49 cybersecurity controls tracked by ControlMap. NIST CSF 2.0 covers 100%, ISO 27001 covers 100%, CIS v8 covers 90%, SOC 2 covers 100%, PCI DSS covers 100%, CMMC covers 94%, 800-53 covers 100%, HIPAA covers 94%. For maximum coverage, organizations often combine GDPR with complementary frameworks to address gaps in areas like threat intelligence, dns security.

Other Frameworks

NIST CSF 2.0 ISO 27001 CIS v8 SOC 2 PCI DSS CMMC 800-53 HIPAA
View GDPR in Interactive Dashboard