How to Comply with GDPR
The General Data Protection Regulation (EU 2016/679) is the European Union's comprehensive data protection law governing the processing of personal data. Although it is primarily a privacy regulation, Articles 5, 24-25, 28, 30, 32-35, and 37-39 impose concrete security obligations: data protection by design and by default (Art. 25), security of processing appropriate to the risk (Art. 32), notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them (Art. 33) and to affected data subjects where the breach is likely to result in a high risk to them (Art. 34), and data protection impact assessments for high-risk processing (Art. 35).
Why GDPR Compliance Matters
Under Article 3, GDPR applies to organizations established in the EU and, regardless of where an organization is based, to processing that relates to offering goods or services to data subjects in the EU or to monitoring their behaviour there. Administrative fines can reach 4% of annual global turnover or €20 million, whichever is higher (Art. 83(5)). Beyond the legal exposure, demonstrable compliance is increasingly a condition of doing business, since customers and partners ask for it in procurement and processor agreements (Art. 28).
Compliance Checklist by Domain
The 47 controls below are grouped by the six NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) and mapped to the GDPR articles they support; the "Also In" column lists the other frameworks in which the same control appears. Note that GDPR rarely names a specific control: Art. 32(1) requires measures "appropriate to the risk", so the article references are the legal basis for each control, not a prescription of it. Work through each domain to build your compliance program, and record the risk assessment that justifies the measures you choose, since accountability (Art. 5(2)) means you must be able to show it.
Govern (6 controls)
| Control | GDPR References | Also In |
|---|---|---|
| Governance Policy | Art.5(2) Art.24(1) Art.24(2) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Risk Management | Art.24(1) Art.32(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Supply Chain Risk | Art.28(1) Art.28(2) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA |
| Roles & Responsibilities | Art.37(1) Art.38(1) Art.39(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Compliance | Art.5(2) Art.58(1) Art.83(1) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Vendor Risk Mgmt | Art.28(1) Art.28(2) Art.28(3) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA |
Identify (5 controls)
| Control | GDPR References | Also In |
|---|---|---|
| Asset Management | Art.30(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Risk Assessment | Art.35(1) Art.35(7) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Business Environment | Art.35(7)(b) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA |
| Data Classification | Art.9(1) Art.5(1)(c) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Vulnerability Mgmt | Art.32(1)(d) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
Protect (20 controls)
| Control | GDPR References | Also In |
|---|---|---|
| Awareness & Training | Art.39(1)(b) Art.47(2)(n) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Access Control | Art.32(1)(b) Art.25(2) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Multi-Factor Auth | Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Encryption | Art.32(1)(a) Art.34(3)(a) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Data Protection | Art.5(1)(f) Art.32(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Backup & Recovery | Art.32(1)(c) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Privileged Access | Art.32(1)(b) Art.29 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Firewall / Net Seg | Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Endpoint Protection | Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Patch Management | Art.32(1)(d) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Secure Config | Art.25(1) Art.32(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Secure Development | Art.25(1) Art.25(2) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53 |
| Email Security | Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Web Security | Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Zero Trust | Art.32(1)(b) Art.25(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Mobile Security | Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Cloud Security | Art.28(1) Art.32(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| WAF | Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| DLP | Art.5(1)(f) Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| API Security | Art.25(1) Art.32(1)(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
Detect (6 controls)
| Control | GDPR References | Also In |
|---|---|---|
| Cont. Monitoring | Art.32(1)(d) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Logging & Audit | Art.5(2) Art.30(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Intrusion Detection | Art.32(1)(d) Art.33(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Anomaly Detection | Art.32(1)(d) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| SIEM / SOC | Art.32(1)(d) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Insider Threat | Art.29 Art.32(1)(b) Art.32(4) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
Respond (5 controls)
| Control | GDPR References | Also In |
|---|---|---|
| Incident Response | Art.33(1) Art.33(2) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Forensics | Art.33(3) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Communication | Art.33(1) Art.34(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Mitigation | Art.33(3)(d) Art.34(2) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Reporting | Art.33(1) Art.34(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
Recover (5 controls)
| Control | GDPR References | Also In |
|---|---|---|
| Recovery Planning | Art.32(1)(c) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Business Continuity | Art.32(1)(b) Art.32(1)(c) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Lessons Learned | Art.32(1)(d) Art.24(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Comms & Restore | Art.34(1) Art.32(1)(c) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
| Disaster Recovery | Art.32(1)(c) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA |
Controls Not Required by GDPR
These 2 controls are not directly addressed by GDPR but may still be relevant to your security program.
How GDPR Compares
See how GDPR coverage overlaps with other frameworks: