EU General Data Protection Regulation (EU GDPR) Compliance

EU GDPR compliance policies standards procedures

Our EU GDPR-specific compliance documentation can provide your organization with the ability to obtain the evidence of both due care and due diligence in getting and staying compliant with the EU GDPR. At the heart of it, if your organization does one or more of the following activities, it must comply with the EU GDPR: 

  1. Markets its products or services to the EU market.
  2. Maintains business operations in the EU.
  3. Performs "data processor" functions for a "data controller" that is in-scope for GDPR.

Our solutions are applicable for both processors and controllers! We focus on leading industry practices to build documentation that will steer your organization towards building both secure and compliant systems, applications and processes.

Ready To Operationalize Privacy & Cybersecurity Principles To Meet Compliance Needs? We are. 

Specific to the EU GDPR, there are four (4) very specific requirements that necessitate significant coordination between privacy and cybersecurity teams to accomplish:

eu gdpr requirements

EU GDPR Compliance - Where Do I Start?

By the time you pour yourself a cup of coffee and read through this article, you can have a pretty solid understanding of the criteria you need in order to legitimately comply with the European Union General Data Protection Regulation (GDPR).
 
With GDPR, there is an expectation that your organization can demonstrate two things, which essentially govern GDPR compliance efforts:
 
(1) Your organization is aligned with a cybersecurity framework to ensure appropriate technical, administrative and physical controls in place; and
(2) Your organization is aligned with a privacy framework to ensure appropriate privacy controls are in place.
 
To help in managing GDPR requirements and to show how the GDPR articles map into common cybersecurity and privacy frameworks, the below spreadsheet is the EU GDPR Compliance Criteria (EGCC), which is a free reference from the Secure Controls Framework (SCF) (https://www.securecontrolsframework.com).
 
SCF download
The EGCC maps GDPR articles to the following:
  • Secure Controls Framework (SCF) controls, including the focus (e.g., management, technical users or all users).
  • Cybersecurity frameworks (e.g., NIST 800-53, ISO 27002 & NIST Cybersecurity Framework).
  • Privacy frameworks (e.g., SOC2, GAPP).
  • A RACI-style diagram that shows the most common parties involved in managing certain controls.

How Do We Operationalize Both Security & Privacy Principles?

Within the European Union Regulation 2016/279 (General Data Protection Regulation (EU GDPR)), Articles 5, 25 and 35 have shared responsibilities between cybersecurity and privacy teams. Before you can jump in and just start "doing privacy and security," your company needs to first address some fundamental building blocks that are often overlooked:

Understanding "Security By Design" As It Pertains To EU GDPR 

In terms of the EU GDPR, the regulation is expecting your company  to define “adequate level of data protection” and “appropriate technical or organizational measures” in terms of its alignment with leading security practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing a single framework or even a hybrid model, but your company needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but these are several common sources for "security principles" that a company should leverage:

The following sections are the key articles from the EU GDPR that pertain to cybersecurity:

Understanding "Privacy By Design" As It Pertains To EU GDPR 

In terms of the EU GDPR, the regulation is expecting your company  to define “adequate level of data protection” and “appropriate technical or organizational measures” in terms of its alignment with leading privacy practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing privacy frameworks, but your company needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but these are the two most common sources for "privacy principles" that a company should leverage:

The following sections are the key articles from the EU GDPR that pertain to privacy:

ComplianceForge teamed up with the Secure Controls Framework (SCF) to create the EU GDPR Compliance Criteria (EGCC), which is a free resource to help companies understand and manage their GDPR-related controls. What is unique about the EGCC is that is maps to the existing frameworks that many companies use for their existing cybersecurity programs (e.g., ISO 27002, NIST 800-53, GAPP, etc.). This mapping to ISO and NIST frameworks, as well as our Digital Security Program (DSP) makes your compliance requirements easy to manage.

At ComplianceForge, we are here to provide businesses with the documentation they need to comply with the EU GDPR and other requirements that demand companies "bake in" both cybersecurity and privacy principles into their day-to-day operations and project development processes. We refer to it as Cybersecurity for Privacy by Design (C4P). Privacy and secure engineering are just one component of building an audit-ready cybersecurity and privacy program!

2020.1-complianceforge-products-data-protection-privacy-engineering.jpg

Cybersecurity for Privacy by Design (C4P) Model

ComplianceForge offers a very unique set of solutions, beyond just cybersecurity policies and standards. Our comprehensive documentation addresses common cybersecurity and privacy frameworks that enables companies to obtain quality documentation to prove evidence of due care and due diligence for how cybersecurity and privacy principles are implemented. The European Union General Data Protection Regulation (EU GDPR) is more than a checklist of requirements - it is about processes. When processes are audited, it requires documentation to prove their existence. Therefore, documentation is king!

Surprising to many people, privacy protections overlay most existing security protection mechanisms. In a C4P model, the focus is on People, Processes and Technology.

data privacy documentation - privacy by design

 

A focus on C4P allows an organization to:
    • Enable privacy principles through an integrated approach with security;
    • Preset security configuration settings so that it is secure by default;
    • “Bake in” security mechanisms, as compared to “bolting on” protections as an afterthought;
    • Keeping things simple to save resources and avoid negatively affecting users;
    • Integrate throughout the lifecycle of projects / applications / systems;
    • Support a common method to “trust but verify” for projects / applications / systems; and
    • Position security to be seen as an enabler through educating users, managing expectations, and supporting change.

EU GDPR Compliance - Where Do We Start?

Within the European Union Regulation 2016/279 (General Data Protection Regulation (EU GDPR)), Articles 5, 25, 30 and 35 have shared responsibilities between cybersecurity and privacy teams. Before you can jump in and just start "doing privacy and security," your company needs to first address some fundamental building blocks that are often overlooked:

Understanding "Security By Design" As It Pertains To EU GDPR 

In terms of the EU GDPR, the regulation is expecting your company  to define “adequate level of data protection” and “appropriate technical or organizational measures” in terms of its alignment with leading security practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing a single framework or even a hybrid model, but your company needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but these are several common sources for "security principles" that a company should leverage:

Operationalize Security by Design (SbD) & Privacy by Design (SbD)

Most companies have requirements to document security and privacy processes, but lack the knowledge and experience to undertake such documentation efforts. That means organizations are faced to either outsource the work to expensive consultants or they ignore the requirement and hope they do not get in trouble for being non-compliant. In either situation, it is not a good place to be.

The good news is that ComplianceForge developed a comprehensive, yet realistic, security & privacy by design product. The Security & Privacy By Design (SPBD) is made up of both an editable Microsoft Word document & Microsoft Excel checklists that are based on NIST 800-160, NIST 800-37, the Generally Accepted Privacy Principles (GAPP), and the OASIS Privacy Management Reference Model and Methodology (PMRM).  This constitutes the "gold standard" for both secure engineering and privacy frameworks. Additionally, this documentation is capable of scaling for any sized company!

operationalize privacy by design

Please keep in mind that security & privacy engineering principles are not just limited to EU GDPR:

 

 

Browse Our Products

  • Digital Security Program (DSP)

    Digital Security Program (DSP) - SCF Policy Template

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    $9,500.00
    Choose Options
  • ISO 27001 27002 policies & standards

    ISO 27001 / 27002 Policy Template

    ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates

    ISO 27001 & 27002 Policy Template   UPDATED FOR ISO 27001:2022 & 27002:2022   Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common...

    $1,800.00
    Choose Options

Learn More About Cybersecurity & Data Privacy