EU General Data Protection Regulation (EU GDPR) Compliance
Our EU GDPR-specific compliance documentation gives your organization the evidence of both due care and due diligence it needs to become and stay compliant with the EU GDPR. At its core, if your organization does one or more of the following, it must comply with the EU GDPR (Article 3):
Offers goods or services to data subjects in the EU, or monitors their behavior within the EU, regardless of where the organization itself is established (Article 3(2)).
Is established in the EU and processes personal data in the context of that establishment (Article 3(1)).
Performs "data processor" functions for a "data controller" that is in scope for the GDPR.
Our solutions apply to both processors and controllers. We focus on leading industry practices to build documentation that steers your organization towards building systems, applications and processes that are both secure and compliant.
Ready To Operationalize Privacy & Cybersecurity Principles To Meet Compliance Needs? We are.
Specific to the EU GDPR, four (4) articles (Articles 5, 25, 30 and 35) impose requirements that cannot be met without significant coordination between privacy and cybersecurity teams.
EU GDPR Compliance - Where Do I Start?
By the time you have poured yourself a cup of coffee and read through this article, you should have a solid understanding of what you need in order to legitimately comply with the European Union General Data Protection Regulation (GDPR).
With GDPR, there is an expectation that your organization can demonstrate two things, which essentially govern GDPR compliance efforts:
(1) Your organization is aligned with a cybersecurity framework, to ensure appropriate technical, administrative and physical controls are in place; and
(2) Your organization is aligned with a privacy framework to ensure appropriate privacy controls are in place.
To help manage GDPR requirements and to show how the GDPR articles map to common cybersecurity and privacy frameworks, the EU GDPR Compliance Criteria (EGCC) spreadsheet is a free reference from the Secure Controls Framework (SCF) (https://www.securecontrolsframework.com).
The EGCC maps GDPR articles to the following:
Secure Controls Framework (SCF) controls, including each control's focus (e.g., management, technical users or all users); and
A RACI-style diagram showing the parties most commonly involved in managing each control.
How Do We Operationalize Both Security & Privacy Principles?
Within European Union Regulation 2016/679 (the General Data Protection Regulation (EU GDPR)), Articles 5, 25, 30 and 35 carry shared responsibilities between cybersecurity and privacy teams. Before you can jump in and just start "doing privacy and security," your company must first address some fundamental building blocks that are often overlooked:
Step 1 - Make sure your company's policies and standards are "audit ready" for GDPR. This means they are aligned with an industry-recognized leading framework, which demonstrates that you meet reasonable expectations for your industry.
Step 2 - Eliminate "tribal knowledge" by documenting how processes actually work and ensure that key stakeholders are aware of what "right" looks like. If you have written processes, audit them to make sure what is published is actually what is being done.
Step 3 - Establish governance / oversight of processes to ensure your company's processes are actually working as they are supposed to. If not, make fixes and keep verifying.
Understanding "Security By Design" As It Pertains To EU GDPR
In terms of the EU GDPR, the regulation expects your company to define an "adequate level of data protection" and "appropriate technical or organizational measures" through its alignment with leading security practices. Your company is therefore not only expected to adopt a "best in class" approach to implementing a single framework or a hybrid model, but also to hold evidence that it has done so. Every framework has its own strengths and weaknesses, but the following are common sources of "security principles" that a company should leverage:
International Organization for Standardization (ISO) 27000-series guidance;
National Institute of Standards and Technology (NIST) 800-series guidance;
NIST Cybersecurity Framework;
Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS);
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); and
Center for Internet Security (CIS) Critical Security Controls and Benchmarks.
The following sections are the key articles from the EU GDPR that pertain to cybersecurity:
Article 5 - Principles relating to processing of personal data.
Your company must protect personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (Article 5(1)(f), the "integrity and confidentiality" principle). Article 5(2) adds the accountability principle: the controller must be able to demonstrate this compliance, which is why documented evidence matters.
Article 25 – Data protection by design and by default.
Your company must implement "appropriate technical and organizational measures" to implement data-protection principles and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Article 28 - Processor.
Your company must only use processors providing sufficient guarantees to implement appropriate technical and organizational security and privacy measures.
Article 32 - Security of processing.
Your company must implement "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk of the data being processed. Article 32(1) names, as appropriate, the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of and access to personal data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Article 33 - Notification of a personal data breach to the supervisory authority.
Your company must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay. A processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)), and every breach, whether notified or not, must be documented (Article 33(5)).
Article 35 - Data protection impact assessment.
Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, your company must perform a Data Protection Impact Assessment (DPIA) prior to the processing, in order to assess the impact of the envisaged processing operations.
Article 45 - Transfers on the basis of an adequacy decision.
Your company may transfer personal data to a third country or an international organization without any specific authorization only where the Commission has decided that it ensures an adequate level of protection.
Article 46 - Transfers subject to appropriate safeguards.
In the absence of an adequacy decision under Article 45, your company must have at least one (1) of the following in place:
A legally binding and enforceable instrument between public authorities or bodies;
Binding corporate rules in accordance with Article 47;
Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
Understanding "Privacy By Design" As It Pertains To EU GDPR
In terms of the EU GDPR, the regulation expects your company to define an "adequate level of data protection" and "appropriate technical or organizational measures" through its alignment with leading privacy practices. Your company is therefore not only expected to adopt a "best in class" approach to implementing privacy frameworks, but also to hold evidence that it has done so. Every framework has its own strengths and weaknesses, but the two most common sources of "privacy principles" that a company should leverage are:
Generally Accepted Privacy Principles (GAPP); and
Fair Information Practice Principles (FIPPs).
The following sections are the key articles from the EU GDPR that pertain to privacy:
Article 5 - Principles relating to processing of personal data.
Your company must protect personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Article 5(1) also sets out the principles of lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; and storage limitation, and Article 5(2) (accountability) requires the controller to be able to demonstrate compliance with all of them.
Article 6 - Lawfulness of processing.
Your company must ensure that each processing of personal data rests on at least one of the six lawful bases in Article 6(1): the data subject's consent; performance of a contract with the data subject; compliance with a legal obligation; protection of vital interests; a task carried out in the public interest or in the exercise of official authority; or the legitimate interests of the controller or a third party (a basis not available to public authorities in the performance of their tasks).
Article 9 - Processing of special categories of personal data.
Your company is prohibited from processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and from processing genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, unless one of the exceptions in Article 9(2) applies (e.g., the data subject's explicit consent, or processing necessary for specific employment, health or legal purposes).
Article 10 - Processing of personal data relating to criminal convictions and offences.
Your company may process personal data relating to criminal convictions and offences only under the control of official authority, or when the processing is authorized by Union or Member State law providing appropriate safeguards for the rights and freedoms of data subjects.
Article 17 - Right to erasure.
This is the "right to be forgotten" requirement.
Your company must erase a data subject's personal data without undue delay when the data subject requests it and one of the grounds in Article 17(1) applies (e.g., the data are no longer necessary for the purpose for which they were collected, consent has been withdrawn, the data subject objects to the processing, or the data have been unlawfully processed), subject to the exceptions in Article 17(3) (e.g., compliance with a legal obligation, or the establishment, exercise or defense of legal claims). Where your company has made the data public, it must also take reasonable steps to inform other controllers processing the data of the erasure request.
Article 20 - Right to data portability.
This is the "data portability" requirement.
Where processing is based on consent or on a contract and is carried out by automated means, your company must be capable of providing a data subject with the personal data concerning him or her which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and the data subject has the right to transmit those data to another controller without hindrance from your company.
Article 25 – Data protection by design and by default.
Your company must implement "appropriate technical and organizational measures" to implement data-protection principles and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Article 35 - Data protection impact assessment.
Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, your company must perform a Data Protection Impact Assessment (DPIA) prior to the processing, in order to assess the impact of the proposed processing operations.
Article 46 - Transfers subject to appropriate safeguards.
In the absence of an adequacy decision under Article 45, your company must have at least one (1) of the following in place:
A legally binding and enforceable instrument between public authorities or bodies;
Binding corporate rules in accordance with Article 47;
Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
Article 49 - Derogations for specific situations.
In the absence of both an adequacy decision (Article 45) and appropriate safeguards (Article 46), your company may transfer personal data to a third country or an international organization only under one of the derogations in Article 49(1), for example: the data subject has explicitly consented to the transfer after being informed of its possible risks; the transfer is necessary for the performance of a contract with the data subject; the transfer is necessary for important reasons of public interest; or the transfer is necessary for the establishment, exercise or defense of legal claims. These derogations are exceptions that are interpreted restrictively; they are not a substitute for an adequacy decision or appropriate safeguards for routine transfers.
ComplianceForge teamed up with the Secure Controls Framework (SCF) to create the EU GDPR Compliance Criteria (EGCC), a free resource to help companies understand and manage their GDPR-related controls. What is unique about the EGCC is that it maps to the frameworks that many companies already use for their cybersecurity programs (e.g., ISO 27002, NIST 800-53, GAPP, etc.). This mapping to the ISO and NIST frameworks, as well as to our Digital Security Program (DSP), makes your compliance requirements easier to manage.
At ComplianceForge, we are here to provide businesses with the documentation they need to comply with the EU GDPR and other requirements that demand companies "bake in" both cybersecurity and privacy principles into their day-to-day operations and project development processes. We refer to it as Cybersecurity for Privacy by Design (C4P). Privacy and secure engineering are just one component of building an audit-ready cybersecurity and privacy program!
Cybersecurity for Privacy by Design (C4P) Model
ComplianceForge offers a unique set of solutions that goes beyond cybersecurity policies and standards. Our comprehensive documentation addresses common cybersecurity and privacy frameworks, giving companies quality documentation that proves evidence of due care and due diligence for how cybersecurity and privacy principles are implemented. The European Union General Data Protection Regulation (EU GDPR) is more than a checklist of requirements; it is about processes. When processes are audited, documentation is required to prove their existence. Therefore, documentation is king!
Surprising to many people, privacy protections overlay most existing security protection mechanisms. In a C4P model, the focus is on People, Processes and Technology.
A focus on C4P allows an organization to:
Enable privacy principles through an integrated approach with security;
Preset security configuration settings so that systems are secure by default;
"Bake in" security mechanisms, as compared to "bolting on" protections as an afterthought;
Keep things simple to save resources and avoid negatively affecting users;
Integrate security and privacy throughout the lifecycle of projects / applications / systems;
Support a common method to "trust but verify" projects / applications / systems; and
Position security to be seen as an enabler by educating users, managing expectations and supporting change.
Operationalize Security by Design (SbD) & Privacy by Design (PbD)
Most companies are required to document their security and privacy processes, but lack the knowledge and experience to undertake such documentation efforts. That leaves organizations either outsourcing the work to expensive consultants or ignoring the requirement and hoping they do not get in trouble for being non-compliant. Neither situation is a good place to be.
The good news is that ComplianceForge has developed a comprehensive, yet realistic, security and privacy by design product. The Security & Privacy By Design (SPBD) is made up of an editable Microsoft Word document and Microsoft Excel checklists that are based on NIST 800-160, NIST 800-37, the Generally Accepted Privacy Principles (GAPP) and the OASIS Privacy Management Reference Model and Methodology (PMRM). Together these constitute the "gold standard" for secure engineering and privacy frameworks, and the documentation scales to any size of company.
Please keep in mind that security and privacy engineering principles are not limited to the EU GDPR.