Secure Controls Framework

European Union General Data Protection Regulation (EU GDPR)

GDPR permanently altered the role of cybersecurity within organizations — data protection is now a legal requirement, and cybersecurity is the only path to achieving it, with multi-million-euro fines and reputational damage for those who fall short.

Common Controls Framework™

The SCF is the Common Controls Framework™ (CCF™) — a Living Control Set (LCS) with 1,400+ controls across 33 domains, mapped to 200+ laws, regulations, and frameworks including EU GDPR. Free under Creative Commons. Importable into GRC platforms via .csv or NIST OSCAL JSON. Validated using NIST IR 8477 STRM set theory.

Law Overview

European Union General Data Protection Regulation (EU GDPR)

The EU General Data Protection Regulation (GDPR) is widely regarded as the most comprehensive data protection regulation enacted to date — requiring organizations to implement appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of personal data.

While often categorized as a privacy law, GDPR is equally rooted in information security. For cybersecurity leaders, it is a legal mandate for risk-based information governance, breach readiness, third-party accountability and continuous operational resilience.

Name: European Union General Data Protection Regulation (EU GDPR)
Type: Statutory (Law)
Authoritative Source: EU Regulation 2016/679
Adopted: April 27, 2016
Enforceable: May 25, 2018
Enforced By: EU national Data Protection Authorities (DPAs)
Max Fine (Tier 2): €20 million or 4% of annual global turnover
Certification Available: No official certification. SCF CAP can demonstrate conformity.

TL / DR — Too Long / Didn’t Read

GDPR is almost a decade old, but it permanently altered the role of cybersecurity within organizations. No longer relegated to IT infrastructure, data protection is now a legal requirement and cybersecurity is the only path to achieving it. The law sets a high bar with continuous, demonstrable and risk-based control over how personal data is accessed, stored, transmitted and destroyed.

Non-compliance is no longer an internal matter. It invites multi-million-euro fines, lawsuits and reputational damage. As regulators increase scrutiny and public awareness grows, organizations must elevate cybersecurity from a technical function to a strategic compliance discipline.

A mature GDPR program is one where risk, governance, operations and technology work in concert. Strong documentation is the connective tissue — it links legal obligations to operational activity and enables the transparency, accountability and resilience demanded by modern data protection laws.

GRC-Focused Overview

GDPR — Origins and Purpose

GDPR requires organizations to implement “appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of personal data — foundational cybersecurity principles enforced by law with significant financial consequences for non-compliance.

GDPR was adopted on April 27, 2016 and became enforceable on May 25, 2018, replacing the 1995 Data Protection Directive (95/46/EC). The need for reform stemmed from the digital economy’s explosive growth and the proliferation of personal data across borders, platforms and technologies. GDPR was written for a world of cloud computing, AI, social media, mobile applications and global commerce. Its key objectives: harmonize data protection laws across the EU; strengthen individual rights over personal data; increase accountability for data controllers and processors; and establish significant fines for violations.

GDPR shifted the regulatory burden onto organizations: they must be able to demonstrate compliance at all times. Both controllers and processors have independent obligations under GDPR — a key departure from previous EU laws.

Compliance Requirements

Key Security Obligations Under GDPR

GDPR is technology-neutral, but it imposes broad and enforceable security and accountability mandates that fall squarely within the cybersecurity function.

Article 32: Security of Processing. Controllers and processors must implement “appropriate technical and organizational measures” including pseudonymization and encryption, ongoing confidentiality/integrity/availability/resilience, ability to restore access to personal data in a timely manner, and regular testing and evaluation of controls.

Article 25: Data Protection by Design and by Default. Organizations must integrate data protection into systems and processes from the start of development — minimizing data collection, limiting access, ensuring privacy-centric defaults, and using secure development lifecycle (SDLC) practices.

Article 33: Breach Notification to Supervisory Authorities. Data controllers must notify the appropriate data protection authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in risk to individuals. Notification must include the nature of the breach, categories and number of affected individuals, mitigation measures, and contact details for the DPO.

Article 34: Breach Notification to Data Subjects. If a breach is likely to result in high risk to individuals’ rights and freedoms, the controller must also notify affected individuals without undue delay.

Article 35: Data Protection Impact Assessments (DPIAs). Required when processing is likely to result in high risk (e.g., profiling, large-scale processing, new technologies). DPIAs must describe processing operations, assess necessity and proportionality, evaluate risks to data subjects, and identify mitigating controls.

Enforcement

Ramifications of Non-Compliance with GDPR

The GDPR introduced a tiered enforcement regime giving supervisory authorities significant leverage. Violations related to recordkeeping, data protection by design/default, breach notification and processor obligations carry fines of up to €10 million or 2% of annual global turnover. Violations of core principles (e.g., data subject rights, consent, data transfers) carry fines of up to €20 million or 4% of annual global turnover.

Under Article 82, data subjects have the right to seek compensation for material and non-material damage caused by GDPR violations. Member States can allow for representative actions, including class action lawsuits. Organizations found non-compliant may also face loss of customer trust, contractual termination by EU-based partners, restrictions on international data transfers, and operational disruption due to mandated remediation.

British Airways — £20 Million Fine (2020)

Incident: Hackers redirected BA website visitors to a fraudulent page, collecting over 400,000 payment card details. Finding: Inadequate security controls, including poor log management and failure to detect the breach for two months. Outcome: The originally proposed fine was £183M; the final fine was reduced due to COVID-19, but the decision still emphasized the failure to apply appropriate technical measures.

Marriott — £18.4 Million Fine (2020)

Incident: Breach of Starwood guest reservation database exposed data of 339 million guests. Finding: Marriott failed to conduct adequate due diligence and failed to detect intrusion for over four years. Outcome: Demonstrated the importance of security integration in M&A activity and continuous monitoring.

Meta (Facebook) — €1.2 Billion Fine (2023)

Violation: Illegal data transfers from EU to U.S. using invalidated standard contractual clauses (SCCs). Outcome: Largest GDPR fine to date, signaling increased scrutiny of cross-border infrastructure and international data processing.

H&M — €35.3 Million Fine (2020)

Violation: Covert monitoring of employee data, including health and family details, stored insecurely on shared drives. Outcome: Reinforced expectations around data minimization and access control even in internal systems.

Compliance Strategy

Common Methods to Achieve and Maintain GDPR Compliance

Compliance with GDPR’s security obligations is highly context-dependent. Regulators expect controls appropriate to the sensitivity of the data, size of the organization and nature of the risk:

Data Mapping and Classification

Maintain detailed data flow diagrams, tag or label personal and sensitive data, and map cross-border data transfers — especially to non-EU jurisdictions.

Encryption and Pseudonymization

AES-256 encryption for data at rest; TLS 1.2 or higher for data in transit; use of hashed identifiers, tokenization, or anonymization where feasible.
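The "hashed identifiers" and "tokenization" techniques above differ in an important way that matters when a supervisory authority asks whether data is genuinely pseudonymized: an unkeyed hash of a guessable identifier (an e-mail address, a national ID number) can be recomputed by anyone who holds a list of candidate values, whereas a keyed hash (HMAC) or a token vault requires a secret that is stored separately from the data set. The following Python is an added illustration, not code from the SCF or from any GDPR guidance; the key, the record fields and the candidate list are constructed placeholders.

```python
"""Pseudonymization and tokenization helpers, added as an illustration (not SCF or GDPR-supplied code)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed placeholder key. A real deployment keeps this in a key manager,
# separate from the pseudonymized data set, so that re-identification needs both.
PSEUDONYMIZATION_KEY = b"example-key-do-not-use-in-production"


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of an identifier. Deterministic, but anyone can recompute it."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Still deterministic (records can be joined across
    systems), but recomputing it requires the secret key."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def rebuild_from_candidates(pseudonym: str, candidates: Iterable[str],
                            fn: Callable[[str], str]) -> Optional[str]:
    """Defender's check: can this pseudonym be re-linked to one of a list of known
    identifiers by re-running fn? Used here only to show the difference between
    the unkeyed and keyed schemes during control selection."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


class TokenVault:
    """Tokenization: replace a value with a random token; the vault's mapping is
    the only way back, so the vault must be access-controlled and logged."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(16)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_value.get(token)


def pseudonymize_record(record: Dict[str, str], key: bytes, vault: TokenVault) -> Dict[str, str]:
    """Replace the direct identifiers in a constructed customer record:
    the e-mail becomes a keyed pseudonym, the card number becomes a vault token."""
    out = dict(record)
    out["email"] = keyed_pseudonym(record["email"], key)
    out["card_number"] = vault.tokenize(record["card_number"])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record.
    rec = {"email": "Alice@Example.com", "card_number": "4111111111111111", "plan": "gold"}
    print(pseudonymize_record(rec, PSEUDONYMIZATION_KEY, vault))
```

The design point for a DPIA or Article 32 write-up is which secret protects re-identification: for the keyed pseudonym it is the HMAC key, for tokenization it is the vault mapping, and neither should live alongside the pseudonymized data.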

Access Controls and Identity Management

Role-based access control (RBAC), multi-factor authentication (MFA), privileged access management (PAM), and periodic user access reviews.

Logging and Monitoring

SIEM, audit trails of data access and changes, alerts for anomalous or unauthorized access, and log retention policies aligned with compliance needs.
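Two of the alert types named above, anomalous access and unauthorized access, can be made concrete against an audit trail of personal-data reads. The Python below is an added example, not SCF or GDPR-supplied code: it parses a constructed key=value audit log (the format and the role policy are assumptions, not any product's real format), flags a user who touches more distinct data subjects than a threshold within a time window, and flags actions that fall outside the user's role.

```python
"""Audit-log detection example for personal-data access, added for illustration (not SCF or GDPR-supplied code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample audit trail in an assumed key=value format.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z user=alice role=support action=read subject_id=1001
2024-05-01T09:00:40Z user=alice role=support action=read subject_id=1002
2024-05-01T09:01:10Z user=alice role=support action=read subject_id=1003
2024-05-01T09:01:55Z user=alice role=support action=read subject_id=1004
2024-05-01T09:02:30Z user=bob role=support action=export subject_id=2001
2024-05-01T09:03:00Z user=carol role=dba action=export subject_id=3001
2024-05-01T09:30:00Z user=bob role=support action=read subject_id=2002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) subject_id=(?P<subject>\S+)$"
)

# Assumed policy: which actions each role may perform on personal data.
# An unknown role maps to the empty set, so every action by it is flagged.
ROLE_PERMISSIONS = {"support": {"read"}, "dba": {"read", "export"}}


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn log lines into event dicts; malformed lines are skipped here,
    although a production pipeline should count them as a parsing-failure metric."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event: Dict[str, object] = match.groupdict()
        event["ts"] = datetime.strptime(str(event["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_bulk_access(events: List[Dict[str, object]], max_subjects: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, int, datetime]]:
    """Anomalous access: a user touching more than max_subjects distinct data
    subjects inside any window. Returns (user, distinct subjects, window start)."""
    alerts = []
    by_user: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[str(event["user"])].append(event)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            # Distinct subjects in the window starting at this event.
            subjects = {e["subject"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(subjects) > max_subjects:
                alerts.append((user, len(subjects), first["ts"]))
                break  # one alert per user is enough for the analyst queue
    return alerts


def detect_role_violations(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Unauthorized access: any action not permitted for the actor's role."""
    return [e for e in events if e["action"] not in ROLE_PERMISSIONS.get(str(e["role"]), set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bulk access:", detect_bulk_access(evs))
    print("role violations:", [(e["user"], e["action"]) for e in detect_role_violations(evs)])
```

Both detections depend on the audit trail recording the data subject touched and the actor's role at the time, which is the evidence a regulator asks for when, as in the enforcement cases above, the question is how long an intrusion went unnoticed.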

Vendor Risk Management

Sign Data Processing Agreements (DPAs), perform security due diligence, monitor ongoing processor performance, and require breach notification clauses and subprocessor disclosures.

Security Testing and Validation

Regular penetration testing, vulnerability scanning, configuration audits, and secure code reviews — meeting the “regular testing and evaluation” requirement under Article 32.

Documentation

Understanding The Value of Quality Cybersecurity Documentation in GDPR Success

GDPR’s accountability principle (Article 5(2)) obligates organizations not only to comply — but to demonstrate compliance. Documentation is the linchpin of that defense. In regulatory audits or incident investigations, regulators do not assess intent — they assess evidence.

Security Policies and Procedures

Information security policy, access control policy, encryption and key management standards, incident response plans, and disaster recovery and business continuity procedures.

Risk Assessments and DPIAs

Threat models, control selection rationale, DPIA findings, and remediation tracking logs — aligned with ISO 27005 or NIST RMF methodologies.

Processor Contracts and Audit Trails

Written DPAs including security obligations, subprocessor listings, breach reporting timelines, and audit rights.

Breach Documentation

Internal documentation of breach facts, effects, and remediation steps — even if the breach does not meet the notification threshold.

Security Testing Results

Penetration test reports, remediation tracking, change logs, and security patches applied.

Get Started

See GDPR Mapped in the SCF

GDPR — and 200+ more laws, regulations, and frameworks — is mapped to the SCF’s 1,400+ controls across 33 domains. Download the Common Controls Framework™ free.