GDPR
General Data Protection Regulation (EU 2016/679)
The EU regulation governing the processing of personal data. Its security and accountability articles (notably Art. 5, 25, 30, 32–35) map directly onto technical and organizational controls in security frameworks.
Who it applies to
Any organization, anywhere in the world, that processes the personal data of individuals in the EU/EEA — whether established in the EU or offering goods and services to, or monitoring the behaviour of, people there.
Chapter II — Principles
Chapter IV — Controller and processor
- Art. 25 Data protection by design and by default10 mapped
Implement appropriate technical and organizational measures to embed data-protection principles by design and by default.
- Art. 30 Records of processing activities6 mapped
Maintain a record of processing activities under the controller's or processor's responsibility.
- Art. 32 Security of processing21 mapped
Implement appropriate technical and organizational measures — including encryption, confidentiality, integrity, availability and resilience — to ensure a level of security appropriate to the risk.
- Art. 33 Notification of a personal data breach to the supervisory authority13 mapped
Notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours.
- Art. 35 Data protection impact assessment
Carry out an assessment of the impact of processing operations that are likely to result in a high risk to individuals' rights and freedoms.