EU GDPR Compliance Criteria (EGCC) - Using The DSP for EU GDPR Compliance

Posted by ComplianceForge on Mar 6th 2018

By the time you pour yourself a cup of coffee and read through this article, you can have a pretty solid understanding of the criteria you need in order to legitimately comply with the European Union General Data Protection Regulation (GDPR).

With GDPR, there is an expectation that your organization can demonstrate two things, which essentially govern GDPR compliance efforts:

  1. Your organization is aligned with a cybersecurity framework to ensure appropriate technical, administrative and physical controls are in place; and
  2. Your organization is aligned with a privacy framework to ensure appropriate privacy controls are in place.

The good news is ComplianceForge can help with these requirements, especially with the Digital Security Program (DSP). The DSP covers both cybersecurity and privacy needs for businesses and it provides 1-1 mapping with the Secure Controls Framework (SCF). The DSP and SCF address 100 statutory, regulatory and contractual frameworks for cybersecurity and privacy compliance. This helps reduce the confusion and complexity of complying with multiple requirements.

The image below covers this process in greater detail. From there, the alignment with your frameworks essentially provides a “paint by numbers” approach to complying with GDPR, since GDPR leverages work you should already have done through your existing cybersecurity and privacy program. For the most part, GDPR is nothing new - it is just enforcing reasonably-expected practices and punishing non-compliance with significant penalties.

DOWNLOAD LINK - http://scf.securecontrolsframework.com/examples/EU-GDPR-Compliance-Criteria.pdf

EU GDPR Compliance Criteria

GDPR is process-related, as compared to a simple control checklist such as PCI DSS. With a focus on process, it requires good documentation in order to demonstrate how people, processes and technology are managed to ensure that both cybersecurity and privacy principles are implemented consistently.

To help in managing GDPR requirements and to show how the GDPR articles map to common cybersecurity and privacy frameworks, the spreadsheet below is the EU GDPR Compliance Criteria (EGCC), a free reference from the Secure Controls Framework (SCF) (https://www.securecontrolsframework.com).

DOWNLOAD LINK - http://scf.securecontrolsframework.com/examples/EU-GDPR-Compliance-Criteria.pdf

GDPR compliance made easy

The EGCC maps GDPR articles to the following:

  • Secure Controls Framework (SCF) controls, including the focus (e.g., management, technical users or all users).
  • Cybersecurity frameworks (e.g., NIST 800-53, ISO 27002 & NIST Cybersecurity Framework).
  • Privacy frameworks (e.g., SOC2, GAPP).
  • A RACI-style diagram that shows the most common parties involved in managing certain controls.

If you have any questions about this, please feel free to contact me - Tom Cornelius tcornelius@complianceforge.com. ComplianceForge offers not only cybersecurity documentation to help businesses comply with EU GDPR, but also consulting services.