EU - GDPR
Name: European Union General Data Protection Regulation (EU GDPR)
Type: Statutory (Law)
Authoritative Source: EU Regulation 2016/679
Certification Available: No. There is no official certification for EU GDPR. However, the Secure Controls Framework Conformity Assessment Program (SCF CAP) can provide a path to demonstrate conformity with EU GDPR through a third-party conformity assessment.
Too Long / Didn’t Read (TL/DR): GDPR is almost a decade old, but it permanently altered the role of cybersecurity within organizations. No longer relegated to IT infrastructure, data protection is now a legal requirement and cybersecurity controls are the means of meeting it. The law sets a high bar: continuous, demonstrable and risk-based control over how personal data is accessed, stored, transmitted and destroyed.
Non-compliance is no longer an internal matter. It invites multi-million-euro fines, lawsuits and reputational damage. As regulators increase scrutiny and public awareness grows, organizations must elevate cybersecurity from a technical function to a strategic compliance discipline.
A mature GDPR program is one where risk, governance, operations and technology work in concert. Strong documentation is the connective tissue—it links legal obligations to operational activity and enables the transparency, accountability and resilience demanded by modern data protection laws.
GRC-Focused Overview of GDPR
The European Union’s General Data Protection Regulation (GDPR) is widely regarded as the most comprehensive data protection regulation enacted to date. While often categorized as a “privacy law,” GDPR is equally rooted in information security. It requires organizations to implement “appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of personal data. These are not abstract goals, but foundational cybersecurity principles.
For cybersecurity leaders, GDPR is not just a checkbox. It is a legal mandate for risk-based information governance, breach readiness, third-party accountability and continuous operational resilience.
This page provides a cybersecurity-focused summary of GDPR from a GRC practitioner's perspective, including:
- The history and purpose of the law;
- The consequences of non-compliance;
- Practical compliance strategies;
- High-profile enforcement actions; and
- The role of high-quality documentation in audit readiness and breach resilience.
GDPR - Origins and Purpose
GDPR was adopted on April 27, 2016 and became enforceable on May 25, 2018, replacing the 1995 Data Protection Directive (95/46/EC). The need for reform stemmed from the digital economy’s explosive growth and the proliferation of personal data across borders, platforms and technologies.
Whereas the 1995 directive was designed for an analog-to-digital transition, GDPR was written for a world of cloud computing, AI, social media, mobile applications and global commerce. Its key objectives:
- Harmonize data protection laws across the EU;
- Strengthen individual rights over personal data;
- Increase accountability for data controllers and processors; and
- Establish significant fines for violations.
GDPR shifted the burden of proof onto organizations, which must be able to demonstrate compliance at all times (the accountability principle, Article 5(2)). This fundamentally changed how cybersecurity, legal, risk and compliance teams approach data protection. Both controllers and processors have independent obligations under GDPR, a key departure from the 1995 directive, which placed obligations almost entirely on controllers.
Key Definitions for Cybersecurity Relevance
- Personal data: Any information relating to an identified or identifiable natural person (data subject).
- Processing: Any operation performed on personal data (collection, storage, access, deletion, transmission).
- Controller: Entity that determines the purposes and means of processing personal data.
- Processor: Entity that processes personal data on behalf of the controller.
Ramifications of Non-Compliance with GDPR
The GDPR introduced a tiered enforcement regime, giving supervisory authorities across EU member states significant leverage to pursue violations. The most impactful regulatory tool is the ability to impose massive administrative fines.
- Financial Penalties. For multinational corporations these penalties can reach hundreds of millions of euros and, in the Meta case below, more than a billion, making them among the most serious corporate liabilities on the global regulatory landscape. Article 83 sets two tiers:
- Up to €10 million or 2% of annual global turnover, whichever is higher (Article 83(4)), for violations of controller and processor obligations such as recordkeeping, data protection by design and by default, security of processing, breach notification and processor obligations.
- Up to €20 million or 4% of annual global turnover, whichever is higher (Article 83(5)), for violations of the core principles, data subject rights, the conditions for consent and international data transfers.
- Civil Litigation and Class Actions. Cybersecurity breaches that result in exposure of personal data often trigger simultaneous regulatory investigations and civil suits, especially when lack of reasonable security can be demonstrated.
- Under Article 82, data subjects have the right to seek compensation for material and non-material damage caused by GDPR violations. Member States can allow for representative actions, including class action lawsuits.
- Business and Contractual Consequences. These indirect consequences often exceed the immediate cost of fines and can significantly impact long-term business viability in European markets. Organizations found non-compliant may also face:
- Loss of customer trust;
- Contractual termination by EU-based partners;
- Restrictions on international data transfers; and
- Operational disruption due to mandated remediation.
GDPR is technology-neutral, but it imposes broad and enforceable security and accountability mandates that fall squarely within the cybersecurity function. While Article 5 sets general principles, Articles 25, 32, 33, 34 and 35 specifically address security and breach obligations.
Article 32: Security of Processing
Controllers and processors must implement “appropriate technical and organizational measures” to ensure a level of security appropriate to the risk. This includes:
- Pseudonymization and encryption;
- Ongoing confidentiality, integrity, availability and resilience;
- Ability to restore access to personal data in a timely manner; and
- Regular testing and evaluation of controls.
This is effectively a mandate for a risk-based cybersecurity program, not a prescriptive checklist.
Article 25: Data Protection by Design and by Default
Organizations must integrate data protection into systems and processes from the start of development. Key cybersecurity actions:
- Minimizing data collection;
- Limiting access to personal data;
- Ensuring default configurations are privacy-centric; and
- Using secure development lifecycle (SDLC) practices.
Security must be engineered into software and business processes—not bolted on as an afterthought.
Article 33: Breach Notification (to Supervisory Authorities)
Controllers must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Awareness means the controller has a reasonable degree of certainty that a security incident has compromised personal data, so detection latency directly consumes the window. Where all the facts are not yet available, the information may be provided in phases (Article 33(4)).
The notification must include:
- Nature of the breach, including the categories and approximate number of affected data subjects and records;
- Likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its effects; and
- Contact details for the data protection officer (DPO) or other contact point.
Processors must notify controllers without undue delay after becoming aware of a breach.
Article 34: Breach notification (to Data Subjects)
If a breach is likely to result in high risk to individuals’ rights and freedoms, the controller must also notify affected individuals without undue delay. Article 34(3)(a) removes this obligation where the controller had applied measures that render the data unintelligible to unauthorized persons, such as encryption, which is the most direct way GDPR rewards a specific security control. Failure to notify may result in higher fines, especially if the organization lacks adequate breach detection or containment capabilities.
Article 35: Data Protection Impact Assessments (DPIAs)
Required when processing is likely to result in high risk (e.g., profiling, large-scale processing, new technologies). DPIAs must:
- Describe processing operations and purposes;
- Assess necessity and proportionality;
- Evaluate risks to data subjects; and
- Identify and document mitigating controls.
Cybersecurity risk analysis is integral to DPIA outcomes and must be conducted before the processing begins.
Common Methods to Achieve and Maintain GDPR Compliance
Compliance with GDPR’s security obligations is highly context-dependent. Regulators expect organizations to implement controls appropriate to the sensitivity of the data, size of the organization and nature of the risk. The following cybersecurity strategies are widely recognized as essential.
- Data Mapping and Classification. Understand what personal data is collected, where it resides, who can access it and where it is transferred. This inventory underpins risk assessments, DPIAs and breach analysis. Cybersecurity teams must:
- Maintain detailed data flow diagrams;
- Tag or label personal and sensitive data; and
- Map cross-border data transfers (especially to non-EU jurisdictions).
- Encryption and Pseudonymization. Neither is strictly mandatory, but both are named in Article 32(1)(a) as examples of appropriate measures, and Article 34(3)(a) relieves a controller of notifying data subjects when breached data had been rendered unintelligible (e.g., encrypted with keys that were not also compromised). Pseudonymization likewise lowers the risk to individuals that drives the Article 33 notification threshold. Best practices include:
- Authenticated encryption (e.g., AES-256-GCM) for data at rest, with keys managed separately from the data;
- TLS 1.2 or higher for data in transit; and
- Keyed hashing (HMAC), tokenization or true anonymization for identifiers where feasible. An unkeyed hash of a low-entropy identifier such as an e-mail address can be reversed by guessing and is only weak pseudonymization; pseudonymized data also remains personal data under GDPR (Recital 26).
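The following is an added example, not code from the page or from any framework it cites, showing why the distinction between an unkeyed hash and a keyed hash (or a token vault) matters for pseudonymization. The e-mail addresses, the attacker's guess list and the keys are constructed for the demonstration. It shows that a plain SHA-256 of an identifier is recovered by a dictionary attack, while an HMAC under a key kept separately from the data (the "additional information" of Article 4(5)) can only be reversed by the party holding that key, and that tokenization removes any computable relationship at all.

```python
"""Pseudonymizing identifiers: unkeyed hash vs. keyed hash (HMAC) vs. tokenization.

Added example; not code from the page or from any referenced framework.
The e-mail addresses, guess list and keys below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def normalize(identifier: str) -> bytes:
    """Canonicalize before hashing so 'Alice@Example.com ' and 'alice@example.com' map to one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic, but anyone who can guess the input (e-mail addresses, national ID
    numbers and phone numbers are all low-entropy) can recompute the hash and
    re-identify the record. This is weak pseudonymization.
    """
    return hashlib.sha256(normalize(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' of Article 4(5): stored separately from the
    pseudonymized dataset (e.g., in a KMS or HSM) it lets the controller re-identify data
    subjects, while a party holding only the dataset cannot recompute or reverse anything.
    """
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym: str, guesses: Iterable[str],
                      pseudonymize: Callable[[str], str]) -> Optional[str]:
    """Attacker's (or controller's) view: recompute pseudonyms for candidate identifiers
    and return the one that matches, or None if none does."""
    for candidate in guesses:
        if hmac.compare_digest(pseudonymize(candidate), pseudonym):
            return candidate
    return None


class TokenVault:
    """Tokenization: identifiers are replaced by random tokens and the mapping lives in a
    vault that must be protected and stored separately from the tokenized dataset.
    Tokens carry no information about the identifier, so guessing inputs is useless
    without the vault."""

    def __init__(self) -> None:
        self._to_token: dict = {}
        self._to_identifier: dict = {}

    def tokenize(self, identifier: str) -> str:
        canonical = normalize(identifier).decode("utf-8")
        if canonical not in self._to_token:
            token = secrets.token_hex(16)  # 128 random bits, unrelated to the input
            self._to_token[canonical] = token
            self._to_identifier[token] = canonical
        return self._to_token[canonical]

    def detokenize(self, token: str) -> Optional[str]:
        return self._to_identifier.get(token)


def new_pseudonymization_key() -> bytes:
    """Generate a 256-bit key; in production this lives in a KMS, never beside the data."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # Constructed scenario: a pseudonymized record leaks and the attacker holds a guess list.
    subject = "alice@example.com"
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    key = new_pseudonymization_key()

    print("unkeyed hash re-identified as:",
          dictionary_attack(naive_pseudonym(subject), guesses, naive_pseudonym))
    keyed = keyed_pseudonym(subject, key)
    print("HMAC, attacker guessing a key:",
          dictionary_attack(keyed, guesses, lambda c: keyed_pseudonym(c, b"\x00" * 32)))
    print("HMAC, controller holding the key:",
          dictionary_attack(keyed, guesses, lambda c: keyed_pseudonym(c, key)))
```

The practical consequence for a breach assessment: a leaked table of unkeyed hashes should be treated as identifiable personal data, whereas a leaked table of HMAC pseudonyms or vault tokens, with the key or vault intact, supports the lower-risk position under Articles 33 and 34. Rotating the HMAC key changes every pseudonym, so key rotation must be planned alongside any joins that depend on the pseudonyms staying stable.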
- Access Controls and Identity Management. Limiting access is central to GDPR security: controllers are expected to ensure that personal data is only accessible to authorized individuals who need it to perform their duties. This includes:
- Role-based access control (RBAC);
- Multi-factor authentication (MFA);
- Privileged access management (PAM); and
- Periodic user access reviews.
- Logging and Monitoring. Organizations must demonstrate that they can detect and respond to data breaches. Without detection an organization cannot meet GDPR’s 72-hour breach notification window, and regulators (as in the British Airways and Marriott cases below) treat long undetected dwell times as evidence of inadequate Article 32 measures. Security operations should include:
- Security Information and Event Management (SIEM);
- Audit trails of data access and changes;
- Alerts for anomalous or unauthorized access; and
- Log retention policies aligned with compliance needs.
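As an added example, not code from the page, the block below runs two simple detections over a constructed audit trail of an application that fronts personal-data stores: a role touching a store it is not entitled to, and a single user touching an unusually large number of records within a sliding one-hour window. It then computes the Article 33 deadline from the earliest alert, to make the point that the 72-hour clock is tied to awareness. The log format, the role-to-dataset entitlement matrix, the threshold and the log lines are all assumptions made for the demonstration.

```python
"""Detecting anomalous access to personal-data stores and computing the Article 33 clock.

Added example; not code from the page. The audit-log format, the role-to-dataset
entitlement matrix and the log lines themselves are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed audit trail of an application fronting two personal-data stores.
# Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2025-03-03T08:01:12Z user=jdoe role=support action=read dataset=customers count=1
2025-03-03T08:03:40Z user=jdoe role=support action=read dataset=customers count=1
2025-03-03T22:14:05Z user=jdoe role=support action=export dataset=customers count=120000
2025-03-03T22:15:51Z user=mlee role=marketing action=read dataset=hr_health count=40
2025-03-03T22:16:02Z user=mlee role=marketing action=read dataset=hr_health count=35
2025-03-04T09:00:00Z user=hrbp1 role=hr action=read dataset=hr_health count=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) dataset=(?P<dataset>\S+) count=(?P<count>\d+)$"
)

# Constructed RBAC matrix: which roles may touch which store (the "limiting access" of Article 25).
ENTITLEMENTS: Dict[str, set] = {
    "customers": {"support", "service", "dpo"},
    "hr_health": {"hr", "dpo"},
}
BULK_THRESHOLD = 1_000          # records per user within the window (tune per dataset)
WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    dataset: str
    count: int


@dataclass(frozen=True)
class Alert:
    kind: str        # "unauthorized_access" or "bulk_access"
    user: str
    dataset: str
    ts: datetime


def parse_line(line: str) -> Optional[Event]:
    """Parse one audit line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["role"], m["action"], m["dataset"], int(m["count"]))


def detect(log_text: str) -> List[Alert]:
    """Two detections over the audit trail:
    1. a role accessing a store it is not entitled to (authorization failure or privilege misuse);
    2. one user touching >= BULK_THRESHOLD records within a sliding WINDOW (exfiltration pattern)."""
    alerts: List[Alert] = []
    windows: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.role not in ENTITLEMENTS.get(ev.dataset, set()):
            alerts.append(Alert("unauthorized_access", ev.user, ev.dataset, ev.ts))
        q = windows[ev.user]
        q.append((ev.ts, ev.count))
        while q and ev.ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        if sum(c for _, c in q) >= BULK_THRESHOLD:
            alerts.append(Alert("bulk_access", ev.user, ev.dataset, ev.ts))
    return alerts


def notification_deadline(awareness: datetime) -> datetime:
    """Article 33(1): notify the supervisory authority without undue delay and, where feasible,
    within 72 hours of becoming aware. The clock runs on calendar time, weekends included.
    Awareness is when the controller has reasonable certainty of a breach, which may be later
    than the first alert; using the alert time here is the conservative choice."""
    return awareness + timedelta(hours=72)


def earliest_alert(alerts: List[Alert]) -> Optional[datetime]:
    return min((a.ts for a in alerts), default=None)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts.isoformat()} {a.kind:20s} user={a.user} dataset={a.dataset}")
    first = earliest_alert(found)
    if first:
        print("If confirmed as a breach, the Article 33 deadline is", notification_deadline(first).isoformat())
```

On the constructed log this raises one bulk-access alert for the 120,000-record export by a support user and two unauthorized-access alerts for a marketing role reading an HR health dataset, while the HR user's small read passes. The same audit trail that feeds these rules is also the record a supervisory authority will ask for when reconstructing what was accessed, by whom and when, so log retention for personal-data stores should be set with that investigation in mind.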
- Vendor Risk Management. Processors are directly accountable under GDPR, and Article 28 requires a written contract governing every controller-processor relationship. This shared liability requires a formalized third-party risk management framework; spreadsheets and informal agreements are insufficient. Controllers must:
- Sign Data Processing Agreements (DPAs);
- Perform security due diligence;
- Monitor ongoing processor performance; and
- Require breach notification clauses and subprocessor disclosures.
- Security Testing and Validation. A mature GDPR program incorporates the following activities, which help meet the requirement for “regular testing and evaluation” of security controls under Article 32:
- Regular penetration testing;
- Vulnerability scanning;
- Configuration audits; and
- Secure code reviews.
Public Examples of GDPR Enforcement Actions
Since 2018, EU data protection authorities have issued well over a thousand fines totaling several billion euros. Several high-profile cases underscore the intersection between cybersecurity failures and GDPR violations.
British Airways – £20 Million Fine (2020)
- Incident: Attackers modified BA’s website so that customer traffic was diverted to a fraudulent page, compromising the personal data of roughly 430,000 customers and staff, including payment card details.
- Finding: The ICO found inadequate security controls, including poor log management; the attack went undetected for more than two months and BA did not discover it itself.
- Outcome: The notice of intent proposed £183M; the final £20M penalty reflected BA’s representations and the economic impact of COVID-19, but still rested on a failure to apply appropriate technical and organizational measures.
Marriott – £18.4 Million Fine (2020)
- Incident: A 2014 compromise of the Starwood guest reservation database, discovered only in 2018 after Marriott had acquired Starwood, exposed approximately 339 million guest records worldwide, about 30 million of them relating to EEA residents.
- Finding: The ICO found that Marriott failed to undertake sufficient due diligence when acquiring Starwood and failed to detect the intrusion for roughly four years.
- Outcome: Demonstrated the importance of integrating security review into M&A activity and of continuous monitoring.
Meta (Facebook) – €1.2 Billion Fine (2023)
- Violation: Continued transfers of Facebook users’ personal data from the EU to the U.S. on the basis of standard contractual clauses (SCCs) after the CJEU’s Schrems II judgment, without supplementary measures sufficient to address the U.S. surveillance law concerns that judgment raised.
- Relevance: Although a transfer case rather than a breach, the question was whether personal data remained protected against access by foreign authorities once moved, which bears directly on where infrastructure is located and how international processing is architected.
- Outcome: Largest GDPR fine to date, issued by the Irish Data Protection Commission, signaling increased scrutiny of cross-border infrastructure.
H&M – €35.3 Million Fine (2020)
- Violation: Managers at H&M’s Nuremberg service center recorded extensive details of employees’ private lives, including health and family matters, on a shared network drive accessible to dozens of managers; a configuration error briefly exposed it company-wide.
- Relevance: Excessive collection and failure to restrict access to sensitive personal data.
- Outcome: The Hamburg data protection authority’s fine reinforced expectations around data minimization and access control even in internal systems.
Understanding The Value of Quality Cybersecurity Documentation in GDPR Success
GDPR's accountability principle (Article 5(2)) obligates organizations not only to comply—but to demonstrate compliance. Documentation is the linchpin of that defense. In regulatory audits or incident investigations, regulators do not assess intent—they assess evidence.
- Security Policies and Procedures. These should be tailored to the organizational structure and maintained as living documents, not outdated templates. Organizations must maintain:
- Information security policy;
- Access control policy;
- Encryption and key management standards;
- Incident response plans; and
- Disaster recovery and business continuity procedures.
- Risk Assessments and DPIAs. Security decisions must be based on documented risk. Assessments should follow a recognized methodology such as ISO/IEC 27005 or the NIST RMF and be refreshed periodically. Auditable records should include:
- Threat models;
- Control selection rationale;
- DPIA findings; and
- Remediation tracking logs.
- Processor Contracts and Audit Trails. Controller-processor relationships require written DPAs, and logs of processor assessments, contract versions and communications are critical during breach investigations. DPAs should include:
- Security obligations;
- Subprocessor listings;
- Breach reporting timelines; and
- Audit rights.
- Breach Documentation. Article 33(5) requires the controller to document every personal data breach, including those that do not meet the notification threshold, and this breach register must be available for supervisory authority review. Each entry must record:
- The facts of the breach;
- Its effects; and
- The remedial action taken.
- Security Testing Results. Retain evidence of:
- Penetration test reports;
- Remediation tracking;
- Change logs; and
- Security patches applied.