Mapping of GDPR categories to EU legislation


(SPE2401)

This section maps the GDPR legislation to the twelve categories presented, to assist with understanding and to justify these categories.

Important

The citations included in the following are:

  • representative, and not necessarily the only or best citations associated with the GDPR requirement category;
  • intended only as a simple justification for the requirement, one of many that might be stated in the GDPR legislation; and
  • paraphrased or abridged from the recitals and articles, so the text of the Regulation itself should be consulted for the exact wording.

The ISO 27001 control numbers quoted with the requirements (A.10.6.x and A.10.10.x) follow the Annex A numbering of ISO/IEC 27001:2005. Later editions of the standard renumber these controls, so map them to the edition your organization is certified against.

GDPR #01 - Identification of data stores

Devices containing or processing private information shall be identified, monitored, and controlled.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to supporting data privacy, the organization must identify the locations where personal data is stored, so that this data can be managed and secured; a data store that is not in the inventory cannot be monitored, controlled, or included in the record of processing activities.

Recital or Article

Description

Recital 1

The protection of natural persons in relation to the processing of personal data is a fundamental right.

Recital 26

The principles of data protection should apply to any information concerning an identified or identifiable natural person.

Recital 30

Natural persons might be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses or other identifiers.

Article 30

Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

GDPR #02 - Network controls 

(ISO 27001.A.10.6.1) Networks shall be adequately managed and controlled, including information in transit.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to supporting data privacy, the organization must safeguard its data by ensuring that the network perimeter (firewalls and routers) protects the data from unauthorized access, and by tracking transfers of data items that can contain personal and controlled information. This can be accomplished by implementing the specification of ISO 27001 control A.10.6.1, or other common security specifications.

Recital or Article

Description

Recital 49

Processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, that is, the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, constitutes a legitimate interest of the data controller concerned.

Recital 81

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Article 44

Any transfer of personal data that are undergoing processing or are intended for processing after transfer shall take place only if the conditions laid down in this section are complied with including for onward transfers of personal data.

Article 48

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty.

GDPR #03 - Security of network services 

(ISO 27001.A.10.6.2) Security features, service levels, and management requirements of all network services shall be identified and included.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to supporting data privacy, the organization must safeguard the data by managing its network services and by adhering to a recognized security standard such as ISO 27001 (control A.10.6.2). Note that ISO 27001 certification is not by itself an approved certification mechanism in the sense of Article 42 of the GDPR; it is, however, widely accepted as evidence that appropriate technical and organisational measures are in place.

Recital or Article

Description

Recital 39

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.

Recital 49

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, and the security of the related services offered by, or accessible via, those networks and systems, constitutes a legitimate interest of the data controller concerned; for example, preventing denial-of-service attacks.

Recital 81

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Article 32

The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Adherence to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate compliance with these requirements.

GDPR #04 - Audit logging 

(ISO 27001.A.10.10.1) Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to demonstrating compliance, the organization must keep, maintain, and secure an audit trail that provides forensic evidence of user and other activity (as discussed in the ISO 27001 standard, control A.10.10.1).

Recital or Article

Description

Recital 81

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Article 28 

The processor shall provide sufficient guarantees to implement appropriate technical and organisational measures, shall make available to the controller all information necessary to demonstrate compliance, and shall allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Article 30

Records of processing activities. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

Article 32 

The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.

GDPR #05 - Monitoring of system usage 

(ISO 27001.A.10.10.2) Monitoring of information processing facilities shall be established and reviewed.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to demonstrating compliance, the organization must record, retain, and regularly review system usage, including user access and system performance (as discussed in the ISO 27001 standard, control A.10.10.2).

Recital or Article

Description

Recital 81

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Article 30 

Records of processing activities. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

Article 32

The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.

Article 39

The data protection officer shall monitor compliance with this regulation, awareness-raising and training of staff involved in processing operations, and the related audits.

GDPR #06 - Protection of log information 

(ISO 27001.A.10.10.3) Logging facilities and log information shall be protected against tampering and unauthorized access.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to demonstrating compliance, the organization must protect log information so that it remains usable for forensics; specifically, the organization must preserve the chain of evidence associated with any audit-related activity, which is necessary to support the investigation and prosecution of criminal offences (as discussed in the ISO 27001 standard, control A.10.10.3). In practice this means that logs are written to storage that the monitored users and administrators cannot alter, and that any modification or deletion of log data is itself detectable.

Recital or Article

Description

Recital 19

The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, is the subject of a specific Union legal act.

Recital 81

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Article 23

Union or Member State law may restrict the scope of the obligations and rights provided for in the Regulation where necessary to safeguard national security, defence, public security, the prevention, investigation, detection or prosecution of criminal offences, and the enforcement of civil law claims.

GDPR #07 - Administrator and operator controls 

(ISO 27001.A.10.10.4) system administrator and system operator activities shall be logged.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to demonstrating compliance, the organization must monitor the activities of administrators and operators (and of any other person who has a path to, or contact with, personal and private data), which is necessary to safeguard against abuse by privileged users and operators (as discussed in the ISO 27001 standard, control A.10.10.4).

Recital or Article

Description

Recital 39 

Any processing of personal data should be lawful and fair, and natural persons should be made aware of the identity of the controller, the purposes of the processing, and further information needed to ensure fair and transparent processing.

Article 28

The processor shall provide sufficient guarantees to implement appropriate technical and organisational measures, shall make available to the controller all information necessary to demonstrate compliance, and shall allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Article 32 

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Article 40

A code of conduct shall contain mechanisms that enable the monitoring body referred to in Article 41 to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors that undertake to apply it.

GDPR #08 - Fault logging 

(ISO 27001.A.10.10.5) Faults shall be logged, analyzed, and appropriate action taken.

This requirement derives from multiple GDPR recitals and articles. As a prerequisite to demonstrating compliance, the organization must monitor the behaviour of its programs, and faults in particular. Fault monitoring is necessary to safeguard against privileged users and operators taking advantage of those faults, and to detect software failures that might indicate the organization is no longer in compliance with the GDPR requirements (as discussed in the ISO 27001 standard, control A.10.10.5).

Recital or Article

Description

Recital 81

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Article 32

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

Article 83

When deciding whether to impose an administrative fine, and its amount, due regard shall be given to the degree of cooperation with the supervisory authority, the manner in which the infringement became known to the supervisory authority, in particular whether and to what extent the controller or processor notified the infringement, and adherence to approved codes of conduct or approved certification mechanisms.

GDPR #09 - Data store integrity 

The integrity of all data stores containing personal data shall be continuously monitored.

This requirement derives from multiple GDPR recitals and articles. As a fundamental principle of the requirements, the data stores within the organization that contain personal data must be identified and then monitored for unauthorised change, by tracking user and program access to those data stores and the machines that permit access to them. This is necessary to guarantee that the data is controlled and safeguarded, and that accidental or unlawful alteration or destruction of it is detected.

Recital or Article

Description

Recital 1

The protection of natural persons in relation to the processing of personal data is a fundamental right. The regulation provides that everyone has the right to the protection of personal data concerning him or her.

Recital 39

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.

Article 32

Taking into account the state of the art, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

GDPR #10 - Data transfer monitoring 

All transfers of personal data outside of the managed organization, by any means, shall be logged and monitored.

This requirement derives from multiple GDPR recitals and articles. As a fundamental principle of the requirements, transfers of personal data must be identified, so that the organization can track which users and programs moved the data, by which channel, and to which destination. This is necessary to guarantee that the data remains controlled and safeguarded after it leaves the data stores the organization manages, and to support the record of transfers that Article 30 requires.

Recital or Article

Description

Recital 1

The protection of natural persons in relation to the processing of personal data is a fundamental right. The regulation provides that everyone has the right to the protection of personal data concerning him or her.

Recital 39

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.

Article 30

Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain, where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards.

Article 32

Taking into account the state of the art, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Article 48

Any judgment or decision of a third-country authority requiring the transfer or disclosure of personal data may only be recognised or enforceable in any manner if based on an international agreement, without prejudice to other grounds for transfer pursuant to this Regulation.

GDPR #11 - Security notifications 

The data protection officer shall be notified of any breaches or events related to the integrity or security of personal data.

As a fundamental part of the GDPR regulation, the organization must, in the cases set out in Article 37, appoint a data protection officer whose function is to monitor compliance with the Regulation. This officer must monitor, approve, and review the system setup, and receive (and dispatch) notifications of breaches. This implies that the data protection officer is a principal consumer of the reports and notifications produced by the GDPR software discussed in this document, and a principal focus of its operation, compliance, and auditing. This requirement is derived from multiple GDPR recitals and articles.

Recital or Article

Description

Recital 85

As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Recital 87

Technological protection and organisational measures should be implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority.

Article 37

The controller and the processor shall designate a data protection officer where the processing is carried out by a public authority or body, where their core activities require regular and systematic monitoring of data subjects on a large scale, or where their core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in the Regulation.

Article 39

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations.

Article 57

The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

GDPR #12 - Security reviews 

Security officers and IT personnel shall receive and review daily reports pertinent to the GDPR process, and verify that the intent of the GDPR is satisfied.

As with any other compliance standard, the implementation of the GDPR regulation requires review and support for audits, such as the required review of periodic reports generated by the system that show proper intent and operation of the system. Accountability under the Regulation is not satisfied by merely producing the reports: the controller must be able to demonstrate that the measures are effective, which requires that someone reads the reports and acts on them. This requirement is derived from multiple GDPR recitals and articles.

Recital or Article

Description

Recital 11

Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data.

Recital 74

The controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this regulation, including the effectiveness of the measures.

Article 24

The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Article 41

The monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body that has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority; such a body must have procedures that allow it to monitor the compliance of controllers and processors with the code's provisions and to periodically review its operation.


BMC AMI Command Center for Security 6.2