GDPR

Comply with EU data protection requirements using CyberOrigen.

Overview

GDPR (General Data Protection Regulation) is the EU's comprehensive data privacy law. It applies to any organization processing personal data of EU residents.

Key Principles

Principle	Description
Lawfulness	Legal basis for processing
Purpose Limitation	Specific, explicit purposes
Data Minimization	Only necessary data
Accuracy	Keep data accurate
Storage Limitation	Don't keep longer than needed
Integrity & Confidentiality	Security of processing
Accountability	Demonstrate compliance

Chapter 2: Principles

Article	Title
5	Principles relating to processing
6	Lawfulness of processing
7	Conditions for consent
8	Child's consent
9	Special categories of data
10	Processing of criminal data
11	Processing without identification

Chapter 3: Rights of Data Subjects

Article	Title
12	Transparent information
13	Information at collection
14	Information when not from subject
15	Right of access
16	Right to rectification
17	Right to erasure
18	Right to restriction
19	Notification obligation
20	Right to data portability
21	Right to object
22	Automated decision-making

Chapter 4: Controller & Processor

Article	Title
24	Responsibility of controller
25	Data protection by design
28	Processor obligations
30	Records of processing
32	Security of processing
33	Breach notification to authority
34	Breach notification to subjects
35	Data protection impact assessment
37	Data protection officer

Getting Started

1. Enable Framework

Go to GRC → Frameworks
Click Enroll on GDPR
Click Enable

2. Data Inventory

Document personal data processing:

Identify data categories
Map data flows
Document lawful basis
Record in processing register

3. Security Assessment

Evaluate Article 32 requirements:

Encryption
Confidentiality
Integrity
Availability
Resilience

Key Controls

Article 32 - Security

Requirement	CyberOrigen Feature
Encryption	TLS/encryption scanning
Confidentiality	Access control scanning
Integrity	File integrity checks
Availability	Uptime monitoring
Testing	Vulnerability scanning

Article 25 - Privacy by Design

Principle	Implementation
Proactive	Risk assessment
Default settings	Configuration checks
Full lifecycle	Evidence management
Security	Continuous scanning
Visibility	Audit logging
User-centric	Access controls

Data Subject Rights

Right Fulfillment

Track and respond to data subject requests:

Right	SLA	Documentation
Access (Art. 15)	30 days	Request log
Rectification (Art. 16)	30 days	Change record
Erasure (Art. 17)	30 days	Deletion record
Portability (Art. 20)	30 days	Export format
Object (Art. 21)	30 days	Response record

CyberOrigen Tracking

Go to GRC → Control Library
Track DSR controls
Document procedures
Link evidence

Breach Notification

Timeline

Action	Deadline
Detect breach	As soon as possible
Notify DPA	72 hours from awareness
Notify subjects	Without undue delay

What to Report

Nature of breach
Categories of data affected
Approximate number of subjects
Contact for DPO
Likely consequences
Measures taken

CyberOrigen Support

Vulnerability detection
Threat intelligence
Incident documentation
Remediation tracking

DPIA Requirements

When Required

Data Protection Impact Assessment needed for:

Systematic profiling
Large-scale special category data
Systematic public monitoring
New technologies

DPIA Process

Describe processing
Assess necessity
Identify risks
Mitigate risks
Document outcome

Vendor Management

Processor Agreements

Track Article 28 requirements:

Go to GRC → Vendors
Add data processors
Upload DPAs
Track compliance

Subprocessor Management

Document subprocessors
Ensure DPA coverage
Monitor changes

Control Mapping

GDPR maps to other frameworks:

GDPR Article	SOC 2	ISO 27001
Art. 32 Security	CC6.1, CC6.7	A.8.24
Art. 30 Records	CC2.2	A.5.9
Art. 33 Breach	CC7.3	A.5.24
Art. 35 DPIA	CC3.1	6.1.2

Evidence Collection

Automated Evidence

Security scan reports
Access reviews
Encryption verification
Configuration assessments

Manual Evidence

Privacy policies
Processing records
Consent records
DPIAs
DPAs with processors

Common Gaps

Requirement	Issue	Solution
Art. 30	No processing records	Documentation
Art. 32	Weak encryption	Encryption upgrade
Art. 33	No breach process	Incident response plan
Art. 37	No DPO appointed	DPO designation

Penalties

Violation	Maximum Fine
Lower tier	10M EUR or 2% revenue
Higher tier	20M EUR or 4% revenue

GDPR ​

Overview ​

Key Principles ​

GDPR Articles ​

Chapter 2: Principles ​

Chapter 3: Rights of Data Subjects ​

Chapter 4: Controller & Processor ​

Getting Started ​

1. Enable Framework ​

2. Data Inventory ​

3. Security Assessment ​

Key Controls ​

Article 32 - Security ​

Article 25 - Privacy by Design ​

Data Subject Rights ​

Right Fulfillment ​

CyberOrigen Tracking ​

Breach Notification ​

Timeline ​

What to Report ​

CyberOrigen Support ​

DPIA Requirements ​

When Required ​

DPIA Process ​

Vendor Management ​

Processor Agreements ​

Subprocessor Management ​

Control Mapping ​

Evidence Collection ​

Automated Evidence ​

Manual Evidence ​

Common Gaps ​

Penalties ​

Resources ​