
GDPR and Other Privacy Frameworks: How Compliance Leaders Can Use Privacy Compliance for Growing Their Business

Sharon Silver
September 8, 2022

People have always cared about privacy—about the security of their personal information. It’s just that the digital age has made it infinitely easier than in the past to misuse someone’s private data. Events like high-profile breaches or matters like Cambridge Analytica brought this issue onto the front pages in the past decade. Misuses of private data have been a public relations debacle for businesses and a massive expense for both businesses and consumers.

Why Caring about Privacy Helps Your Business

The EU saw the need to restore trust. It created GDPR, the General Data Protection Regulation, to protect EU individuals. Effective since May 25, 2018, GDPR was the first regulation in the new age of privacy to require transparency and give people rights over their data. Many privacy laws all over the world—including in a growing number of states in the US—have followed, and data privacy has continued to be a major concern to countries and organizations. Today, understanding and complying with privacy laws is essential in order to conduct business in jurisdictions where these laws are in effect. 

The question is where and how to start a privacy Compliance program if you’re a Compliance leader who, until now, has focused on security Compliance. While a full guide on this topic is on its way (make sure to look out for it), we will focus here on understanding the privacy regulations and frameworks that can be the cornerstone of your business’s commitment to privacy.

There are some older privacy laws that relate to specific industries, including HIPAA for healthcare, FERPA for higher education, and GLBA for financial services. Those are still in use. But the newer, broader laws have a greater impact on business in general. For now, let’s focus on GDPR.

GDPR: Comprehensive and Stringent

First, GDPR in brief. GDPR is a regulation composed of a series of articles. It is widely considered the most comprehensive privacy and security law in the world. GDPR governs the processing of personal data of individuals. “Processing” is broad, covering a wide range of operations performed on personal data. With specific exceptions, GDPR imposes obligations on organizations anywhere in the world if they handle data of persons within the EU. GDPR provides individuals with enforceable privacy rights. Again, the details of GDPR, particularly questions of who has Compliance obligations under GDPR and which information is protected, are much more complex than can be covered here.

Various aspects of GDPR demonstrate its broad scope and protectiveness, especially as compared to the privacy laws generally passed in states in the US: 

  1. It has an opt-in model for sharing data. An individual in the EU who wants to share their data must check a box. In contrast, US states’ privacy laws often work on an opt-out basis: you share your data unless you uncheck the pre-checked box.

  2. GDPR definitions are broader:

        a. Who is protected by GDPR: The definition of covered individuals, “Data Subjects,” even covers individuals who are not residents or citizens of the EU. So if an individual travels to the EU and, while there, signs up on a website, that person is protected by GDPR.

        b. Who could be subject to GDPR: The regulation applies to a “data controller” and a “data processor.” For example, a law firm collects data from employees when it hires them. It gives this data to a payroll company in order to process the payroll. The law firm is a data controller because it decides how to use its employees’ data. The payroll company is a data processor.

  3. What data is protected: A broad array of data is protected under GDPR, including data relating to genetics, religion, race, political affiliation and ethnicity.

  4. What rights are granted: All privacy laws grant rights to protected individuals, including the right to object to the sale of personal information, to correct inaccurate information, and to delete information. But GDPR grants a right to private action. (Of the states’ laws, only California has a form of this right, for certain breaches.) So an individual can actually sue for noncompliance with GDPR. (US states’ privacy laws generally require an individual to go to that state’s attorney general to try to get redress if there’s been a breach.)

  5. Obligations that businesses have to meet: All privacy laws require affected businesses to adhere to certain rules, including keeping records, implementing data security, conducting assessments, managing consent, etc. But GDPR features heavier obligations for businesses: a requirement to appoint a data privacy officer and for notifications about breaches (including deadlines).

  6. Consequence of noncompliance: Some state privacy laws allow time to cure a breach. GDPR doesn’t. Fines can be harsh. The law states a maximum fine of 20 million euro or 4% of revenue. In practice, the fine levied may end up reduced in negotiations.

All the above may have put the fear of GDPR into you. But the reality is that an organization needs to take privacy Compliance into account as one of the key factors that will enable business growth. GDPR Compliance, in particular, is a game-changer; it’s necessary in order to do business with people who are in the EU.

Implementing GDPR is process-based, requiring that an organization create a data flow diagram around how they process data. GDPR does not provide checklists of controls. How, then, can an organization know that it is complying with GDPR? The answer: Conform to one of the numerous standards created in order to allow organizations to confidently attest to GDPR Compliance.

Selected Privacy Regulations and Frameworks that map to GDPR

The following four frameworks can help an organization comply with GDPR:

  • The Secure Controls Framework EU GDPR Compliance Criteria,
  • The CSA Code of Conduct (CoC) for GDPR, when implemented with the CSA Cloud Controls Matrix v.4 (CCM), 
  • ISO/IEC 27701, and
  • ISO/IEC 27018

Note that since complying with GDPR does not depend on passing an audit or receiving a certificate, using these frameworks should be seen not as a guarantee of Compliance, but as evidence that an organization is doing its best to ensure that it is complying with GDPR.

Let’s take a closer look.

  1. The Secure Controls Framework EU GDPR Compliance Criteria (SCF EGCC)

      a. What it does: The full SCF consists of hundreds of controls—many of which are outside the scope of GDPR—and cross-maps them across dozens of frameworks. For the EGCC, SCF shows only the GDPR-relevant controls.

      b. Who it’s for: Companies that:

          1. have not adopted CSA STAR (see below), and

          2. are not ISO/IEC certified.

  2. CSA Code of Conduct (CoC) for GDPR, when implemented in conjunction with the CSA Cloud Controls Matrix (CCM), version 4 (collectively, “CoC/CCM”):

      a. What it does: The CSA CoC/CCM for GDPR Compliance offers a consistent and comprehensive framework for complying with GDPR, plus transparency guidelines regarding the level of data protection offered by a cloud service provider.

      b. Who it’s for: certain companies that are data processors.

          1. For companies choosing to undergo an audit (i.e., CSA STAR attested/certified), CoC/CCM enables a formal attestation of GDPR Compliance.

          2. Companies not wishing to undergo a CSA STAR audit can submit a self-assessment and receive a certificate saying that GDPR Compliance is “declared,” as opposed to “certified.”

  3. ISO/IEC 27701 is ISO’s approach to a kind of “GDPR framework.”

      a. What it does: Creates a Privacy Information Management System (PIMS). ISO/IEC 27701 adds an extended set of privacy controls, based on GDPR requirements, to the existing ISO/IEC 27001 Annex A controls. The framework is composed of 3 sections: the first is PIMS-specific requirements, or extensions to the existing controls in an Information Security Management System (ISMS) under ISO 27001. The other two sections are additional annexes—one for data controllers, and the other for data processors. Note that an organization can function as both.

      b. Who it’s for: Companies that:

          1. are data controllers and/or data processors,

          2. are ISO/IEC 27001 certified,

          3. process personally identifiable information (PII), and

          4. want an auditable standard to give validation to their attestation of Compliance with GDPR.

  4. ISO/IEC 27018 — international standard to protect PII in the cloud

      a. What it does: It’s the standard for protecting PII in cloud storage. It gives further helpful implementation guidance for the controls published in ISO/IEC 27001 and sets out extra guidance for PII protection for the cloud.

      b. Who it’s for: Cloud service providers that are ISO/IEC 27001 certified.

      c. Note: An organization that’s entirely cloud-based can implement either this standard or ISO/IEC 27701, but ISO/IEC 27018 is less rigorous and easier to implement.

Why Opt for Privacy Compliance

Privacy is too important for an organization to settle for a check-the-box certification. A company’s stakeholders need to know that the company takes data privacy seriously. Not just because businesses have been ruined for breaking their customers’ trust, but because taking on privacy frameworks allows a business to expand. With a system of continuous privacy Compliance that uses automation, privacy posture is continually monitored, so that an organization demonstrates its full-time commitment to safeguarding data privacy, even as the world gets more complex. Safeguarding privacy should become as integrated into your company as your security Compliance is. (Or as it should be, at least.)

Consumers want to be able to trust the organizations handling their data. Adopting privacy frameworks lets a business take on new opportunities and make new alliances. Because people have always cared about privacy. So be a business that takes its customers’ trust seriously. 



*The information provided in this blog, like all other content on this website, does not, and is not intended to, constitute legal advice.

Sharon Silver
Lawyer-turned-CPA-turned-Writer-turned-Compliance-enthusiast. Lover of words. Fixer of mistakes. Content Specialist at anecdotes.
