My business is thinking of expanding into Europe and the UK. We are SOC 2 compliant – what else do we need to do to comply with GDPR?
SOC 2 compliance is a really great start, as it shows you have a good security control framework in place, assessed against an accepted standard. However, it is not designed to cover the same areas as the GDPR.
The graphic below compares the GDPR principles relating to personal data processing with the SOC 2 trust services categories.
As you can see, the requirements are similar but not the same.
There are also some specific requirements set out in the GDPR, such as:
- Records of processing activities
You need to keep detailed records of how personal data is processed, including the specific information set out in Article 30.
- Privacy information
You need to provide specific information about how, when, why and by whom personal data is processed, including the specific information set out in Articles 13 and 14.
- Risk assessments
You need to complete data protection impact assessments and legitimate interest assessments before you carry out certain kinds of processing.
- Breach notifications
In the event of a personal data breach that is likely to harm the rights and freedoms of individuals, you have 72 hours to notify the regulator, providing the specific information set out in Article 33. You might also need to notify affected individuals ‘without undue delay’.
- Data Protection Officer
Certain types of organisations need to appoint a data protection officer to carry out specific tasks.
- International transfers
There are specific rules to follow if you send personal data overseas for processing (and if you are SOC 2 compliant, you almost certainly do, since SOC 2 organisations are typically based outside the EU and UK).
- Data subject rights
You need to implement processes so that EU and UK citizens can exercise their GDPR rights. These include making sure you can provide access by extracting a copy of an individual’s data from your systems on demand, making sure you can stop processing activities when necessary, and making sure you can erase and correct the data you hold when required.
SOC 2 certainly gets you started, but if this is new for you, I would recommend getting specialist support to help you get it right.
Gemserv can ensure you are maintaining compliance. Email firstname.lastname@example.org to find out more.