NHS DSPT New Submission Requirements

View All

Case Studies

Powering Alt HAN Co.'s Smart Meter Rollout

View All

Upcoming Events

LEMA Summit 2024

View All



Ask a Privacy Manager

19th Jan, 2023

My business is thinking of expanding into Europe and the UK. We are SOC 2 compliant – what else do we need to do to comply with GDPR?

SOC 2 compliance is a really great start, as it shows you have a good security control framework in place, assessed against an accepted standard. However it is not designed to cover the same areas as the GDPR.  

The graphic below compares the GDPR principles relating to personal data processing with the SOC2 trust services categories. 


As you can see the requirements are similar but not the same.

There are also some specific requirements set out in the GDPR, such as:  

  • Records of processing activities
    You need to keep detailed records of how personal data is processed including specific information set out in Article 30.
  • Privacy information
    You need to provide specific information about how, when, why and by whom personal data is processed including specific information set out in Articles 13 and 14.
  • Risk assessments
    You need to complete data protection impact assessments and legitimate interest assessments before you carry out certain kinds of processing.
  • Breach notifications
    In the event of a personal data breach that is likely to harm the rights and freedoms of individuals, you have 72 hours to notify the regulator, providing specific information that is set out in Article 33 and might also need to notify affected individuals ‘without undue delay’.
  • Data Protection Officer
    Certain types of organisations need to appoint a data protection officer to carry out specific tasks
  • International transfers
    There are specific rules to follow if you send personal data overseas for processing (and if you are SOC 2 compliant, you almost certainly do).
  • Data subject rights
    You need to implement processes so that EU and UK citizens can exercise their GDPR rights. These include making sure you can provide access by extracting a copy of an individual’s data from your systems on demand, making sure you can stop processing activities when necessary, and making sure you can erase and correct the data you hold when required.

SOC 2 certainly gets you started, but if this is new for you I would recommend getting specialist support to help you get it right. 

Interested in our Data Protection Services?

Gemserv can ensure you are maintaining compliance. If you would like to know more about our data protection work, or speak with one of our experts, please complete this short form.


Camilla Winlo

Head of Data Privacy

Read Bio