Security Compass Makes GDPR Compliance Easy

Download a free guide to learn more about GDPR requirements for applications

The European Union’s General Data Protection Regulation (GDPR) changes the way organizations across the globe handle personal information by enforcing strict guidelines on how that information is collected and used. The penalties for noncompliance are severe.


Teach your team the critical GDPR requirements by enrolling them in an eLearning course, GDPR For Developers.

GDPR for Developers is a focused and practical course that gives developers the essential knowledge to ensure that they are able to design applications that meet GDPR requirements.

We designed our software security training to meet the needs of today’s agile organizations, with adaptive courseware that can be tailored to the learning goals of individual students. Whether you are trying to reach compliance or raise security standards across an organization, our training is flexible enough to meet your educational needs.

See a full catalogue of Security Compass software security training courses here.

Incorporate GDPR's requirements for data protection by design and default into your software with SD Elements.

SD Elements, a policy-to-procedure platform for security and compliance, enables organizations to rapidly and efficiently deliver technology that’s secure by design. It provides tailored security advice for each phase of the software development lifecycle. These solutions simplify GDPR compliance by using a series of tasks and reports that can be assigned to developers, and monitored for completion. We’ve created a guide that explains how SD Elements can help incorporate Data Protection by Design and Default into software development.

SD Elements translates GDPR’s complex requirements into readable guidance and code samples for software architects and engineers. SD Elements provides more than just a static translation—it’s a dynamic system that is contextually aware of the specific requirements and tech stack for an application.

Download GDPR Whitepaper

Download a free GDPR guide to learn how we can help you comply with the EU GDPR.


GDPR is complex and touches on virtually all aspects of an organization's operations, including technical practices that are beyond the expertise of many employees tasked with enforcing the new regulation. Software architects and engineers understand the technical details of application development, but are rarely familiar with the details of GDPR. SD Elements is a painless and efficient way of reconciling complex GDPR policies with development procedures.

How SD Elements Helps With GDPR Compliance

SD Elements helps organizations comply with the sections of GDPR that require software to protect data by Design and by Default. What does “by Design and by Default” mean?

Article 25 - Data Protection by Design and by Default

By Design.

“The controller shall...implement appropriate technical and organisational measures...which are designed to implement data-protection principles...in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

By Default.

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed...Such measures shall ensure that by default personal data are not made accessible without the individual’s intervention...”

In other words, the controls outlined in GDPR must be built into the systems that process any personal data, such that the most privacy-protective configuration (minimal collection, no sharing unless the individual chooses it) is the default state of those systems rather than an option the user has to find and switch on.

Organizations will struggle to determine how to implement GDPR controls, and also to prove that they have employed secure development practices and that these controls are working. Another major challenge will be finding a way to incorporate these practices into rapid release cycle development methodologies such as Agile and DevOps.

Enter SD Elements


SD Elements provides a library of controls for organizations to implement GDPR compliance.

SD Elements issues tasks: instructions for preventing or mitigating a specific weakness, organized by stages that mirror the phases of software development. Each task is a procedure for a countermeasure or a test that improves an application’s security and its compliance with established standards, including privacy regulations such as GDPR.

SD Elements can help implement the new features that GDPR requires of software systems, such as:

  • Data portability (export in a structured, machine-readable form and transfer between systems)
  • Right to be forgotten and opt-out (capability to delete personal data, and to stop processing when consent is withdrawn)
  • Mandatory security measures (encryption, pseudonymization, anonymization, etc.)
  • Consent and data minimization (only the data necessary for the consented purpose is collected)
  • Data transfer between countries and to third parties
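As an added illustration of how several of the features above look once they are built into an application's data layer (this is example code written for this page, not SD Elements content or a Security Compass implementation), the Python sketch below models purpose-bound collection that refuses fields the consented purpose does not need, a machine-readable export, consent withdrawal that drops data no remaining purpose justifies, and erasure that leaves only a keyed-hash pseudonym in the audit log so the deletion can be evidenced without retaining the identity. The purposes, field names and the sample subject are constructed for the example.

```python
"""Added example: a privacy-by-default personal data store (not SD Elements code).

The purposes, field names and the sample subject are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Purpose limitation: each processing purpose lists the only fields it may collect.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"name", "shipping_address"},
    "newsletter": {"email"},
    "fraud_screening": {"name", "email"},
}


class ConsentError(PermissionError):
    """Processing attempted for a purpose the subject has not opted into."""


class DataMinimisationError(ValueError):
    """A field outside the consented purpose's allow-list was offered."""


@dataclass
class Subject:
    subject_id: str
    consents: Set[str] = field(default_factory=set)            # opted-in purposes; empty by default
    data: Dict[str, str] = field(default_factory=dict)         # field name -> value
    basis: Dict[str, Set[str]] = field(default_factory=dict)   # field name -> purposes justifying it


class PersonalDataStore:
    def __init__(self, pseudonym_key: Optional[bytes] = None) -> None:
        self._subjects: Dict[str, Subject] = {}
        # Keyed hash for the erasure log: destroying this key unlinks the log
        # entries from the original identifiers.
        self._key = pseudonym_key or secrets.token_bytes(32)
        self.erasure_log: List[Dict[str, object]] = []

    def register(self, subject_id: str) -> None:
        # By default: no consents, no data, nothing shared.
        self._subjects[subject_id] = Subject(subject_id)

    def holds(self, subject_id: str) -> bool:
        return subject_id in self._subjects

    def grant_consent(self, subject_id: str, purpose: str) -> None:
        if purpose not in PURPOSE_FIELDS:
            raise KeyError(f"unknown purpose {purpose!r}")
        self._subjects[subject_id].consents.add(purpose)

    def collect(self, subject_id: str, purpose: str, fields: Dict[str, str]) -> None:
        subject = self._subjects[subject_id]
        if purpose not in subject.consents:
            raise ConsentError(f"no consent for {purpose!r}")
        extra = set(fields) - PURPOSE_FIELDS[purpose]
        if extra:
            # Refuse, rather than silently store, data the purpose does not need.
            raise DataMinimisationError(f"fields not needed for {purpose!r}: {sorted(extra)}")
        for name, value in fields.items():
            subject.data[name] = value
            subject.basis.setdefault(name, set()).add(purpose)

    def withdraw_consent(self, subject_id: str, purpose: str) -> Set[str]:
        """Drop the purpose and every field no remaining purpose justifies; return the dropped fields."""
        subject = self._subjects[subject_id]
        subject.consents.discard(purpose)
        dropped: Set[str] = set()
        for name in list(subject.data):
            subject.basis[name].discard(purpose)
            if not subject.basis[name]:
                del subject.data[name]
                del subject.basis[name]
                dropped.add(name)
        return dropped

    def export(self, subject_id: str) -> str:
        """Article 20-style export: structured, machine-readable JSON."""
        subject = self._subjects[subject_id]
        return json.dumps(
            {"subject_id": subject_id, "consents": sorted(subject.consents), "data": subject.data},
            sort_keys=True,
        )

    def pseudonym(self, subject_id: str) -> str:
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()

    def erase(self, subject_id: str) -> str:
        """Article 17-style erasure: remove the record; log only a pseudonym and the field names."""
        subject = self._subjects.pop(subject_id)
        token = self.pseudonym(subject_id)
        self.erasure_log.append({"subject": token, "fields_erased": sorted(subject.data)})
        return token


if __name__ == "__main__":
    store = PersonalDataStore()
    store.register("user-42")
    store.grant_consent("user-42", "order_fulfilment")
    store.collect("user-42", "order_fulfilment", {"name": "Ada", "shipping_address": "1 Example St"})
    print(store.export("user-42"))
    print("erased as", store.erase("user-42"))
```

The design choice worth noting is that the allow-list and the consent check live in the store, not in each caller: a new feature cannot quietly widen what is collected, and withdrawing one consent cannot remove data another still-valid purpose (here, fraud screening) justifies keeping.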

SD Elements also features robust tracking, logging and reporting capabilities, so it’s easy to prove that GDPR controls have been implemented and validated to be working correctly.

SD Elements and GDPR Coverage

SD Elements by Security Compass is the world’s leading policy-to-procedure platform for security and compliance. SD Elements features a comprehensive set of requirements and tasks covering 32 of the 99 articles in GDPR. The content has been produced by our own team of expert application security researchers. See what we cover in the table below.

  • CHAPTER I - General provisions
    • Article 2
      Material scope
    • Article 3
      Territorial scope
    • Article 4
      Definitions
  • CHAPTER II - Principles
    • Article 5
      Principles relating to processing of personal data
    • Article 6
      Lawfulness of processing
    • Article 7
      Conditions for consent
    • Article 8
      Conditions applicable to child's consent in relation to information society services
    • Article 9
      Processing of special categories of personal data
  • CHAPTER III - Rights of the data subject
    • Article 12
      Transparent information, communication and modalities for the exercise of the rights of the data subject
    • Article 13
      Information to be provided where personal data are collected from the data subject
    • Article 15
      Right of access by the data subject
    • Article 16
      Right to rectification
    • Article 17
      Right to erasure ('right to be forgotten')
    • Article 18
      Right to restriction of processing
    • Article 20
      Right to data portability
    • Article 21
      Right to object
    • Article 22
      Automated individual decision-making, including profiling
  • CHAPTER IV - Controller and processor
    • Article 24
      Responsibility of the controller
    • Article 25
      Data protection by design and by default
    • Article 30
      Records of processing activities
    • Article 32
      Security of processing
    • Article 33
      Notification of a personal data breach to the supervisory authority
    • Article 34
      Communication of a personal data breach to the data subject
    • Article 35
      Data protection impact assessment
    • Article 40
      Codes of conduct
  • CHAPTER V - Transfers of personal data to third countries or international organisations
    • Article 44
      General principle for transfers
    • Article 45
      Transfers on the basis of an adequacy decision
    • Article 46
      Transfers subject to appropriate safeguards
    • Article 47
      Binding corporate rules
    • Article 49
      Derogations for specific situations
  • CHAPTER IX - Provisions relating to specific processing situations
    • Article 88
      Processing in the context of employment
    • Article 89
      Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes


GDPR Overview

What Is GDPR?

The General Data Protection Regulation passed by the EU is a "Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC."

It comes into effect on May 25, 2018.

Penalties and Fines for Noncompliance are Strict

As detailed in Article 83:

"Infringements of the following provisions shall ... be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher"

To Whom Does GDPR Apply?

In the broadest sense, any organization that processes the personal data of people who are in the European Union must comply with GDPR, even if it is not physically located within the EU. Article 3 (Territorial scope) frames this in terms of data subjects “who are in the Union”, not citizenship: a data subject does not have to be an EU citizen, and GDPR applies to any controller or processor that processes their data, even if that organization is not established in the EU. As Article 3(2) puts it, “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.”

GDPR Main Features

The European Union introduced GDPR to drastically improve the security and privacy of its residents. GDPR Recitals, Articles and Controls generally fall into one of the categories below.
