The General Data Protection Regulation (GDPR) is a landmark privacy law in the European Union that governs the protection of data collected on European Citizens. The GDPR is extraterritorial, meaning that its reach and enforcement extend outside the boundaries of the European Union and apply to any organization that collects, stores, processes, or transfers personal data about individuals in Europe.
The rights afforded to European Citizens under the GDPR include the right to information, the right of access, the right to rectification, the right to be forgotten, the right to restrict processing, the right of portability, the right to object, and the right to avoid automated decision-making.
GDPR requires a risk assessment process, and certain of its security controls overlap with other frameworks. If your organization outsources the processing of data to third parties, it is also important to monitor those vendors for compliance with GDPR’s data security and processing obligations. Through the lens of operational resilience, you should understand how your organization processes and stores data of European Citizens when working through important business service mapping; the data and application inventory required under the GDPR may be a useful place to start that service mapping.