GDPR
The General Data Protection Regulation — an EU regulation enacted in 2018 that governs data protection and privacy for all individuals within the European Economic Area. GDPR grants individuals rights including access, rectification, erasure ('right to be forgotten'), data portability, and the right to object to processing. Organizations must have a lawful basis for processing personal data, implement data protection by design, report breaches within 72 hours, and appoint a Data Protection Officer (DPO) in certain cases. Fines can reach up to 4% of annual global revenue or 20 million EUR. GDPR is tested in CISSP, CIPP/E, and security governance certifications.
Why It Matters
In practice, GDPR is critical because it has set the global standard for data privacy regulation, influencing similar laws worldwide including CCPA in California, LGPD in Brazil, and POPIA in South Africa. Organizations that fail to comply with GDPR face enforcement actions that have included a 1.2 billion euro fine against Meta for improper data transfers and significant penalties against Amazon, Google, and WhatsApp. GDPR applies to any organization processing EU residents' data regardless of where the company is headquartered, giving it extraterritorial reach that affects businesses globally. Cross-border data transfer mechanisms like Standard Contractual Clauses add operational complexity. On certification exams such as CISSP, CIPP/E, and CISM, expect questions about data subject rights, lawful bases for processing, the 72-hour breach notification requirement, understanding the role of Data Protection Officers, and evaluating cross-border data transfer mechanisms.
Practice this topic
Test your knowledge of GDPR concepts with exam-style practice questions.
Related GRC terms
Risk Assessment
The process of identifying, analyzing, and evaluating potential risks to an organization's information assets to determine the likelihood and impact of threats exploiting vulnerabilities. Risk assessment methodologies include qualitative (rating risks as High/Medium/Low), quantitative (calculating Annual Loss Expectancy using SLE x ARO = ALE), and hybrid approaches. Frameworks like NIST SP 800-30, ISO 27005, and FAIR provide structured risk assessment processes. The output drives risk treatment decisions: accept, mitigate, transfer (insurance), or avoid. Risk assessment is the cornerstone of CISSP Domain 1, CISM, and CISA certifications.
Vulnerability Assessment
A systematic process to identify, quantify, and prioritize security vulnerabilities in systems, applications, and networks using automated scanning tools and manual review. Common tools include Nessus, Qualys, OpenVAS, and Rapid7 InsightVM. Vulnerability assessments differ from penetration testing — they identify weaknesses without actively exploiting them. Results are typically scored using CVSS (Common Vulnerability Scoring System) and prioritized by severity, asset criticality, and exploitability. Regular vulnerability assessments are required by PCI DSS, HIPAA, and other compliance frameworks and are a key topic in Security+, CySA+, and CISSP certifications.
Penetration Testing
An authorized simulated cyberattack on a computer system, network, or application performed to evaluate its security posture and identify exploitable vulnerabilities. Pentest types include black box (no prior knowledge), white box (full system knowledge), and gray box (partial knowledge). The methodology follows phases: planning and scoping, reconnaissance, scanning, exploitation, post-exploitation, and reporting. Industry standards include the PTES, OWASP Testing Guide, and NIST SP 800-115. Penetration testing is the focus of OSCP, PenTest+, CEH, and GPEN certifications and a key assessment method in CISSP Domain 6.
Compliance
The act of conforming to established guidelines, specifications, regulations, or legislation related to information security and data protection. Key compliance frameworks include PCI DSS (payment card data), HIPAA (healthcare data), SOX (financial reporting), GDPR (EU personal data), and FedRAMP (US government cloud). Non-compliance can result in significant fines, legal liability, and reputational damage. Organizations use controls frameworks (NIST CSF, ISO 27001, CIS Controls) to demonstrate compliance. Compliance management is a central topic in CISA, CISM, and CISSP Domain 1 (Security and Risk Management).
NIST Framework
A set of guidelines and best practices published by the National Institute of Standards and Technology to manage cybersecurity risk, most commonly referring to the NIST Cybersecurity Framework (CSF) with its five core functions: Identify, Protect, Detect, Respond, and Recover. NIST also publishes the SP 800 series (including 800-53 for security controls, 800-171 for CUI, and 800-63 for digital identity). The framework is voluntary but widely adopted across industries and required for U.S. federal agencies. NIST provides the foundation for many organizational security programs and is heavily referenced in CISSP, CISM, and Security+ certifications.
ISO 27001
An international standard for information security management systems (ISMS) that specifies requirements for establishing, implementing, maintaining, and continually improving an organization's security management program. ISO 27001 follows a Plan-Do-Check-Act (PDCA) cycle and requires organizations to assess risks, implement appropriate controls (from the Annex A control set), and undergo regular audits. Certification is granted by accredited third-party auditors and is valid for three years with annual surveillance audits. ISO 27001 is globally recognized and often required by enterprise customers and partners. It is a key framework in CISM, CISA, and CISSP GRC domains.