SOC 2 Auditors

GDPR

EU law · Varies · Ongoing

Controls: EU regulation; data-subject rights and lawful-basis duties
Recertification: No certificate; ongoing legal obligation
Oversight: EU data protection authorities
Common gaps: DPAs, records of processing, data-subject request handling
Related: SOC 2 (Privacy criteria), ISO 27001
Public registry: EUR-Lex

What is GDPR?

The General Data Protection Regulation is the EU's data-protection law. It governs how the personal data of people in the EU is collected and processed, and carries significant penalties for non-compliance.

Is GDPR a certification or an attestation?

GDPR is a regulation, not a certification. SOC 2's optional Privacy criteria can help evidence parts of a privacy program, but the two are not equivalent.

Who needs GDPR?

Any organization processing the personal data of people in the EU, regardless of where the company is based.

What does it cost and how long does it take?

Compliance is an ongoing program rather than a one-off audit; legal counsel typically leads, with security controls supporting.
