What is the primary objective of **GDPR**?

**The primary objective of GDPR is to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data, while ensuring the free movement of personal data within the EU.** Enacted as Regulation (EU) 2016/679 and enforceable since May 25, 2018, it replaces the fragmented 1995 Data Protection Directive by establishing uniform rules through its seven core principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Who is legally or professionally required to comply with **GDPR**?

**GDPR applies to any controller or processor established in the EU, or any non-EU entity offering goods/services to or monitoring the behaviour of EU data subjects, regardless of location.** Under Article 3's extraterritorial scope, this includes controllers determining processing purposes and processors handling data on their behalf. Public authorities and large-scale processors of special categories (e.g., health data) or systematic monitoring must appoint a **Data Protection Officer (DPO)** per Article 37.

Does **GDPR** require an external audit or third-party certification?

**No, GDPR does not mandate external audits or third-party certification for compliance.** Article 42 encourages voluntary certification mechanisms, seals, and marks by supervisory authorities or accredited bodies to demonstrate compliance with principles like data protection by design (Article 25). Organizations must self-demonstrate accountability via Records of Processing Activities (Article 30) and Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35).

How often should an assessment for **GDPR** be performed?

**GDPR requires ongoing, risk-based assessments rather than fixed intervals, with reviews triggered by changes in processing activities or risk levels.** Article 32 mandates "appropriate technical and organisational measures" reflecting the state of the art, implying continuous evaluation. DPIAs (Article 35) must be conducted prior to high-risk processing and reviewed if risks evolve, while breach assessments (Articles 33-34) demand evaluation within 72 hours of awareness.

What are the consequences of non-compliance with **GDPR**?

**Non-compliance with GDPR can result in administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for severe infringements.** Tiered penalties under Article 83 apply: up to €10 million or 2% for lesser violations (e.g., records, DPO duties). Supervisory authorities enforce via the one-stop-shop mechanism (Article 56), with additional remedies including data subject compensation (Article 82) and injunctions.

Can **GDPR** be mapped to other international frameworks?

**Yes, GDPR principles such as accountability, data minimisation, and lawful processing bases can be mapped to international frameworks like Brazil's LGPD, California's CCPA/CPRA, and Japan's APPI.** Its global influence stems from the "Brussels Effect," where extraterritorial scope (Article 3) compels alignment, though divergences exist (e.g., GDPR's opt-in consent vs. CCPA's opt-out). Adequacy decisions (Article 45) facilitate transfers to equivalent regimes like Japan.

What is the first step to begin implementing **GDPR**?

**The first step to implement GDPR is conducting a comprehensive data mapping exercise to identify all personal data processing activities, legal bases, and associated risks.** This informs Records of Processing Activities (Article 30) and determines DPIA needs (Article 35), enabling controllers to establish accountability (Article 5(2)) and appoint a DPO if required (Article 37).

What is the primary objective of **AS9120B**?

**AS9120B establishes a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics.** Built on ISO 9001:2015’s 10-clause structure, it adds over 100 aerospace-specific requirements addressing distribution risks like traceability loss, counterfeit parts, documentation errors, and external provider controls. The standard ensures chain-of-custody integrity through operational controls in Clause 8, including identification/traceability, preservation, configuration management, and prevention of suspected unapproved parts.

Who is legally or professionally required to comply with **AS9120B**?

**AS9120B applies to aviation, space, and defense distributors, stockists, and pass-through organizations that procure, store, split, or resell parts without modifying conformity.** It targets entities reliant on OEM/Tier-1 supply chains, where certification is a commercial requirement for OASIS listing and contract eligibility (2,442 global certifications as of May 2023). It excludes value-added distributors altering products or MRO entities; scope must justify non-applicability (e.g., Clause 8.3 design) without impacting conformity.

Does **AS9120B** require an external audit or third-party certification?

**AS9120B requires third-party certification through accredited bodies for formal recognition and OASIS listing.** Certification involves Stage 1 (documentation review) and Stage 2 (on-site effectiveness audit) per AS9101F, with ongoing surveillance audits. Internal audits (Clause 9.2) at planned intervals ensure conformity, but external certification demonstrates market readiness to OEMs and primes.

How often should an assessment for **AS9120B** be performed?

**AS9120B requires internal audits at planned intervals to cover the QMS annually, plus management reviews at defined frequencies ensuring suitability and effectiveness.** Clause 9.2 mandates audit programs evaluating all processes, risks, and Clause 9.3 inputs like performance trends and supplier metrics. Surveillance audits occur yearly post-certification, with recertification every three years.

What are the consequences of non-compliance with **AS9120B**?

**Non-compliance with AS9120B risks commercial exclusion, supply chain rejection, and safety liabilities from traceability failures or counterfeit parts.** Lacking certification bars OEM contracts and OASIS visibility; audit findings trigger corrective actions, potential decertification, recalls, or legal exposure for product nonconformities affecting aviation safety.

Can **AS9120B** be mapped to other international frameworks?

**AS9120B aligns directly with ISO 9001:2015’s high-level structure, enabling seamless mapping of its 10 clauses.** Aerospace additions (e.g., counterfeit prevention, traceability) build on ISO baseline without exclusions, supporting integrated QMS for distributors transitioning from generic standards while maintaining standalone applicability.

What is the first step to begin implementing **AS9120B**?

**The first step is conducting a gap analysis against AS9120B clauses using cross-functional teams to map current processes.** Document context (Clause 4), justify scope/non-applicability, and prioritize distributor risks like supplier controls and traceability, yielding a risk register and implementation backlog.

GDPR vs AS9120B

Standards Comparison

GDPR

Mandatory

2016

EU regulation for personal data protection and privacy rights

AS9120B

Mandatory

2016

Aerospace QMS standard for parts distributors.

Quick Verdict

GDPR mandates data privacy protection for EU residents worldwide, enforcing rights and accountability with hefty fines. AS9120B certifies aerospace distributors' quality systems for traceability and counterfeit prevention. Organizations adopt GDPR for legal compliance, AS9120B for market access.

Data Privacy

GDPR

Regulation (EU) 2016/679 General Data Protection Regulation

Cost

€€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Applies extraterritorially to non-EU organizations targeting EU residents
Enforces accountability principle requiring demonstrated compliance via DPIAs
Imposes fines up to 4% of global annual turnover
Grants data subjects rights to erasure and portability
Mandates 72-hour personal data breach notifications

Quality Management

AS9120B

AS9120B Quality Management Systems - Requirements

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Counterfeit and suspected unapproved parts prevention
Traceability and chain-of-custody for split lots
Risk-based external provider evaluation and controls
Configuration management in distribution operations
Product safety and ethical behavior awareness

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

GDPR Details

What It Is

Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), is a directly applicable EU law protecting natural persons' personal data. It modernizes privacy rules with extraterritorial scope, applying to any entity processing EU residents' data. Core approach is accountability-based, requiring organizations to demonstrate compliance via risk assessments like DPIAs.

Key Components

Seven principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
Enhanced data subject rights: access, rectification, erasure, portability, objection.
Obligations: appoint DPOs, maintain processing records, breach notifications.
Enforcement: fines up to €20M or 4% global turnover; no formal certification, but ongoing compliance audited by DPAs.

Why Organizations Use It

Mandated for EU data processors; reduces legal risks, builds trust, enables global data flows. Enhances reputation, avoids penalties, supports Digital Single Market.

Implementation Overview

Risk-based rollout: gap analysis, policy updates, training, DPIAs. Applies universally to controllers/processors; high complexity for SMEs. Two-year transition originally; continuous audits by EDPB and national authorities.

AS9120B Details

What It Is

AS9120B is the IAQG's quality management system standard for aerospace distributors, fully titled AS9120B Quality Management Systems – Requirements. This certification standard augments ISO 9001:2015's high-level structure with over 100 distributor-specific requirements. Its primary purpose is ensuring safe, traceable resale of parts without alteration, employing a risk-based PDCA approach to address supply chain vulnerabilities like counterfeits and traceability loss.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, improvement
Distributor emphases: counterfeit prevention, traceability for split lots, external provider controls, configuration management
Built on ISO 9001 baseline plus aerospace additions
Certification model via accredited bodies with OASIS registration

Why Organizations Use It

Commercial gatekeeper for OEM/Tier-1 supply chains
Mitigates risks of nonconformities, recalls, legal liabilities
Enhances efficiency, customer satisfaction, market access (2,442 global certifications)
Builds stakeholder trust through auditable chain-of-custody

Implementation Overview

Phased 6-12 months: gap analysis, process design, training, internal audits
Suited for aviation/space/defense distributors worldwide
Requires Stage 1/2 audits for certification

Key Differences

Aspect	GDPR	AS9120B
Scope	Personal data protection and privacy rights	Aerospace distribution quality management
Industry	All sectors worldwide targeting EU data	Aerospace distributors globally
Nature	Mandatory EU regulation with fines	Voluntary certification standard
Testing	DPIAs, audits by supervisory authorities	Internal audits, certification body reviews
Penalties	Up to 4% global turnover fines	Loss of certification, no legal fines

Scope

GDPR

Personal data protection and privacy rights

AS9120B

Aerospace distribution quality management

Industry

GDPR

All sectors worldwide targeting EU data

AS9120B

Aerospace distributors globally

Nature

GDPR

Mandatory EU regulation with fines

AS9120B

Voluntary certification standard

Testing

GDPR

DPIAs, audits by supervisory authorities

AS9120B

Internal audits, certification body reviews

Penalties

GDPR

Up to 4% global turnover fines

AS9120B

Loss of certification, no legal fines

Frequently Asked Questions

Common questions about GDPR and AS9120B

GDPR FAQ

AS9120B FAQ

You Might also be Interested in These Articles...

SOC 2 for Bootstrapped SaaS: Lazy Founder's Automation Roadmap with Vanta/Drata Templates

Bootstrapped SaaS founders: Achieve SOC 2 Type 2 in 3 months with Vanta automation (cuts 70% manual work). Free templates, workflows, screenshots, metrics & Sig

CMMC Cost Calculator: Realistic Budgets for Levels 1-3, C3PAO Fees, and ROI for Small DIB Suppliers

Calculate realistic CMMC costs for Levels 1-3: self-assessments, C3PAO fees, tooling, remediation & ROI. Interactive tool for small DIB suppliers. Get benchmark

The Service-Oriented SOC: Leveraging Maturity Assessments to Guarantee SLOs and Operational Predictability

Transform your SOC into a service provider using maturity assessments to standardize workflows, guarantee SLOs, and ensure predictability amid turnover and risi

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

OSHA vs ISO 27018

Compare OSHA safety standards vs ISO 27018 cloud privacy controls. Expert guide to compliance gaps, risks & integration for secure workplaces. Optimize now!

EU AI Act vs CIS Controls

Compare EU AI Act vs CIS Controls: Decode AI risk tiers, prohibitions & cyber hygiene safeguards. Bridge compliance gaps for high-risk systems & enterprise security. Align now!

ISO 27001 vs PIPEDA

Compare ISO 27001 vs PIPEDA: International ISMS standard vs Canadian privacy law. Uncover key differences, overlaps, compliance tips & strategies for robust data protection. Boost security now!

GDPR

AS9120B

Quick Verdict

GDPR

Key Features

AS9120B

Key Features

Detailed Analysis

GDPR Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

AS9120B Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

GDPR FAQ

What is the primary objective of GDPR?

Who is legally or professionally required to comply with GDPR?

Does GDPR require an external audit or third-party certification?

How often should an assessment for GDPR be performed?

What are the consequences of non-compliance with GDPR?

Can GDPR be mapped to other international frameworks?

What is the first step to begin implementing GDPR?

AS9120B FAQ

What is the primary objective of AS9120B?

Who is legally or professionally required to comply with AS9120B?

Does AS9120B require an external audit or third-party certification?

How often should an assessment for AS9120B be performed?

What are the consequences of non-compliance with AS9120B?

Can AS9120B be mapped to other international frameworks?

What is the first step to begin implementing AS9120B?

You Might also be Interested in These Articles...

SOC 2 for Bootstrapped SaaS: Lazy Founder's Automation Roadmap with Vanta/Drata Templates

CMMC Cost Calculator: Realistic Budgets for Levels 1-3, C3PAO Fees, and ROI for Small DIB Suppliers

The Service-Oriented SOC: Leveraging Maturity Assessments to Guarantee SLOs and Operational Predictability

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

OSHA vs ISO 27018

EU AI Act vs CIS Controls

ISO 27001 vs PIPEDA