What is the primary objective of GDPR?

The primary objective of GDPR is to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data, while ensuring the free movement of personal data within the EU. Enacted as Regulation (EU) 2016/679 and enforceable since May 25, 2018, it replaces the fragmented 1995 Data Protection Directive by establishing uniform rules through its seven core principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Who is legally or professionally required to comply with GDPR?

GDPR applies to any controller or processor established in the EU, or any non-EU entity offering goods/services to or monitoring the behaviour of EU data subjects, regardless of location. Article 3 defines its extraterritorial scope, capturing global organisations processing personal data of EU residents. Controllers determine processing purposes, while processors act on their behalf; both must appoint a Data Protection Officer (DPO) for large-scale systematic monitoring of special categories of data or public authorities (Article 37).

Does GDPR require an external audit or third-party certification?

GDPR does not mandate external audits or third-party certification for general compliance. Article 42 encourages voluntary certification mechanisms, codes of conduct (Article 40), and seals/ marks to demonstrate conformity, but these are optional. Controllers must self-demonstrate accountability via Records of Processing Activities (Article 30), Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35), and internal governance.

How often should an assessment for GDPR be performed?

GDPR requires ongoing, risk-based assessments rather than fixed intervals, with Data Protection Impact Assessments (DPIAs) conducted prior to high-risk processing and reviewed if risks change. Article 35 mandates DPIAs for systematic monitoring, large-scale special category data processing, or novel technologies posing high risks. Article 32 demands continuous evaluation of security measures based on state-of-the-art risks, ensuring perpetual accountability under Article 5(2).

What are the consequences of non-compliance with GDPR?

Non-compliance with GDPR incurs administrative fines up to €20 million or 4% of total global annual turnover, whichever is higher, for severe violations like unlawful processing or data subject rights breaches. Tiered penalties under Article 83 apply: up to €10 million or 2% for lesser infringements (e.g., records, DPO duties). Supervisory authorities enforce via the one-stop-shop (Article 56), with additional remedies including data subject compensation (Article 82) and injunctions.

Can GDPR be mapped to other international frameworks?

Yes, GDPR principles such as accountability, data minimisation, and data subject rights align closely with frameworks like Brazil's LGPD, California's CCPA/CPRA, and Japan's APPI. Its global influence stems from the "Brussels Effect," where extraterritorial scope (Article 3) and adequacy decisions (Article 45) facilitate mappings, though divergences exist in consent models (opt-in vs. opt-out) and penalties.

What is the first step to begin implementing GDPR?

The first step to implement GDPR is to conduct a comprehensive data mapping exercise to identify all personal data processing activities, legal bases, and associated risks. This informs Records of Processing Activities (Article 30), determines DPIA needs (Article 35), and establishes the accountability principle (Article 5(2)), enabling data protection by design/default (Article 25).

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks—including malicious acts, functional failures, and disruptions—while integrating top management leadership, risk treatment aligned with ISO 31000, and operational controls for supply chain interdependencies. The standard is sector-agnostic, applicable to all organization sizes, emphasizing holistic governance over prescriptive controls.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary and not legally mandatory for any organization. It applies professionally to any entity—commercial, government, or non-profit—across all sizes and activities influencing supply chain security, such as logistics providers, manufacturers, retailers, ports, and 3PLs. Compliance is driven by contractual "flow-down" requirements, customer demands, insurer preferences, or trade facilitation programs, with organizations tailoring implementation proportionally to their risk context and interested parties.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity may be verified via internal or external auditing. Certification is optional, following ISO 28003 guidelines for certification bodies, typically involving Stage 1 (design review) and Stage 2 (effectiveness audit) after internal audit and management review. Organizations pursue it for market credibility, with ongoing surveillance audits ensuring sustained maturity.

How often should an assessment for ISO 28000 be performed?

Risk assessments under ISO 28000 must be maintained as an ongoing process, with internal audits conducted at planned intervals per a risk-based program. Clause 9.2 requires audits considering process importance and prior results; management reviews (Clause 9.3) occur at planned intervals to evaluate performance, context changes, and compliance. Frequency is organization-defined but typically annual for reviews and audits, with ad-hoc reassessments for changes or incidents.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties as it is a voluntary standard. Consequences are indirect: operational disruptions from unmanaged risks (e.g., theft, sabotage), loss of contracts or market access due to unmet partner requirements, higher insurance premiums, and reputational damage. Internally, ineffective SMS exposes organizations to incidents without structured response, recovery, or continual improvement.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 is structurally aligned with Annex SL for integration with other ISO management system standards. Its PDCA structure, clause numbering (4–10), and risk principles (Clause 4, aligned with ISO 31000) enable mapping to frameworks like those for quality, environment, or business continuity, sharing elements such as policy, objectives, audits, and reviews while focusing on supply chain security risks.

What is the first step to begin implementing ISO 28000?

The first step is determining the context of the organization, interested parties, and SMS scope per Clause 4. This involves mapping internal/external issues, supply chain requirements, legal obligations, and externally provided processes, producing documented scope and a compliance register to inform risk planning (Clause 6) and leadership commitment (Clause 5).

Standards Comparison

GDPR vs ISO 28000

GDPR

Mandatory

2016

EU regulation for personal data protection and privacy

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

GDPR mandates personal data protection for EU residents globally with hefty fines, while ISO 28000 is a voluntary standard for supply chain security management via risk-based systems. Companies adopt GDPR for legal compliance; ISO 28000 for resilience and certification.

Data Privacy

GDPR

Regulation (EU) 2016/679 General Data Protection Regulation

Cost

€€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Extraterritorial scope targets non-EU entities processing EU data
Accountability principle demands demonstrable compliance proof
Fines up to 4% of global annual turnover
72-hour mandatory personal data breach notification
Enhanced rights including erasure and portability

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk assessment and treatment aligned with ISO 31000
PDCA cycle for continual security improvement
Supply chain-focused operational controls and plans
Leadership commitment and top management accountability
Integration with ISO 22301 for resilience

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

GDPR Details

What It Is

GDPR (Regulation (EU) 2016/679) is a binding EU regulation protecting natural persons' personal data. It modernizes privacy for the digital age with extraterritorial scope, applying globally to EU data processors. Core approach is accountability-based, requiring organizations to demonstrate compliance via risk assessments.

Key Components

Seven principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity, accountability.
Data subject rights: access, rectification, erasure, portability, objection.
Obligations: DPO appointment, DPIAs, 72-hour breach notifications, ROPAs.
Enforcement via DPAs with fines up to 4% global turnover; no certification needed, continuous compliance model.

Why Organizations Use It

Mandated for EU data handling, reduces breach risks, builds trust. Enables Digital Single Market, avoids massive penalties, inspires global standards like LGPD. Enhances reputation, supports innovation under privacy-by-design.

Implementation Overview

Assess processing, map data flows, appoint DPO, train staff, update contracts. Applies to all sizes/industries processing EU data; SMEs face high burdens. No formal certification; ongoing audits by DPAs, two-year initial transition typical.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security management systems — Requirements is an international certification standard for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security. It adopts a risk-based approach using the PDCA cycle to manage threats like theft, sabotage, and disruptions.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Emphasizes risk assessment (aligned with ISO 31000), operational controls, and security plans.
Built on harmonized ISO structure for integration; supports third-party certification per ISO 28003.

Why Organizations Use It

Reduces supply chain risks and incidents for continuity.
Meets contractual, regulatory, and partner requirements.
Enhances market access, insurance terms, and stakeholder trust.
Provides governance for resilience and competitive edge.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, audits.
Applicable to all sizes/industries; scalable for logistics, manufacturing.
Involves training, documentation; certification via Stage 1/2 audits.

Key Differences

Aspect	GDPR	ISO 28000
Scope	Personal data privacy and protection	Supply chain security management
Industry	All sectors processing EU data globally	Logistics, manufacturing, any supply chain
Nature	Mandatory EU regulation with fines	Voluntary management system standard
Testing	DPIAs, audits by DPAs	Internal audits, certification audits
Penalties	Up to 4% global turnover fines	Loss of certification, no legal fines

Scope

GDPR

Personal data privacy and protection

ISO 28000

Supply chain security management

Industry

GDPR

All sectors processing EU data globally

ISO 28000

Logistics, manufacturing, any supply chain

Nature

GDPR

Mandatory EU regulation with fines

ISO 28000

Voluntary management system standard

Testing

GDPR

DPIAs, audits by DPAs

ISO 28000

Internal audits, certification audits

Penalties

GDPR

Up to 4% global turnover fines

ISO 28000

Loss of certification, no legal fines

Frequently Asked Questions

Common questions about GDPR and ISO 28000

GDPR FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

ISO 27701 Implementation Roadmap: Extending Your ISMS to PIMS in 12 Months or Less

Extend ISO 27001 ISMS to ISO 27701 PIMS in 12 months with our phased roadmap. Templates, checklists & infographics for RoPA, DSARs & audit-ready privacy complia

Thailand PDPA Implementation Guide: Subordinate Regulations for 72-Hour Breach Reporting and Cross-Border Transfers (2022-2024 Rules)

Step-by-step Thailand PDPA guide: 72-hour breach notifications, cross-border transfers (2022-2024 rules). Risk checklists, GDPR templates avoid THB 5M fines. Mu

Decoding Tomorrow's Regulations: How Advanced Compliance Tools Predict and Prepare for Future Shifts

Advanced compliance tools use AI, analytics & real-time monitoring to predict regulatory shifts, cut non-compliance costs 3x, and ensure audit readiness. Stay p

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how GDPR and ISO 28000 compare against other standards

Other GDPR Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Seven principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity, accountability.

Data subject rights: access, rectification, erasure, portability, objection.

Obligations: DPO appointment, DPIAs, 72-hour breach notifications, ROPAs.

Enforcement via DPAs with fines up to 4% global turnover; no certification needed, continuous compliance model.

What It Is

Aspect

GDPR

ISO 28000

Scope

Personal data privacy and protection

Supply chain security management

Industry

All sectors processing EU data globally

Logistics, manufacturing, any supply chain

Nature

Mandatory EU regulation with fines

Voluntary management system standard

Testing

DPIAs, audits by DPAs

Internal audits, certification audits

Penalties

Up to 4% global turnover fines

Loss of certification, no legal fines