Question 1

Is GDPR a certification?

Accepted Answer

No. GDPR is an EU regulation enforced by national data protection authorities. There is no GDPR certificate. Companies demonstrate compliance through documentation: privacy notices, records of processing activities (Article 30), DPIAs, DPAs with sub-processors, and lawful basis records.

Question 2

Does SOC 2 cover GDPR?

Accepted Answer

Partially. The Privacy Trust Services Criterion in SOC 2 maps to several GDPR controls (data subject rights, retention, disposal), but GDPR also requires legal artifacts (DPAs, lawful basis, DPO designation in some cases) that SOC 2 does not directly attest to. Most enterprise buyers expect both a SOC 2 + Privacy report and a documented GDPR program.

Question 3

What are the maximum GDPR fines?

Accepted Answer

Tier 1 violations carry fines up to the greater of €10M or 2% of global annual revenue. Tier 2 violations (consent, data subject rights, cross-border transfers) carry fines up to the greater of €20M or 4% of global annual revenue.

GDPR

Key controls