No. SOC 2 and GDPR overlap on roughly 30 to 40 percent of controls but are not substitutes. SOC 2 with the optional Privacy TSC narrows the gap; ISO 27701 closes it further.
Short answer: no. SOC 2 is a security controls attestation. GDPR is a privacy regulation. They overlap on roughly 30 to 40 percent of controls — access management, encryption, incident response, vendor risk — but cover different scopes. SOC 2 will not satisfy a GDPR Article 32 obligation by itself, and GDPR will not satisfy a SOC 2 Trust Services Criteria audit.
Where the two overlap, the mapping is control-to-article, for example logging and monitoring (SOC 2 CC7.2 ↔ GDPR Article 32 "ability to ensure ongoing confidentiality").
Where GDPR goes beyond SOC 2
Lawful basis for processing (Article 6) — SOC 2 doesn't address why you collect data, only how you protect it.
Data subject rights (Articles 15-22) — access, rectification, erasure, portability. Not in SOC 2 scope.
Records of processing activities (Article 30) — formal data inventory, mostly absent from SOC 2.
Privacy by design and default (Article 25) — only partially covered by SOC 2 Privacy TSC.
Cross-border data transfer mechanisms (Articles 44-49) — entirely outside SOC 2 scope.
DPO appointment and DPIA processes — GDPR-specific.
What SOC 2 + Privacy TSC adds
SOC 2 has an optional Privacy Trust Services Criterion that adds privacy notice, choice, consent, collection limitation, and disposal controls. Adding the Privacy TSC narrows the gap to GDPR but does not close it. The Privacy TSC is closer to AICPA Generally Accepted Privacy Principles (GAPP) than to GDPR, and roughly half of SOC 2 reports do not include the Privacy TSC at all.
Closing the gap: ISO 27701
ISO 27701 is the privacy management extension of ISO 27001. It adds requirements for organizations acting as PII controllers and as PII processors, includes a mapping of those requirements to GDPR, and is the most common framework choice for companies that want both SOC 2 and GDPR coverage. Many companies pursue SOC 2 (Security) + ISO 27001 (ISMS) + ISO 27701 (Privacy) as the bundle that satisfies both US and EU procurement.
Practical guidance
If you sell to US enterprises: SOC 2 Type II Security TSC. Add Privacy TSC if multiple customers ask.
If you sell to EU enterprises: ISO 27001 + ISO 27701, plus a public privacy policy and DPA process. SOC 2 is optional.
If you sell globally: SOC 2 Type II + ISO 27001 + ISO 27701 is the most common combination. Reuse evidence across all three.
Always: maintain a Records of Processing Activities (RoPA), ship a customer-facing DPA, and document your data subject rights process. These are GDPR-specific and not auto-generated by SOC 2 alone.