[
{
"control_id": "A.5.1",
"control_name": "Policies for information security",
"regulation": "GDPR",
"articles": ["24", "32"],
"coverage": "partial",
"notes": "GDPR requires appropriate technical and organisational measures (Art 32) and establishes controller responsibility (Art 24)"
},
{
"control_id": "A.5.2",
"control_name": "Information security roles and responsibilities",
"regulation": "GDPR",
"articles": ["24", "37", "38", "39"],
"coverage": "partial",
"notes": "Controller accountability (Art 24), DPO designation and tasks (Art 37-39)"
},
{
"control_id": "A.5.10",
"control_name": "Acceptable use of information and other associated assets",
"regulation": "GDPR",
"articles": ["5", "6"],
"coverage": "full",
"notes": "Purpose limitation and lawfulness principles (Art 5, 6)"
},
{
"control_id": "A.5.31",
"control_name": "Legal, statutory, regulatory and contractual requirements",
"regulation": "GDPR",
"articles": ["1", "2", "3"],
"coverage": "full",
"notes": "GDPR scope and applicability (Art 1-3)"
},
{
"control_id": "A.5.33",
"control_name": "Protection of records",
"regulation": "GDPR",
"articles": ["5", "30"],
"coverage": "full",
"notes": "Storage limitation principle (Art 5) and records of processing (Art 30)"
},
{
"control_id": "A.5.34",
"control_name": "Privacy and protection of PII",
"regulation": "GDPR",
"articles": ["1", "5", "6", "7", "9", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22"],
"coverage": "full",
"notes": "Core GDPR requirements for personal data protection"
},
{
"control_id": "A.6.8",
"control_name": "Information security event reporting",
"regulation": "GDPR",
"articles": ["33", "34"],
"coverage": "full",
"notes": "Personal data breach notification within 72 hours (Art 33) and communication to data subjects (Art 34)"
},
{
"control_id": "A.7.10",
"control_name": "Storage media",
"regulation": "GDPR",
"articles": ["5", "32"],
"coverage": "partial",
"notes": "Storage limitation (Art 5) and security measures (Art 32)"
},
{
"control_id": "A.8.3",
"control_name": "Information access restriction",
"regulation": "GDPR",
"articles": ["25", "32"],
"coverage": "partial",
"notes": "Data protection by design and by default (Art 25), security measures (Art 32)"
},
{
"control_id": "A.8.10",
"control_name": "Information deletion",
"regulation": "GDPR",
"articles": ["17"],
"coverage": "full",
"notes": "Right to erasure ('right to be forgotten') (Art 17)"
},
{
"control_id": "A.8.11",
"control_name": "Data masking",
"regulation": "GDPR",
"articles": ["4", "25", "32"],
"coverage": "full",
"notes": "Pseudonymisation defined (Art 4) and required as a security measure (Art 25, 32)"
},
{
"control_id": "A.8.12",
"control_name": "Data leakage prevention",
"regulation": "GDPR",
"articles": ["32", "33"],
"coverage": "partial",
"notes": "Security of processing (Art 32) and breach notification requirements (Art 33)"
},
{
"control_id": "A.8.24",
"control_name": "Use of cryptography",
"regulation": "GDPR",
"articles": ["32", "34"],
"coverage": "partial",
"notes": "Encryption mentioned as an appropriate measure (Art 32); it affects breach notification requirements (Art 34)"
},
{
"control_id": "A.8.28",
"control_name": "Secure coding",
"regulation": "GDPR",
"articles": ["25"],
"coverage": "partial",
"notes": "Data protection by design and by default (Art 25)"
}
]