
Adopting GDPR Using COBIT® 5

Abstract
This white paper discusses the key elements of the General Data Protection Regulation (GDPR), the importance of governance of enterprise IT (GEIT) and the role of COBIT® 5 in establishing a framework for governance, the connections between COBIT 5 and the compliance requirements of GDPR, and key tips and takeaways for GDPR implementation efforts using COBIT 5.
Introduction—The Clock is Ticking on GDPR

The May 25, 2018, deadline for General Data Protection Regulation (GDPR) compliance is fast approaching, yet many multinational companies are still behind in their preparations. Adopted by the European Parliament and the European Council in April 2016, the EU data protection reform replaces the Data Protection Directive (95/46/EC) and is a sweeping regulation mandating organizations to meet very stringent requirements regarding the protection of the personal data of EU citizens (strictly, Article 3 frames the regulation's scope around data subjects who are in the EU, regardless of nationality). For the first time, this requirement also impacts companies based outside of Europe that do business in Europe. Compliance will affect security and privacy teams handling personally identifiable information (PII), including basic identity information; addresses (including Internet addresses); and health, biometric, ethnic, political or sexual information. It is an important development that enterprises must address.

Why is GDPR different? The requirements to protect personal information are not new, but they have grown significantly with the explosion of cloud computing and storage. The cloud, security and compliance are major areas of focus within the GDPR. From a regulatory perspective, this type of implementation is nothing new. To date, the world has seen EU privacy directives, the US Health Insurance Portability and Accountability Act (HIPAA), Safe Harbor, the US Gramm-Leach-Bliley Act (GLBA), the US Patriot Act, and many more. In recent years, EU data protection authorities have become much more active, in the wake of some major events regarding privacy. The GDPR is much more aggressive than previous requirements, with tougher consequences for violations. However, the GDPR language does leave room for interpretation: It uses the term "reasonable" in its definition of the required level of protection regarding personal data, but it does not define what "reasonable" actually means. This gives the supervisory authorities that enforce the GDPR wide latitude when it comes to assessing fines for noncompliance.

The bottom line: It does not matter where an enterprise is located. If the enterprise holds personal data on an individual in the EU, it is liable for protecting that data. This will have a drastic effect on the way companies hold, store and use data regarding customers, employees, suppliers or any other individuals. It is forcing many non-EU companies to rethink their strategy in the European market, and here is why: Any company that stores or processes personal information about individuals in the EU must comply. Specific criteria triggering compliance include: 1) a business's physical presence in the EU, or 2) a business's processing of the personal data of EU residents, even if the business maintains no physical presence in the EU.

Adopting GDPR Using COBIT® 5 // 2


Key Elements of the GDPR

There are numerous facets to the GDPR legislation, and many organizations are at first overwhelmed with the requirements. However, once it is broken down to its basic elements, it is possible to see the building blocks that will eventually form the overall project plan. The GDPR outlines key principles relating to the processing of personal data. These can be thought of as the highest level in the requirements taxonomy. They can be broken down and correlated with the enterprise's current practices to ease the shock of the legislation's magnitude.

Here are the key GDPR principles¹ that apply to processing personal data:
• Lawfulness, fairness and transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data minimization. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
• Accountability. The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.

¹ Article 5, General Data Protection Regulation—principles relating to processing of personal data, https://www.privacy-regulation.eu/en/5.htm

Governance of Enterprise IT and COBIT Principles

For companies already equipped with a solid governance structure, the compliance battle might be half-won already. For those without a formal structure in place, the GDPR has just become a major driver to adopting one. Governance frameworks are good practices designed to be adaptable to the specific environment in which they operate and generally withstand the test of time; that is, they are applicable regardless of the changing external environment and changes in technologies. Good governance frameworks define a common language, provide a sharp business focus, and help meet compliance and regulatory requirements by providing repeatable methods. Most importantly, governance frameworks are focused on providing value to enterprise stakeholders by ensuring benefits delivery while optimizing risks and resources. Although there are countless frameworks in the market today applicable to assisting in GDPR compliance, one stands out as an appropriate and useful tool: COBIT.

Although today the framework is simply known as COBIT, its origins are based on the confidentiality, integrity, availability and assurance of information, hence the original acronym of Control Objectives for Information and related Technology. The latest version, COBIT 5, is considered the only business framework that focuses on the governance and management of enterprise IT (GEIT). This principles-based, holistic model is well suited as a tool to assist in the adoption of sound practices to support the enterprise goal of creating value for its stakeholders. Its strength is ensuring benefits realization, risk optimization and resource optimization, as well as providing an overarching framework to govern and manage efforts toward GDPR compliance. Figure 1 illustrates the COBIT 5 principles and their high-level applicability to GDPR adoption success.
FIGURE 1—COBIT 5 PRINCIPLES
• Meeting stakeholder needs. Different stakeholders have different assurance requirements, and the COBIT goals cascade validates the alignment of stakeholder needs with specific processes and practices.
• Covering the enterprise end to end. COBIT covers all functions and processes within the enterprise and treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
• Applying a single integrated framework. COBIT aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for the governance and management of enterprise IT.
• Enabling a holistic approach. COBIT defines a set of interacting components, or enablers, to support the implementation of a comprehensive governance and management system.
• Separating governance from management. COBIT makes a clear distinction between governance and management, which is key to ensuring that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved.
SOURCE: ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, figure 2, USA, 2012

One nice feature of COBIT 5 is that it can be leveraged as a framework to manage frameworks. This means that organizations can get better visibility and control of the various frameworks, standards and best practices they use by organizing them under one centralized model.

Leveraging COBIT for compliance is nothing new. In fact, many organizations successfully used the framework to assist in the adoption of practices in support of the US Sarbanes-Oxley legislation, so it is well suited to help with the GDPR as well.

Enabling a Holistic Approach

At the core of the framework are the enablers. Illustrated in figure 2, enablers are "factors that, individually and collectively, influence whether something will work."²

² ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, page 27, USA, 2012

Enablers can be thought of as ingredients to a holistic approach to governing and managing information in relation to GDPR requirements. The following categories of enablers provide a complete view of the enterprise's approach to adopting the practices required to meet conformance and performance needs:
• Principles, Policies and Frameworks. Desired behaviors are translated into practical guidance and the flexible frameworks that manage the connections and modifications to those principles and policies. Good practices include scope and validity, consequences of compliance failure, the means of handling exceptions, and the ways compliance will be monitored and measured.
• Processes. A process is an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of overall enterprise goals. The COBIT process reference model identifies 37 processes in five domains (one governance domain, and four management domains). Fortunately, there is an enabler guide, COBIT 5: Enabling Processes, which is a great asset. The applicability to GDPR compliance is significant. For each of the processes, COBIT identifies the following:

  • Description and purpose
  • IT-related goals and associated metrics
  • Process goals and associated metrics
  • Governance and management practices (the guidance necessary to achieve process goals)
  • The activities supporting each practice (the guidance to achieve governance and management practices)
  • Responsible, accountable, consulted, informed (RACI) chart
  • Inputs and outputs at the practice level
  • Related guidance (other industry frameworks and standards that can be referred to for more detailed information)

Finally, process good practices include the COBIT 5 process reference model, complete with specific practices, activities and industry references to achieving process purpose. The 37 processes that make up the process reference model are noted in figure 3. This publication will refer to some specific processes in subsequent sections.
• Organizational Structures. This enabler is often the easiest to identify, but hardest to document, and is much more than just creating organization charts. It includes good practices such as key decision-making entities, span of control, level/delegation of authority, operating principles and escalation procedures in an enterprise.
• Culture, Ethics and Behavior. Often underestimated as a success factor in governance and management activities, this enabler refers to the set of individual and collective behaviors in an enterprise that support the overall goal of providing value. Good practices include communication, awareness of desired behavior, incentives, and rules and norms.
• Information. This enabler may be considered the lifeblood not only of COBIT, but of GDPR as well. Pervasive throughout any organization, this includes all information produced and used by the enterprise. The nature of information can be better understood through defining and clarifying its properties, including all information generated and processed by business or IT processes through its life cycle, from data, to information, to knowledge, to value. A more in-depth description of the information life cycle and key attributes can be found in COBIT 5: Enabling Information.
• Services, Infrastructure and Applications. This enabler includes all technology that provides processing of information and services. Good practices include reuse, buy vs. build, simplicity, agility, openness and, of course, additional industry frameworks for service management, such as IT Infrastructure Library (ITIL®).

FIGURE 2—COBIT 5 ENABLERS
The seven enablers, with Principles, Policies and Frameworks spanning the other six:
• Principles, Policies and Frameworks
• Processes
• Organizational Structures
• Culture, Ethics and Behavior
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies
SOURCE: ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, figure 12, USA, 2012

FIGURE 3—COBIT 5 PROCESS REFERENCE MODEL

GOVERNANCE
Evaluate, Direct and Monitor (EDM)
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency

MANAGEMENT
Align, Plan and Organize (APO)
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire and Implement (BAI)
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organizational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Deliver, Service and Support (DSS)
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

SOURCE: ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, figure 16, USA, 2012

• People, Skills and Competencies. People are required for successful completion of activities and decision making; therefore, defining the right roles and competencies is crucial to enterprise success. Good practices for this enabler include determining objective skill requirements for each role, which are different for each skill level and category.

For each enabler, COBIT 5 identifies four common dimensions that add depth. These include:
• Stakeholders. Each enabler has stakeholders who either play a role or have an interest in the enabler. There are internal and external stakeholders.
• Goals. Each enabler has a number of goals, and the achievement of these goals contributes to the overall goal of delivering value. These goals are classified as intrinsic, contextual and accessibility/security.
• Life cycle. Each enabler has a life cycle that spans from inception through disposal. The phases include plan, design, build/acquire/implement, use/operate, evaluate/monitor and update/dispose.
• Good practices. Each enabler can have some good practices defined that support the achievement of the enabler goals. These are examples or suggestions on how to best implement the enabler. They can be either COBIT-specific examples or guidance from other standards and frameworks.

As is evident, leveraging the enablers is a great way not only to effectively govern and manage enterprise IT and information, but also to provide a reasonable approach to scoping out which areas to consider. It is important to note that each of these enablers, although described as a separate subject, has a major impact on all the other enablers. Hence, creating a balanced and thorough governance framework means recognizing the interaction between these ingredients.

The enabler descriptions above are short definitions intended to help organize a GDPR compliance effort. More details about the enablers can be found in COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Any additional references are noted.

How COBIT Can Help With GDPR Compliance

The GDPR contains 99 articles defining requirements and rights granted to EU citizens, compliance structure, and noncompliance penalties. Of course, every organization needs to review the GDPR and determine its specific next steps. The following sections outline some of the key areas of concern and the relevant COBIT approach.

Defining High-risk Data and Impact Assessments

Companies must conduct data protection impact assessments (DPIAs) when processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. Article 35 names systematic and extensive profiling, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas as cases that always require one. The assessment must describe the processing, assess the risk, and set out the measures the company is taking to address it. This is akin to a risk assessment, which assesses the risk and the measures in place to address it. These are the primary COBIT processes to consider:
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• APO11 Manage Quality
• APO12 Manage Risk
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Protection, Processing and Storing of Personal Data

For each individual, all personal data must be processed transparently, and only for the purpose specified. Companies must provide a "reasonable" level of data protection and privacy. Data must be processed securely to protect against unauthorized access, loss or damage, using appropriate technical and organizational measures. The GDPR does not define exactly what that means; Article 32 gives pseudonymization and encryption, ongoing confidentiality, integrity, availability and resilience of systems, timely restoration after an incident, and regular testing of the measures as examples, and leaves the rest to a risk-based judgment. It is safe to presume that if the data are lost or stolen, the enterprise will have to demonstrate that its measures were appropriate, and a supervisory authority is likely to find a breach of compliance if it cannot. These are the primary COBIT processes to consider:
• EDM05 Ensure Stakeholder Transparency
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO10 Manage Suppliers
• APO13 Manage Security
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Consent, Portability, Right to Access and Right To Be Forgotten

Where consent is the lawful basis for processing, individuals must give it for the personal data being stored and may withdraw it, and in every case individuals have the right to know, upon request, what personal data a company is using and how the data are being used. An EU citizen may transfer his/her personal data from one company to another upon request in a structured, commonly used and machine-readable format. Furthermore, companies must stop processing and/or delete personal data upon an EU citizen's request, subject to the conditions and exceptions in Articles 17 and 21 (for example, data that must be retained to meet a legal obligation). This requirement goes one step further: allowing the EU citizen the right to be forgotten by having personal data deleted upon request. These are the primary COBIT processes to consider:
• EDM05 Ensure Stakeholder Transparency
• APO01 Manage the IT Management Framework
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• BAI08 Manage Knowledge

Appointment of Data Protection Officers

Some companies must appoint a data protection officer (DPO), who oversees the company's data security strategy and overall GDPR compliance. Which enterprises are required to have a DPO? Under Article 37, the requirement applies to public authorities, to organizations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, and to organizations whose core activities consist of large-scale processing of special categories of personal data (such as health or biometric data) or of data relating to criminal convictions. These are the primary COBIT processes to consider:
• EDM01 Ensure Governance Framework Setting and Maintenance
• APO07 Manage Human Resources
• BAI05 Manage Organizational Change Enablement

Reporting Data Breaches

Enterprises (more specifically, data controllers) are required to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the affected individuals must be informed as well. Data processors often discover a breach first and are responsible for notifying the controller without undue delay; the 72-hour clock runs from the moment the controller becomes aware. Many organizations already have these procedures in place, but few actually test them, for example by rehearsing a breach and timing the path from detection, through processor-to-controller notification, to the report to the authority. These are the primary COBIT processes to consider:
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Ensuring Regulatory Compliance

To ensure proper compliance with the legislation, organizations need to constantly monitor, evaluate and assess their controls and continually investigate improvements in terms of innovative technologies and ideas. Organizations must provide assurance that they follow the stated requirements. These are the primary COBIT processes to consider:
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Readers who were keeping track may have noticed that all 37 processes from the COBIT 5 process reference model can be connected to a GDPR program. Admittedly, some of these connections are very strong and others are minimal, but the message is clear: Adopting a GEIT framework such as COBIT 5 can drastically enhance an enterprise's posture toward meeting the GDPR, as well as most regulatory requirements that exist in the market today. The 37 processes are just one of seven enablers, and understanding the connections among these enablers provides a clear picture of stakeholder needs as well as the practices required to satisfy those needs.

Key Tips & Takeaways for GDPR Implementation

To ease the pain of gaining compliance, a series of implementation tips follows. Based on observations of, and recommendations from, several entities that have already begun the path toward GDPR compliance, the following is a list of key success factors to consider on the compliance journey:

1. Develop a sense of urgency. It is no surprise that this is at the top of the list. Gaining executive-level support is key here, as that support drives the attitudes and expectations required to successfully adopt good governance practices to apply and comply with GDPR.
Hint: Read COBIT 5: Implementation for more tips and techniques on gaining executive-level support and recognizing the need to act.

2. Think of GDPR as an opportunity. Although gaining and maintaining compliance seems burdensome, it is clearly the right approach. Remember that the reason the enterprise exists is to create value for stakeholders, and well-applied GDPR is an important value-adding contributor.
Hint: The COBIT 5 goals cascade identifies stakeholder needs that are cascaded to enterprise goals, to IT-related goals, and to enabler goals to assist in determining the most appropriate processes on which to focus to enhance stakeholder value.

3. Get an inventory of the enterprise's current governance frameworks and practices, including the data protection plan. Most enterprises already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
Hint: GDPR is a regulatory concern that can be satisfied by adopting existing best practices such as COBIT, ITIL, The Open Group Architecture Framework (TOGAF), the US National Institute of Standards and Technology (NIST) publications, the International Organization for Standardization (ISO) standards, and many others.

4. Consider COBIT 5 as a framework to manage frameworks, but do not stop with just one framework. This is an extension of the previous tip. Although it is the only business framework for GEIT, COBIT is not the only game in town. However, it is well suited to serve as a central framework to help determine the components needed from other frameworks to provide a true GEIT model.
Hint: The COBIT Online website has additional information about this approach at https://cobitonline.isaca.org/about.

5. Appoint a DPO and other applicable roles now. Even in enterprises that are not affected by the GDPR, these are still good roles to identify and appoint. These roles may already be fulfilled now, just under different names.
Hint: COBIT 5: Enabling Processes identifies RACI charts for all 37 processes.

6. Conduct an enterprise risk assessment to assist in decision making. It is important to know what data the enterprise stores and processes on EU citizens, as well as any associated risk. Risk assessments can help identify the risk, determine measures to mitigate the risk and develop action plans to manage the risk.
Hint: COBIT 5 for Risk and ISO 31000 are great places to start when determining an appropriate risk assessment process and linking it to the GDPR requirements.

7. Launch a widespread awareness and training program. Everyone in the organization must be familiar with the requirements of GDPR as well as his or her specific role. Training is most likely one of the most important actions an enterprise can take to increase the probability of a successful program.
Hint: In enterprises that are leveraging COBIT to assist in their compliance efforts, the COBIT 5 Foundation course is a good place to start.

8. Plan and rehearse incident response plans. Most organizations already have some form of incident response plan; however, the GDPR has some requirements that may not have been considered. Enterprises must report breaches to the supervisory authority within 72 hours of becoming aware of them (where feasible), so detection, escalation and decision paths need to be measured against that clock. How well response teams react will directly affect the enterprise's risk of fines for the breach.
Hint: Improve existing incident response procedures by looking at the applicable COBIT and ITIL processes and then creating a specific model for the GDPR requirement.

9. Focus on the information. Remember that information is an asset, a resource and, if it is not protected, a liability. Understanding the attributes, location and life cycle of the data can enhance the enterprise's ability to provide the protections required under the GDPR.
Hint: COBIT 5: Enabling Information can assist in understanding these life cycles and attributes.

10. Perform continuous assessment and assurance. Maintaining compliance requires continuous monitoring and improvement. It is important for the enterprise not to let its efforts fade away as it moves to the next initiative, or unpleasant surprises may occur. Keep the momentum going.
Hint: Use COBIT's implementation model or ITIL's Continual Service Improvement (CSI) approach, and ensure that the internal assurance/audit function is engaged.

In summary, organizations that focus on compliance alone simply do not have a holistic governance framework in place. Meeting GDPR requirements should be a conformance component of a larger risk/benefit initiative that balances conformance with enterprise performance. The COBIT 5 framework, while complete in enterprise governance coverage, does not satisfy every compliance need that an enterprise has, but it can certainly provide the governance and management framework to assist in determining the most appropriate approach to creating value and confidence for stakeholders. In this case, that is providing assurance that personal data have the confidentiality, integrity and availability required by the GDPR legislation.

ISACA®
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: www.isaca.org/GDPRusingCOBIT5
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus™ (CSX), a holistic cybersecurity resource, and COBIT®, a business framework to govern enterprise technology.

Disclaimer
This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances.

Reservation of Rights
© 2017 ISACA. All rights reserved.

ACKNOWLEDGMENTS
ISACA would like to recognize:

Author
Mark Thomas, CRISC, CGEIT, Escoute Consulting, USA

Expert Reviewers
Sue Milton, CISA, CGEIT, GEIT Business Advisor, UK
Peter Tessin, CISA, CRISC, CGEIT, ISACA, USA

ISACA Board of Directors
Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, U.S. House of Representatives, USA, Chair
Robert Clyde, CISM, Clyde Consulting LLC, USA, Vice-Chair
Brennan Baybeck, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA, Director
Zubin Chagpar, CISA, CISM, PMP, Amazon Web Services, UK, Director
Peter Christiaans, CISA, CRISC, CISM, PMP, Deloitte Consulting LLP, USA, Director
Hironori Goto, CISA, CRISC, CISM, CGEIT, ABCP, Five-I, LLC, Japan, Director
Mike Hughes, CISA, CRISC, CGEIT, Haines Watts, UK, Director
Leonard Ong, CISA, CRISC, CISM, CGEIT, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck & Co., Inc., Singapore, Director
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India, Director
Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, FACS CP, BRM Holdich, Australia, Director
Ted Wolff, CISA, Vanguard, Inc., USA, Director
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT (Pty) Ltd, South Africa, Director
Christos K. Dimitriadis, Ph.D., CISA, CRISC, CISM, Intralot, S.A., Greece, Past Chair
Robert E Stroud, CRISC, CGEIT, Forrester Research, Inc., USA, Past Chair
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair
Matt Loeb, CGEIT, FASAE, CAE, ISACA, USA, Director
