EU Regulations & Directives

IAM Maturity Assessment for GDPR

The EU General Data Protection Regulation governs the processing of personal data. Articles 25 and 32 expect appropriate technical and organizational measures, and provisions on consent, data minimization, and data subject rights shape how customer identity programs are designed and operated.

Maturity threshold
2.5 / 4.0
Mapped questions
5
IAM domains
3
Assessment scope
All scopes
Identity Expectations

What GDPR Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to GDPR citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Consent and privacy management across the customer identity lifecycle, including withdrawal and preference handling
  • Customer registration and onboarding designed around data minimization and lawful processing
  • Visibility into which identities can access personal data, and data security posture mapping from identity to data
Question Mapping

AXIS Questions Mapped to GDPR

5 of the 37 questions in the AXIS bank carry GDPR citations, including 2 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to GDPR, with domain, capability, and framework references
QuestionDomainCapabilityGDPR references
SEC-04SecurityData Security Posture & Identity-to-Data Risk Mapping (DSPM)GDPR Art 30 (Records of Processing)
CIAM-01
Domino
CIAMRegistration & OnboardingGDPR Art 5 (Data Minimization); GDPR Art 5
CIAM-02
Domino
CIAMConsent & Privacy ManagementGDPR Art 6 (Lawfulness); GDPR Art 7 (Consent conditions); GDPR Art 7; GDPR Recital 32 (clear affirmative action); GDPR Art 5(2) (Accountability); GDPR Art 30 (Records of processing); GDPR Art 7(3) (Withdrawal as easy as giving consent); GDPR Art 12 (Transparent communication); GDPR Art 17 (Erasure); GDPR Art 20 (Portability)
CIAM-05CIAMCustomer Onboarding, Identity Proofing & KYCGDPR Art 25 (Privacy by Design); GDPR Art 5 (Data Minimization)
CIAM-DATA-01CIAM × DataCustomer Access-to-Data Visibility & Impact ControlGDPR Art 30; GDPR Art 32
Scoring Model

How AXIS Scores GDPR Alignment

A threshold model: each mapped control either meets the GDPR maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.5 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For GDPR, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for GDPR in a given assessment reflects the answers selected. The table above lists every question whose answer options carry GDPR citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

GDPR appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to General Data Protection Regulation (GDPR). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how GDPR applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against GDPR

Run the AXIS assessment and get your maturity score, GDPR alignment, and a prioritized roadmap in one pass. No signup required to start.