SOC 2 CC6.1 access controls vs GDPR Art. 32 — how do you reconcile audit evidence requirements
SOC 2 Type II requires continuous monitoring of access controls (CC6.1-CC6.8), but GDPR Art. 32 mandates 'regular testing, assessing and evaluating' of technical measures. When running a SaaS that processes EU citizen data, how are teams reconciling these two frameworks during audits? Specifically:

- Do SOC 2 auditor reports count as 'regular testing' under Art. 32, or do you need separate GDPR-specific assessments?
- If a penetration test reveals a vulnerability that affects personal data, does GDPR's 72-hour breach notification clock start from the pen-test discovery date, even if no actual exfiltration occurred?
- How are teams documenting the overlap in their RoPA (Art. 30): as a single processing entry with dual legal basis, or split entries per framework?