GDPR Compliance
Data protection and privacy governance.
Do you need to act on GDPR?
If you handle personal data of people in the EU, GDPR applies. The real question is whether your security measures hold up.
You likely need this if
- You process personal data of customers, employees or users in the EU
- You are unsure your technical and organizational measures meet the 'appropriate security' bar
- You have no tested process for detecting and reporting a breach within 72 hours
- You rely on processors or share data without clear security assurance
Not sure where you land? A short scoping call will tell you plainly, including if you do not need this yet.
What is GDPR?
The General Data Protection Regulation (GDPR) establishes mandatory data privacy and security requirements for organizations processing the personal data of individuals within the European Union. Our comprehensive service portfolio addresses the regulation's core principles through governance frameworks, continuous data mapping, technical security measures, and workforce privacy awareness programs. By combining proactive risk planning, encryption management, and rights validation, organizations can demonstrate compliance with mandatory privacy measures while building consumer trust and operational resilience against data incidents.
Core Requirements & Our Services
Governance & Accountability
Establish Data Protection Impact Assessments (DPIAs), privacy policies, and the appointment of data protection roles across controllers and processors.
Data Mapping & Inventory
Support mandatory compliance through data flow mapping - identifying what personal data is collected, where it is stored, and how it moves.
Technical Security (TOMs)
Implement technical and organizational measures including encryption, pseudonymization, and access controls across all systems processing personal data.
Data Subject Rights
Fulfill Subject Access Requests (SARs) and implement mechanisms for individuals to exercise their rights to access, rectification, and portability.
Vendor Management
Fulfill Article 28 requirements through Data Processing Agreements (DPAs) and continuous monitoring of third-party supply-chain risks.
Breach Response & Reporting
Meet mandatory incident handling requirements with a 72-hour notification window to supervisory authorities and detailed reporting obligations.
Human Factor
Fulfill human resources security requirements through data privacy awareness training and confidentiality clauses for staff handling sensitive data.
The full GDPR capability set
From data mapping to board reporting - everything in one programme.
Gap analysis & readiness assessment
Baseline your processing activities and controls against GDPR obligations.
Tailored privacy bundles
Service bundles scoped to your sector, data types, and risk profile.
Incident response & forensic readiness
72-hour breach notification playbooks and evidence capture.
Audit-ready reports for regulators
Evidence packs mapped to each GDPR article, board-ready.
Employee training & awareness
Role-based privacy awareness tied to your HR security duties.
Supply chain & third-party risk
Processor (DPA) risk scoring and a maintained vendor register.
Continuous security monitoring
Always-on control telemetry and drift detection.
Executive dashboards
Live privacy posture and compliance status for the board.
Take a look inside the board report
This export-ready sample shows how our reporting structure aligns with GDPR and can be presented to your board or regulatory body - every section, exactly as they'll see it.
- 01 Summary of Compliance Status p.2
- 02 Risk Overview p.4
- 03 Incident Handling Capability p.6
- 04 Vulnerability & Threat Posture p.8
- 05 Actions Taken & Next Steps p.10
FAQ - GDPR
Who has to comply with GDPR?
Any organization that processes the personal data of individuals residing inside the European Union (EU) must comply with GDPR.
This applies regardless of where your company is physically located or headquartered. If you market goods or services to, or monitor the behavior of, EU residents, the General Data Protection Regulation applies to your business under its extra-territorial jurisdiction rule.
What counts as personal data under GDPR?
Under GDPR, personal data is any information relating to an identified or identifiable natural person.
This includes obvious direct identifiers as well as indirect digital footprints. Examples include:
- Basic identifiers: full names, physical addresses, and email addresses.
- Digital identifiers: IP addresses, browser cookie data, and location tracking data.
- Sensitive personal data: biometric data, health records, political affiliations, sexual orientation, and ethnic origin.
What are the core data protection principles?
Enterprises must handle all personal information in accordance with seven foundational data protection principles outlined in Article 5.
- Lawfulness, fairness & transparency: have a valid legal basis for processing and clearly communicate it to users.
- Purpose limitation: data must only be collected for specified, explicit, and legitimate purposes.
- Data minimization: only collect the absolute minimum amount of data necessary.
- Accuracy: take reasonable steps to ensure inaccurate data is erased or rectified.
- Storage limitation: personal data must be deleted or anonymized once it is no longer needed.
- Integrity & confidentiality: appropriate security measures must protect data against unauthorized access or loss.
- Accountability: you must be able to actively demonstrate compliance with these rules.
Do we need to appoint a Data Protection Officer?
No, appointing a Data Protection Officer (DPO) is not mandatory for every business.
However, you are legally required to designate a DPO if you meet any of these criteria:
- You are a public authority or body.
- Your core activities require regular, systematic, and large-scale monitoring of data subjects.
- Your core activities involve large-scale processing of special categories of sensitive data (such as health or criminal records).
Note on data breaches: if a breach occurs, regardless of whether you have a DPO, you must report it to the relevant supervisory authority within 72 hours of discovery.
What are Technical and Organizational Measures (TOMs)?
Technical and Organizational Measures (TOMs) are the combined security safeguards, IT controls, and internal policies an organization implements to protect personal data.
- Technical measures: data encryption (at rest and in transit), multi-factor authentication (MFA), pseudonymization, firewalls, and regular vulnerability scanning.
- Organizational measures: employee privacy training, strict access control policies, physical building security, and robust incident response frameworks.
Do we need contracts with third-party vendors that handle our data?
Yes. Article 28 of the GDPR mandates a legal contract - a Data Processing Agreement (DPA) - with every third-party vendor (data processor) that handles personal data on your behalf.
This includes your cloud hosting providers, email marketing tools, CRM software, and analytics systems. The DPA binds the processor to strict security standards and outlines exactly how they are allowed to handle your users' information.
What are data subject rights?
Data subject rights grant individuals extensive control over how organizations collect and use their personal data.
Your business must have processes to fulfill these requests (often called Data Subject Access Requests, or DSARs) within 30 days. Core rights include:
- Right of access: to know what data you hold about them and receive a copy.
- Right to rectification: to have inaccurate or incomplete data updated.
- Right to erasure: the 'right to be forgotten', allowing users to request complete deletion.
- Right to data portability: to download their data in a structured, machine-readable format.
- Right to object: to stop their data being processed for direct marketing.
What are the penalties for non-compliance?
GDPR penalties are structured into two tiers and can be devastating to a business's bottom line.
- Standard infringements: up to 10 million euros or 2% of total global annual turnover from the preceding financial year, whichever is higher (procedural violations such as missing DPAs).
- Severe infringements: up to 20 million euros or 4% of total global annual turnover from the preceding financial year, whichever is higher (violations of core principles or data subject rights).
Where should we start?
The critical first step is performing a comprehensive data mapping audit and gap analysis.
Before writing privacy policies, you must understand your organization's data lifecycle - documenting exactly what personal data you collect, where it is stored, who has access to it, and which third-party systems it flows through. This mapping highlights your highest-risk gaps so you know exactly what to fix first.