Compliance · EU Data Protection

GDPR compliance, engineered to last

The General Data Protection Regulation reshaped how the world handles personal data. S-Security helps you map it, secure it, and prove it — so a routine audit or a 3 a.m. breach never becomes an existential event.

What is GDPR?

One regulation, global reach

The GDPR (Regulation (EU) 2016/679) entered into force in May 2016 and has applied since 25 May 2018. It governs how organizations collect, process, store, and transfer the personal data of people in the European Union and European Economic Area.

Crucially, it applies extraterritorially (Article 3). If you offer goods or services to people in the EU, or monitor their behavior there, you are in scope regardless of where your company is headquartered. A SaaS startup in Texas, a retailer in Singapore, and a bank in Frankfurt are all equally accountable.

GDPR rests on seven principles (Article 5): lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The last one matters most operationally: you must not only comply, you must be able to demonstrate that you do.

Who must comply

Any controller (decides why and how data is processed) or processor (processes on a controller's behalf) handling EU personal data — including non-EU companies serving EU customers.

  • Organizations established in the EU/EEA
  • Non-EU firms offering goods or services to people in the EU/EEA
  • Anyone tracking the online behavior of individuals in the EU/EEA
  • Processors and sub-processors anywhere in the supply chain

Key requirements

The obligations that define GDPR

These are the pillars regulators test against — and where most non-compliance findings originate.

Lawful basis & consent

Every processing activity needs a documented lawful basis (Article 6). Where you rely on consent, it must be freely given, specific, informed, and unambiguous, and withdrawing it must be as easy as giving it (Article 7).

72-hour breach notification

A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Breaches likely to result in a high risk also require notifying the affected individuals without undue delay (Article 34).

Data subject rights

Individuals can request access, rectification, erasure (the right to be forgotten), restriction, portability, and objection (Articles 15 to 21). You must respond within one month, free of charge; the period can be extended by up to two further months for complex or numerous requests, but you must tell the individual about the extension within the first month.

Security of processing (Art. 32)

Implement appropriate technical and organizational measures proportionate to the risk: pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access promptly after an incident; and regular testing of those measures' effectiveness. Access control and least privilege are how most organizations meet the confidentiality requirement in practice.

DPO & accountability

Public authorities, and organizations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special-category data, must appoint a Data Protection Officer (Article 37). Accountability also means maintaining Records of Processing Activities (RoPA, Article 30) and carrying out a Data Protection Impact Assessment (DPIA, Article 35) before any processing likely to result in a high risk to individuals.

International transfers

Moving personal data outside the EEA requires a valid transfer mechanism (Chapter V): an adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules. Where you rely on SCCs or BCRs, you also need a transfer impact assessment showing that the destination country's law does not undermine those safeguards.

How S-Security helps

From scattered data to provable compliance

We map GDPR's legal obligations to concrete, audited controls — and run them for you, continuously.

GDPR obligation | How we deliver it | Backed by
Article 32 security of processing | Encryption, access governance, and continuous posture monitoring across your estate | Cloud Security
72-hour breach notification | 24/7 detection and a rehearsed IR playbook that produces a regulator-ready report fast | Incident Response
Data minimization & mapping | Data discovery and classification to find PII sprawl, shadow data, and exposed secrets | Managed Detection & Response
Identity & access control | Zero-trust access so personal data is reachable only by who needs it, when they need it | Zero Trust
Demonstrating accountability | Validation that your stated controls actually hold up under real-world attack | Penetration Testing

Also handling US healthcare or payment data? See HIPAA and PCI-DSS.

The compliance journey

Your path to GDPR readiness

A pragmatic, phased program — most clients reach demonstrable readiness within a single quarter.

Data mapping & gap assessment

We inventory where personal data lives, how it flows, and which lawful bases apply, then score you against each GDPR article that applies to you to expose the gaps.

Controls & governance

We define your RoPA, DPIA process, retention schedules, and the technical safeguards required under Article 32, aligned to your actual risk.

Secure, remediate, rehearse

Encryption, zero-trust access, and monitoring go live. We run a tabletop breach exercise so your 72-hour clock is muscle memory, not theory.

Evidence & audit support

We assemble the documentation a supervisory authority expects and stand beside you for inquiries, audits, and data subject requests.

Continuous compliance

Regulations shift and so does your data. We monitor, re-test, and update controls so you stay compliant between audits — not just on audit day.

The cost of getting it wrong

GDPR carries two tiers of administrative fines. Lesser violations can reach €10 million or 2% of global annual turnover, whichever is higher. The most serious breaches — violating data subject rights or core processing principles — can reach €20 million or 4% of global annual turnover, whichever is higher.

Regulators have shown they mean it: enforcement actions since 2018 have totaled well over €4 billion, including individual fines exceeding €1 billion. Beyond the headline penalty, expect mandatory breach disclosure, civil claims from affected individuals, processing bans, and the reputational damage that follows a front-page incident.

  • 4%: maximum fine, as a share of global annual turnover
  • 72 hours: breach notification deadline
  • Over €4 billion: total GDPR fines issued to date
  • 1 month: to answer a data subject request

"We expanded into the EU without a privacy program. S-Security mapped our data, stood up our breach process, and walked us through a regulator inquiry without a single finding. We passed clean."

Marcus Bell · VP Information Security · Cobalt Financial

FAQ

GDPR questions, answered

Does GDPR apply to my company if we're based outside the EU?

Very likely yes. GDPR applies extraterritorially: if you offer goods or services to people in the EU/EEA, or monitor their behavior, you're in scope regardless of where you're incorporated. Many non-EU organizations also need to appoint an EU representative under Article 27.

Do we really have to report a breach within 72 hours?

Yes, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The clock starts when you become aware of the breach. You can submit in phases as facts emerge, but the initial notification to the supervisory authority is due within 72 hours. Our incident response process is built to hit that deadline with a complete, defensible report.

Do we need to appoint a Data Protection Officer?

A DPO is mandatory if you're a public authority, or if your core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special-category or criminal-conviction data. Even when not required, many organizations appoint one voluntarily. We help you scope the role and the supporting governance regardless of which side of the line you fall on.

How is GDPR different from achieving ISO 27001 or SOC 2?

GDPR is a legal obligation focused on privacy rights; ISO 27001 and SOC 2 are voluntary frameworks that attest to your security management. They reinforce each other: strong ISO/SOC controls provide much of the technical evidence GDPR's Article 32 demands, but GDPR adds privacy-specific duties (lawful basis, data subject rights, international transfers, breach notification) that they don't cover.

Ready to get compliant?

Make GDPR a strength, not a scramble

Start with a free GDPR readiness assessment. We'll show you exactly where the gaps are and the fastest path to closing them.