GDPR
GDPR (General Data Protection Regulation)
Any organisation processing personal data of EU residents, regardless of where the organisation is based. Controllers and processors have different obligations.
Data subject access request volume spikes, DPA investigation opens, a breach triggers 72-hour notification, or a customer pushes the DPA review forward.
Records of processing activities, lawful basis documentation, data subject rights workflows, breach response procedures, and (when scaled) a Data Protection Officer.
Brings the DPO, privacy counsel, and customer-facing privacy teams into deals. In data-heavy categories, privacy effectively becomes a co-buyer with security.
A data-rights and accountability story, not a security story. The buyer cares about discovery, response, and proof — not about whether the data is encrypted at rest.