European Union, with extraterritorial reach to any organisation processing EU resident data.

GDPR

GDPR (General Data Protection Regulation)

Applies to

Any organisation processing personal data of EU residents, regardless of where the organisation is based. Controllers and processors have different obligations.

Creates urgency when

Data subject access request volume spikes, DPA investigation opens, a breach triggers 72-hour notification, or a customer pushes the DPA review forward.

Evidence burden

Records of processing activities, lawful basis documentation, data subject rights workflows, breach response procedures, and (when scaled) a Data Protection Officer.

Buying-committee effect

Brings the DPO, privacy counsel, and customer-facing privacy teams into deals. In data-heavy categories, privacy effectively becomes a co-buyer with security.

GTM angle

A data-rights and accountability story, not a security story. The buyer cares about discovery, response, and proof — not about whether the data is encrypted at rest.