EU regulation · personal data protection

GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) has applied across the EU since May 2018. Article 32 requires security of processing appropriate to the risk. We deliver and validate that security and produce the evidence.
Who it applies to
Any organization that processes personal data of people in the EU, as a controller or a processor
Companies for which a personal data breach would carry regulatory, financial, or reputational risk
Organizations that need to demonstrate Article 32 security to customers, a DPO, or the supervisory authority
What it requires
The obligations, clearly explained.
01
Security of processing (Article 32)
Technical and organizational measures appropriate to the risk, including encryption, access control, and resilience.
02
Data protection by design and by default (Article 25)
Security and data minimization built into systems from the start, not added afterwards.
03
Breach detection and notification (Articles 33-34)
The ability to detect a personal data breach and notify the supervisory authority within 72 hours.
04
Accountability
Documented evidence that the measures exist, operate as described, and are reviewed.
How Raptoric helps
We do the engineering work, not just the documentation.
Security gap assessment
We assess your processing environment against the Article 32 security requirements and identify the gaps.
Control implementation
We implement and validate the technical controls: encryption, access control, logging, and segmentation.
Breach readiness
We build the detection and response that make the 72-hour notification deadline achievable.
Testing and evidence
We test the controls through penetration testing and produce the evidence of security of processing.
We deliver and validate the technical and organizational security measures (Article 32). We do not provide legal advice or act as your data protection officer; we work alongside your DPO and legal counsel.
FAQ
Questions, answered
Does GDPR apply to my company?
If you process personal data of individuals in the EU, as a controller or a processor, it applies. The obligations follow the data, not the company's location.
What does Article 32 require?
Security of processing appropriate to the risk: technical and organizational measures such as encryption, access control, and resilience, and a process for regularly testing their effectiveness. We implement and validate these measures.
Do you provide legal or DPO services?
No. We deliver the security half of GDPR, the technical and organizational measures and the evidence that they work. We work alongside your legal counsel and data protection officer, who own the legal interpretation.
How does GDPR connect to penetration testing?
Article 32 calls for a process to regularly test and evaluate the effectiveness of security measures. Penetration testing is how that effectiveness is demonstrated, and the report becomes part of your accountability evidence.
Need to be ready for GDPR?
Our team will define the scope of work with you on a 30-minute call.
Book a scoping call or email contact@raptoric.com