▸Any organization that processes personal data of people in the EU, as a controller or a processor
▸Companies for which a personal data breach would carry regulatory, financial, or reputational risk
▸Organizations that need to demonstrate Article 32 security to customers, a DPO, or the supervisory authority