GDPR you can evidence — not a binder no one operates.
Practical readiness for the GDPR’s security and accountability obligations — the technical and organisational measures, the records, and the evidence a regulator or a customer asks to see.
- Senior-led delivery.
- Vendor-independent.
- Evidence-driven reporting.
The GDPR (Regulation (EU) 2016/679) has applied since May 2018, and it reaches well beyond the EU — any organisation offering goods or services to people in the EU, or monitoring them, sits in scope. Most programmes fail the same way: strong policies, thin evidence, and security measures that read well but were never tested.
We focus on the part we can prove (the security of processing and the accountability evidence); whether and how the GDPR applies to you, and the other legal judgement calls, stay with your counsel or DPO. Because we also run offensive security, the Article 32 “appropriate technical and organisational measures” are advised on by people who know how those measures actually fail.
Where we help
Security of processing (Article 32)
- The appropriate technical and organisational measures — and the evidence they operate. This is where our offensive work informs the advice: we know which controls hold under a real attack and which only look right on a register.
Records, lawful basis & accountability
- Records of processing (Article 30), a defensible lawful-basis and consent posture, and the accountability evidence that turns “we comply” into something you can show — to a supervisory authority, an auditor, or an enterprise customer.
Data protection by design & processors
- Data protection by design and by default (Article 25) baked into how systems are built, plus the Article 28 processor management: agreements, due diligence, and oversight of the vendors that touch personal data.
Transfers & breach readiness
- International-transfer mechanisms (SCCs, adequacy decisions, transfer impact assessments) and a breach-response process built for the Article 33 clock: notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Built to hold under pressure, not just on paper.
Scope. We provide practical compliance evidence and readiness, not legal advice — lawful-basis judgements, DPIAs as a legal instrument, and how the GDPR applies to you are your counsel’s or DPO’s call. We hold no supervisory authority and claim none.
When teams call us
The most common moments organisations bring us in for GDPR:
- An enterprise customer’s data-protection or procurement team is sending a GDPR questionnaire before they sign.
- You’re launching a product that handles personal data and want data protection by design from the start, not retrofitted.
- A supervisory authority has made an enquiry, or a breach has exposed how thin the evidence is.
- You act as a processor and your controllers are pushing Article 28 obligations down to you.
What you receive
The HackingByte Engagement Brief
Every service ends in the same three connected artifacts — so exploit, control gap, and business impact tell one story.
- Technical Report: reproducible findings with evidence and per-finding remediation, written for your engineers.
- Executive Risk Brief: the same findings as business risk for leadership and the board — no jargon, no CVSS tables.
- Action Plan: prioritised, owner-assigned, and scoped to what your team can actually deliver.
Timeline
What a typical readiness engagement looks like.
GDPR readiness runs to a defined gate. A representative engagement opens with a scoping and gap diagnostic across the accountability and security obligations — usually a couple of weeks — then a prioritised remediation plan, the records and evidence model, and where useful a technical assessment of the Article 32 measures, over the following weeks to a few months. An ongoing arrangement then keeps the records, processor oversight, and breach-readiness current.
We set the schedule around your real pressure — a customer’s data-protection questionnaire, a regulator’s enquiry, or a new product handling personal data — and confirm it during scoping before you commit.
How it’s different
- Security-first — we lead with Article 32 (security of processing), the obligation our offensive work makes us genuinely qualified to evidence, rather than reciting the whole regulation.
- Evidence over policy — a binder no one operates fails the first supervisory-authority question. We build proof that’s a by-product of how your team works, not a scramble before an audit.
- Interpretation left to counsel — we operationalise the GDPR and hand the legal judgement calls to your counsel or DPO; we support that work, we don’t pretend to replace it.
Who the GDPR reaches
Controllers, processors — and organisations well outside the EU.
The GDPR follows the data, not the office. If you offer goods or services to people in the EU, or monitor their behaviour, you are in scope wherever you are based — and you are in scope as a controller (you decide why and how data is processed), a processor (you process it on someone’s instructions), or both, with different obligations for each. We confirm which hat you wear for which processing before designing anything, because a SaaS processor and the controller using it carry very different evidence burdens.
Whether and how the GDPR applies to a given activity is a legal determination for your counsel or DPO. We help you scope the obligations and build the evidence once that is settled.
Security of processing
Article 32 — the obligation we’re built to evidence.
Article 32 requires “appropriate technical and organisational measures” for the security of personal data, taking account of the risk, and, crucially (Article 32(1)(d)), a process for regularly testing, assessing and evaluating the effectiveness of those measures. That testing requirement is where most GDPR programmes are weakest and where we are strongest: we assess the measures the way an attacker would, then document where they hold and where they do not. The same penetration testing and security assessment that prove exploitable risk become the evidence that your security of processing is real, not assumed.
Frequently asked questions
Are you lawyers or a DPO?
- No. We provide practical security and accountability readiness; lawful-basis judgements, DPIAs as a legal instrument, and how the GDPR applies are your counsel’s or DPO’s call. We support that work — particularly the Article 32 security evidence — rather than replace it.
Does the GDPR apply to us if we’re not in the EU?
- Possibly. The GDPR has extraterritorial reach — offering goods or services to people in the EU, or monitoring them, brings you into scope wherever you’re based. Whether it applies to a given activity is a determination for your counsel.
How does this connect to your penetration testing?
- Directly. Article 32 requires you to test the effectiveness of your security measures; our testing produces exactly that evidence. GDPR readiness and the testing can run as one programme.
We already do ISO 27001 — does that cover GDPR?
- It covers much of the security side, and we map one control set across both. But the GDPR adds data-protection-specific obligations — lawful basis, data-subject rights, transfers, records — that ISO 27001 doesn’t, so we cover the gap rather than assume it’s closed.
Tell us whether you’re a controller, a processor, or both — and what’s driving the deadline. We’ll scope GDPR readiness around the obligations that actually apply.
Every engagement ends in the same three connected artifacts, and the continuous monitoring platforms keep watch between engagements.