GDPR Compliance Services

Whether you are a US company that has EU customers and just received a GDPR inquiry, a business that processes personal data for European clients and is not sure what that requires, or an organization preparing for a contract that mandates GDPR compliance, the consequences of getting it wrong are significant. Fines of up to 4% of global annual turnover, mandatory breach notifications within 72 hours, and the reputational damage of a public regulatory action are not theoretical. European supervisory authorities have been issuing substantial fines across every industry.

garrisonOne builds GDPR compliance programs around how your organization actually processes personal data, not around generic policy templates. We map what you hold, establish lawful bases for how you use it, implement data subject rights processes, and govern your vendor chain, so your program holds up under scrutiny and not just on paper.

  • 4%: of global revenue or 20M euros
  • 72 hrs: breach notification deadline
  • 27: EU member states covered
  • Data subject rights must be honoured

Data Mapping & Processing Inventory

Most organizations do not have a complete picture of what personal data they hold, where it came from, or where it flows. When a supervisory authority investigates or a data subject submits an access request, that uncertainty becomes a liability. We map every category of personal data your organization processes (source, storage, access, retention, and destination) and build the Record of Processing Activities your GDPR program requires. You know exactly what you hold and can prove it.

Lawful Basis & Consent Management

Using consent as the default lawful basis for every processing activity is a common mistake: it creates an obligation to honor withdrawals that can break your business model. Relying on legitimate interests without a proper balancing test is a finding waiting to happen. We assess each processing activity, determine the correct lawful basis, document the rationale, and, where consent is genuinely the right choice, design consent mechanisms that are specific, informed, freely given, and auditable.

Privacy Notices & Data Subject Rights

A privacy notice buried in a footer that no one reads, or a subject access request process that takes 45 days and delivers an incomplete response: both are enforcement risks. We rewrite your privacy notices into plain language that is actually read, and build internal procedures for handling access, rectification, erasure, restriction, and portability requests, with response templates and escalation paths so your team can respond correctly within the one-month window GDPR requires.

Data Protection Impact Assessments (DPIA)

Launching a new product feature, implementing AI-driven profiling, or onboarding a new data processor without a DPIA when one is required is a compliance failure before the project even goes live. We conduct Data Protection Impact Assessments for high-risk processing activities (new systems, large-scale profiling, surveillance, and sensitive data), identifying privacy risks early enough to build mitigating controls in before launch, not as a retrofit after regulators raise concerns.

Vendor & Third-Party Data Management

Under GDPR, you remain responsible for personal data even after it leaves your systems. A vendor that mishandles data you shared with them is your liability too. We audit your vendor relationships, identify every processor and sub-processor that handles EU personal data on your behalf, review your Data Processing Agreements for legal sufficiency, and close the gaps, contractually and operationally, so your third-party chain does not become your biggest compliance risk.

Breach Response & Ongoing Governance

The 72-hour breach notification window starts from the moment your organization becomes aware of a breach, not from when legal or compliance is briefed. Without a tested incident response process, that window closes before you have even decided whether notification is required. We build your breach detection, assessment, and notification procedures in advance, so when an incident occurs your team makes the right call quickly and sends the supervisory authority a complete notification rather than a premature or incomplete one that triggers follow-up inquiries.

Understanding GDPR

What organizations handling EU personal data need to know

What is GDPR?

The General Data Protection Regulation is an EU law that governs the collection, use, storage, and transfer of personal data belonging to EU residents. Effective since May 2018, it applies to any organization worldwide that processes the personal data of EU residents, regardless of where that organization is based. GDPR establishes eight data subject rights and requires documented accountability for every processing activity.

Who does it apply to?

GDPR applies to any organization, US-based or otherwise, that offers goods or services to EU residents, monitors their behavior, or processes their personal data as part of any business activity. Controllers (who determine the purpose of processing) and processors (who process data on a controller's behalf) both have direct obligations. There is no size exemption: a five-person startup with EU users must comply.

Why does it matter?

GDPR enforcement carries penalties of up to 4% of global annual turnover or 20 million euros, whichever is greater. Beyond fines, breaches must be reported to supervisory authorities within 72 hours, and affected individuals must be notified. High-profile enforcement actions, including against major US technology companies, have established that regulators pursue cross-border cases actively.

How do you comply?

Compliance requires mapping all personal data flows, establishing a lawful basis for every processing activity, implementing data subject rights procedures, reviewing vendor contracts for GDPR-compliant Data Processing Agreements, conducting DPIAs for high-risk processing, and maintaining a Record of Processing Activities. It is an ongoing governance obligation, not a one-time implementation project.

Official source: GDPR Full Text (EUR-Lex)



What Makes Us Different From Others

  • Compliance That Works in Practice: We build GDPR programs around how your business actually operates, not around a theoretical ideal that falls apart the moment your team tries to follow it.
  • Data Mapping Done Properly: Many organizations have incomplete or outdated records of processing. We do the work of understanding your actual data flows before making any compliance recommendations.
  • Risk-Based, Not Checkbox-Based: GDPR is a risk-based regulation. We focus your effort and investment on the processing activities and gaps that represent genuine risk to individuals and your organization.
  • Vendor Management Included: Third-party data risk is one of the most commonly overlooked areas of GDPR compliance. We address it directly rather than treating it as someone else's problem.
  • Documentation Built for Real Use: Privacy notices, DPIAs, and data subject rights procedures are written in plain language your staff can actually follow, not dense legal documents that require a lawyer to interpret.
  • Ongoing Support Beyond Initial Implementation: GDPR compliance is not a one-time project. We support ongoing governance, annual reviews, and updates as your processing activities, vendors, and regulatory requirements change.

Client results

See how we have helped

Technology / SaaS

SaaS Startup — AWS Security Hardening

A seed-stage SaaS startup had customer data in a public S3 bucket. garrisonOne conducted a full AWS security assessment against CIS benchmarks and hardened the environment in 4 weeks.

  • 3 public S3 buckets closed
  • 19 overprivileged IAM roles fixed
  • 100% security review passed

Frequently asked questions

Who does GDPR apply to?

GDPR applies to any organization that processes the personal data of individuals in the European Union, regardless of where the organization itself is based. If you have EU customers, employees, or website visitors whose data you collect, GDPR applies to you even if your business is headquartered outside Europe.

What counts as personal data under GDPR?

Personal data is any information that relates to an identified or identifiable individual. This includes obvious identifiers like names and email addresses, but also IP addresses, location data, cookie identifiers, device IDs, and any other data that could be used to single out a person, either alone or in combination with other information.

What are the lawful bases for processing personal data?

GDPR identifies six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Consent is often assumed to be required, but it is just one option and not always the most appropriate. We help you identify the correct basis for each processing activity, which has significant implications for how you manage and communicate that processing.

What are data subject rights and how do we handle them?

Individuals have the right to access their data, correct inaccuracies, request erasure, restrict processing, receive their data in a portable format, and object to certain uses. You are generally required to respond within one month. We implement documented processes and response templates so your team can handle requests correctly without scrambling each time one arrives.

When do we need to conduct a Data Protection Impact Assessment?

A DPIA is required when processing is likely to result in a high risk to individuals' rights and freedoms. This includes systematic profiling, large-scale processing of sensitive data, and systematic monitoring of publicly accessible areas. We assess your processing activities and advise on when a DPIA is required and how to conduct it properly.

What happens if we have a data breach?

Under GDPR, you are required to notify your supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals, and to notify affected individuals if the risk is high. We develop your breach response procedures in advance so you can meet these timelines rather than trying to figure out the process while a breach is actively unfolding.

Do we need a Data Protection Officer (DPO)?

A DPO is mandatory for public authorities, organizations that carry out large-scale systematic monitoring of individuals, and those that process special categories of data at large scale. Even if not mandatory, having a designated privacy contact is good practice. We can advise on whether a DPO is required for your organization and what the role should cover.

How does GDPR interact with other compliance frameworks we have?

GDPR shares meaningful overlap with ISO 27001, SOC 2, and HIPAA in areas such as data security, access controls, incident response, and vendor management. If you are already working toward one of these frameworks, we can build your GDPR program to draw on that existing work rather than treating it as a completely separate effort.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a garrisonOne expert.


No obligation: just clarity on your next step.
