Accountability
Hardsecure support data controllers to be able to demonstrate they are GDPR compliant. And this isn’t something you can do after the fact: If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant. Among the ways, Hardsecure can support the organization in this:

• Support data protection responsibilities to organization team.
• Maintain detailed documentation of the data that organization is collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
• Train organization staff and implement technical and organizational security measures.
• Have Data Processing Agreement contracts in place with third parties that organization contract to process data for you.
• Support Data Protection Officer (internally or Hardsecure will deliver this services).

Data Security
Organization is required to handle data securely by implementing “appropriate technical and organizational measures.” Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.
Organizational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organization who need it.
If you have a data breach, you have 72 hours to tell the data subjects to the UE country entity responsible for GDPR audit, or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)

Data Protection by design and by default
Hardsecure support everything that organization must do, “by design and by default,” consider data protection. Practically speaking, this means that organization must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in Article 25.
Suppose, for example, you’re launching a new app for your company. You must think about what personal data the app could possibly collect from users, then consider ways to minimize the amount of data and how you will secure it with the latest technology.

Data Protection Officers
Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO). There are three conditions under which organization are required to appoint a DPO and be supported by Hardsecure:

1. You are a public authority other than a court acting in a judicial capacity.
2. Your core activities require you to monitor people systematically and regularly on a large scale.
3. Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g., You’re a medical office.)