So the proof that regulators are looking for to ensure organizations are doing the right thing really depends on how the regulators engage with the organization. It could be either that they proactively come into the organization to assess them and make sure they're in line with GDPR requirements, or reactively, they've come in based on a breach of personal data that the organization has had. The regulator is looking for proof that the organization's board is aware of GDPR and is aware of the personal data risks. They need to ensure that the organization has assessed the scope of GDPR within that organization.
The regulator also needs proof that the organization has carried out an exercise to know what personal data they have, where it's going, and what kind of entities and parties are accessing that data, whether it's internal teams, or third parties and vendors that are partnering with that organization. And then it's about the controls that the organization has implemented, whether it's encryption or masking or monitoring, detection and response controls. And this depends on the risk profile the organization has accepted.
So whether it's monitoring, detection and response controls that organizations have implemented: GDPR is a risk-based framework. It's a risk-based regulatory framework, and the organizations have the ability to choose the right controls for their risk profile, as long as they can justify those controls to the regulator when they come knocking on their door.