A complete GDPR compliance programme, from data mapping and DPIAs to breach notification and DPA management, covering obligations for both controllers and processors handling EU/EEA personal data.
GDPR applies to any organisation worldwide that processes EU/EEA personal data. Fines from supervisory authorities have exceeded €4.5 billion since 2018. Beyond fines, GDPR compliance is now a standard enterprise procurement requirement.
Map all personal data flows across systems, vendors, and transfers; build and maintain the Article 30 Record of Processing Activities (RoPA).
Conduct Article 35 DPIAs for high-risk processing; deliver documented assessments ready for supervisory authority review.
Review current processing practices against all GDPR obligations; identify gaps and prioritise remediation by risk level.
Evaluate international transfers against Schrems II requirements; implement supplementary measures and transfer impact assessments (TIAs) for non-adequate countries.
Audit processors and sub-processors for GDPR compliance; review DPAs, data handling, and cross-border transfer mechanisms.
Identify and document the legal basis under Article 6 for every processing activity; conduct legitimate interest assessments where applicable.
Deploy granular, revocable consent mechanisms compliant with GDPR; implement cookie banners, marketing consent, and preference centres.
Build Article 28 data processing agreements (DPAs) with all sub-processors; manage review, remediation, and vendor compliance tracking.
Implement Articles 15-22 data subject rights workflows: access, rectification, erasure, portability, restriction, and objection within statutory timelines.
Build incident response aligned to Article 33 (72-hour supervisory authority notification) and Article 34 (data subject notification); deliver templates, decision trees, and tabletop exercises.
Draft GDPR-compliant privacy notices covering all Article 13/14 disclosures; include concise, layered, and child-friendly versions.
Support mandatory DPO appointment under Article 37; establish the DPO charter, reporting lines, and task delegation under Articles 37-39.
Conduct periodic reviews of processing activities, DPIA triggers, and regulatory developments across EU supervisory authorities.
Deliver role-based GDPR training for marketing, HR, product, and engineering teams; include annual refreshers and scenario-based exercises.
Align technical and organisational measures with Article 32; implement pseudonymisation, encryption, and resilience testing.
Maintain Article 30 RoPA as processing activities change, vendors rotate, or data flows are modified.
Review international transfer mechanisms as adequacy decisions evolve; update SCCs and supplementary measures as required.
Support supervisory authority investigations, complaints handling, and formal enquiries across EU member state data protection authority (DPA) jurisdictions.
GDPR applies regardless of where you are based. If you offer goods or services to EU residents or monitor their behaviour online, GDPR applies to you.
Technology companies processing EU customer data are in scope, and their enterprise customers require GDPR-compliant sub-processors with valid DPAs in place.
Multinationals with EU offices, employees, or customers must comply with GDPR across all data processing activities touching EU personal data.
A structured six-phase process from initial gap assessment through to ongoing regulatory monitoring and compliance maintenance.
Map all personal data flows and gap-assess current practices against GDPR obligations across all processing activities and systems.
Build RoPA, privacy notices, DPAs, consent flows, legal basis register, and DPIA programme with documented procedures.
Implement data subject rights workflows and breach notification procedures aligned to Articles 33 and 34 with response templates.
Deploy consent management platforms and align technical security measures with Article 32, including encryption, access controls, and pseudonymisation.
Deliver role-based GDPR training across the organisation and establish or support the Data Protection Officer function with clear reporting lines.
Periodic review of processing activities, new DPIA triggers, regulatory developments, and cross-border transfer mechanisms as adequacy decisions evolve.