CASE 15Banking & FS
DORA across 11 ICT functions, on schedule.
→
CASE 14GDPRPUBLISHED · 2026
Audit-ready GDPR programme stood up in four months.
Eleven priority gaps. Six-month clock. We took the DPO function on day one, rebuilt the programme around special-category data, and delivered a clean response pack to the supervisory authority in four months.
Sector
Pharmaceutical
Scale
4,000 employees
Region
CEE + DACH
Regulation
GDPR
Duration
4 months
Team
7 practitioners
AT A GLANCE
SCOPE
DPO function and authority liaison
Article 30 register and DPIA programme
Special-category data flows across 7 jurisdictions
Vendor estate, ~80 processors
OUTCOME
All 11 priority findings closed by deadline
Response pack accepted on first authority review
Programme handed back to internal DPO on schedule
01 / THE BRIEF
What landed on our desk.
A pharmaceutical group failed a regulator-prompted self-assessment with eleven findings classified as priority — six of them concerning special-category data flows across legal entities in seven jurisdictions.
The supervisory authority gave a six-month deadline to deliver a remediation pack. The internal data protection function had been vacant for four months. There was no DPIA inventory, no current Article 30 record, and an unmapped vendor estate of roughly 80 processors.
02 / WHAT WE DID
Five workstreams, one programme.
01
DPO function, day one
Took the role of named DPO of record across all entities. Single point of accountability to the authority for the duration of the engagement.
02
Rebuild around special-category data
Mapped clinical, HR-health and pharmacovigilance flows first. Lawful bases re-grounded under Art. 9. Cross-entity transfers re-papered under Art. 46.
03
Vendor estate triaged
Eighty processors classified by risk and category. Article 28 DPAs renegotiated where required. Sub-processor chains documented end-to-end.
04
Authority liaison
Drafted and submitted the response pack. Ran two formal authority sessions. Closed all eleven findings without conditional commitments.
05
Programme handover
Trained two senior internal hires into the run-state functions. Documentation handed over with an operating manual the authority had already accepted.
03 / OUTCOMES
What changed, in numbers.
● VERIFIED · CLIENT-APPROVED11 / 11
Priority findings closed
all closed by deadline
4 mo
Time to remediation pack
against 6-month deadline
Accepted
Authority review
on first submission, no conditions
7 d
DSAR cycle time
from 24 d at programme start
63 / 63
Vendors re-papered
Article 28 DPAs in force
On time
Programme handover
internal DPO hire onboarded
04 / VOICE
“They walked in, picked up the file, and stayed accountable until the authority closed it. We never had to chase them.
— GROUP GENERAL COUNSEL
05 / ENGAGEMENT
How the work was set up.
SCOPE OF WORK
GDPR programmeDPIAsVendor riskCross-border transfersDPO-as-a-ServiceAuthority liaison
DURATION
4 months
7 practitioners
COVERAGE
CEE + DACH
4,000 employees · Pharmaceutical
BRING US IN
Same shape, your problem.
Senior partner on the call, scoped engagement letter inside two weeks, named DPO from day one if that is the brief.
Related cases.
All cases →CASE 13Enterprise SaaS
AI Act classification of 7 production models.
→
CASE 10Energy operator
NIS2 essential-entity programme passed authority review.
→