EU regulation since 2018 governing personal data.
Sets the rules for how organisations collect, store, use and share personal data of people in the EU.
SERVICE PRACTICE · DATA PROTECTION & GDPR
External DPO and full GDPR programme.
We act as your external Data Protection Officer, build the full GDPR programme, and deliver audit-ready documentation. DSAR handling, breach response, DPIA, vendor DPAs and supervisory liaison included.
DPO.DESK · LAST 30 DAYS● LIVE
Data subject requests handledavg 9 d cycle128
DPIAs reviewed / signed17
Vendor DPAs negotiated34
Article 33 incidents triaged1 notified4
Cross-border transfer assessments11
Records of Processing entries kept current420
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / GDPR IN 60 SECONDS
GDPR overview.
Anyone processing EU personal data, anywhere.
Applies regardless of where the organisation is headquartered. Sole proprietors to multinationals. Same rulebook.
Most-fined regulation in the EU. €5.9B issued.
Fines up to €20M or 4% of global turnover. Enforcement is cross-border, coordinated, and accelerating.
TIER 1 · PROCEDURAL
Up to €10M or 2% turnover
Records, security measures, breach notification, DPIA failures.
TIER 2 · SUBSTANTIVE
Up to €20M or 4% turnover
Lawful basis, data subject rights, international transfers, principles.
§ 02 / ARTICLES IN SCOPE
Articles in scope.
DATA SUBJECT RIGHTS
Art. 15Right of accessConfirmation, copy, processing context.
Art. 16-17Rectification and erasureCorrect or delete. Right to be forgotten.
Art. 20Data portabilityStructured, machine-readable export.
Art. 21-22Objection and automated decisionsOpt-out of profiling. Human review of AI decisions.
CORE OBLIGATIONS
Art. 30Records of processingInventory of activities, purposes, recipients, retention.
Art. 32Security of processingTechnical and organisational measures, tested.
Art. 33Breach notification72 hours to the supervisory authority.
Art. 35DPIA for high-risk processingPre-deployment assessment. Residual risk sign-off.
Art. 37-39Data Protection OfficerAppointed, named, independent, reachable.
§ 03 / HOW TO ENGAGE
Engagement models.
DPOMOST POPULAR
DPO-as-a-Service
Outsourced Data Protection Officer named to the supervisory authority. We run your privacy programme end-to-end on a monthly retainer.
- →Named DPO of record
- →Monthly steering review
- →DSAR and breach response
- →Annual programme report
PROG12-16 WK
GDPR Programme Implementation
Fixed-scope, fixed-fee build of a complete programme. Policies, RoPA, DPIAs, vendor stack, training, controls.
- →Full policy stack
- →Records of Processing
- →DPIA library
- →Trained staff and playbooks
AUDIT2-3 WK
GDPR Audit and Gap Assessment
Independent review against current ICO and EDPB guidance. Maturity score, prioritised gap register, executive readout.
- →Maturity baseline
- →Gap register, priority-scored
- →Risk-weighted roadmap
- →Board-ready readout
§ 04 / SCOPE
Scope of work.
01 / 04
Programme and governance
- Privacy policy stack
- Records of Processing (Art. 30)
- Roles and responsibilities (RACI)
- Board reporting cadence
- Privacy-by-design SDLC integration
02 / 04
Operational obligations
- Data subject request handling
- Article 33 breach triage and notification
- DPIAs (Art. 35)
- Legitimate interest assessments
- Children and special-category controls
03 / 04
Third parties and transfers
- Vendor and sub-processor register
- Article 28 DPA negotiation
- Cross-border transfer assessments (TIA)
- SCC implementation and monitoring
- Joint-controller arrangements
04 / 04
People and evidence
- Role-based GDPR training
- Awareness campaigns and phishing tests
- Internal audit programme
- Supervisory authority correspondence
- Annual programme report
§ 05 / DPO-AS-A-SERVICESee sample engagement letterPDF · 6PP
Named DPO function.
An external DPO named in your register, available to staff and supervisory authorities. Article 38 independence, no conflict of interest, monthly programme support and on-call breach triage.
Response SLA · DSARs
24 h
Response SLA · breach
4 h
Quarterly steering
Included
DPA registration
We file
SAMPLE.MONTHLY.READOUTOCT 2026
DSARs14 / 14 in SLA
Breach incidents2 triaged, 1 notified
DPIAs delivered3
New vendors onboarded7 / DPA signed
Open risk register12 items · 0 high
Authority correspondence1 voluntary submission
SIGNED. IVANA ŠARIĆ, DIRECTOR. REGULATORY STRATEGY
§ 06 / SELECTED WORK
All case studies →Recent engagements.
CASE 01Pharmaceutical · 4,000 employees
Full GDPR programme passed DPA audit with zero findings.
0
Audit findings
4 mo
Time to audit-ready
€3.2M
Fines avoided
SCOPEGDPR · DPIAs · Vendor risk · DPO-aaS
CASE 02Pan-EU e-commerce
Cross-border transfer assessments after Schrems II. 47 vendors remediated.
47
Vendors assessed
47
TIAs completed
92%
Remediation
SCOPEArt. 46 transfers · TIA · SCCs · Vendor renegotiation
CASE 03B2B SaaS · 200-person
Outsourced DPO covering 11 EU jurisdictions on a single retainer.
11
Jurisdictions
~90
DSARs / month
7 d
Avg cycle
SCOPEDPO-aaS · DSAR ops · Authority liaison
§ 07 / WHY THIS MATTERS
Enforcement landscape.
€5.88B
Total GDPR fines issued (2018-2025)
€1.2B
Largest single fine (Meta, 2023)
2,170+
Public enforcement decisions tracked
72 h
Article 33 breach notification window
TREND 01
Cross-border enforcement is now the default
EDPB consistency mechanism resolved 38 disputes in 2025. Lead-authority shopping has effectively ended.
TREND 02
Special-category data carries premium fines
Health, biometric and children's data drive multipliers. AI trained on customer data sits in this risk class.
TREND 03
DSARs are weaponised
Volume up 3.4× in five years. Failures account for one in five complaints to authorities.
§ 08 / FAQ
Common questions.
01Do we actually need a DPO?+
Article 37 mandates one for public bodies, large-scale monitoring, and large-scale special-category processing. Many organisations under that threshold still appoint one as a matter of governance and to satisfy customer due diligence.
02Can an outsourced DPO be named to the supervisory authority?+
Yes. Article 37(6) explicitly permits a service-contract DPO. We are named on your register, identifiable to staff and authorities, and reachable by data subjects.
03How quickly can you stand up a programme?+
A working baseline (RoPA, core policies, DSAR process, breach playbook) in 6 weeks. Audit-ready maturity in 12-16 weeks for a typical mid-market organisation.
04Will you work alongside our internal counsel?+
Yes. Most engagements run that way. We deliver evidence and operations. Legal counsel keeps strategic privilege. We integrate via your matter-management or ticketing system.
05What happens at a supervisory authority enquiry?+
We respond as DPO of record, prepare the evidence pack, brief executives, and attend the meeting. Pre-supervisory readiness reviews are part of the DPO-aaS retainer.
06Can the same engagement cover GDPR and AI Act obligations?+
Yes. Our DPIA template extends to combined GDPR and AI Act assessments, and the records architecture serves both. See the Technology & AI sector page for AI Act-specific scope.
§ 09 / RESOURCES
Templates and guides.
GUIDEPDF · 28 pages
GDPR Compliance Guide
Complete implementation roadmap for European businesses. 30-point checklist included.
Download ↓EMAIL REQUIRED
GUIDEPDF · 22 pages
Schrems II and International Transfers
SCCs, Transfer Impact Assessments, US Privacy Framework, adequacy decisions.
Download ↓EMAIL REQUIRED
TEMPLATEPDF + DOCX
Breach Response Playbook
Step-by-step procedure for managing GDPR breaches inside the 72-hour window.
Download ↓EMAIL REQUIRED
§ 10 / RELATED PRACTICES
Related practices.
Cybersecurity & NIS2
Same incident, two clocks. NIS2 layers a 24-hour CERT warning on top of the GDPR 72-hour notification.
Open practice →AI Compliance
Article 35 DPIA extends to AI Act conformity. Same DPO, same records spine.
Open practice →Incident Response
Pre-built breach playbooks, DPA notification templates, crisis-team coordination.
Open practice →11 / GET STARTED
Start your GDPR programme.
Free initial meeting. Clear next steps. Indicative pricing within one business day.