GDPR, where it actually matters.
GDPR applies to U.S. companies handling EU residents' data — and the penalties are material. We help you understand what applies, build the operating program, and respond to subject requests and breach obligations.
- Scope: EU / UK personal data
- Engagement: Implement + operate
- Subject requests: Workflow built
- Breach SLA: 72 hours
What's included
Applicability analysis
Where GDPR applies to your business and where it doesn't. Many companies over-scope.
Data mapping & ROPA
Record of Processing Activities built and maintained.
DPIA where required
Data Protection Impact Assessment for high-risk processing.
Controller / processor terms
Data Processing Agreements with your customers, vendors, and sub-processors.
Subject-request workflow
Access, deletion, portability, restriction — workflow built and SLA-managed.
Breach-notification workflow
72-hour notification workflow with documentation requirements.
Engagement lifecycle
- 01 Weeks 1–3
Scope + map
Applicability analysis, data mapping, ROPA built.
- 02 Months 1–3
Controls + agreements
Controls implemented; DPAs negotiated with customers and vendors.
- 03 Months 3–4
Workflows
Subject-request and breach-notification workflows tested.
- 04 Ongoing
Operate + refresh
Quarterly refresh; ad-hoc on material change.
What you walk away with
- Defensible applicability narrative
- Current ROPA and DPIAs where required
- DPA library negotiated with key counterparties
- Subject-request workflow operating within SLAs
- 72-hour breach-notification workflow tested
- EU / UK enterprise procurement eligibility