Compliance Framework

GDPR compliance for US-based technology companies with European customers.

GDPR applies to every company that processes personal data from EU and UK residents — regardless of where the company is headquartered. We build your GDPR compliance programme: data mapping, lawful basis documentation, DPA templates, and the privacy infrastructure your European enterprise buyers require.

Timeline

8–14 weeks depending on data processing complexity

What you get

Data mapping · ROPA · DPA template · Privacy notices · Lawful basis documentation

Assigned to

Senior advisor with EU/UK market experience

First pass rate

Any company processing EU or UK personal data

Pricing

Fixed fee — agreed upfront

What is it

What is GDPR and does it apply to your company?

The General Data Protection Regulation (GDPR) is European Union law that governs the collection, processing, storage, and transfer of personal data from EU and UK residents. The UK retained substantially equivalent legislation — UK GDPR — following Brexit. Unlike most regulatory frameworks that apply based on where a company is incorporated, GDPR applies based on where the data subjects are located: if you process personal data from EU or UK residents, GDPR applies to your company regardless of whether you are based in New York, San Francisco, or Austin.
GDPR establishes six lawful bases for processing personal data, specific rights for data subjects (access, portability, erasure, restriction), requirements for Data Processing Agreements with processors who handle personal data on your behalf, rules governing international data transfers from the EU to third countries (including the US), and mandatory breach notification timelines. Non-compliance carries fines of up to €20 million or 4% of global annual turnover — whichever is higher.
For enterprise buyers in the EU and UK, GDPR compliance is not an optional supplier criterion — it is a legal requirement. Before signing a Data Processing Agreement (DPA) with you, their legal and procurement teams will review your privacy programme, your data mapping documentation, your international transfer mechanisms, and your security measures. A compliant GDPR programme is the prerequisite for European enterprise sales — not something to build after the contract is signed.

Why Clients Choose Us

The five components every GDPR compliance program requires.

Data mapping and Records of Processing Activities (ROPA)

Article 30 of GDPR requires organisations to maintain a Record of Processing Activities — a documented inventory of every data processing activity, including what data is collected, the lawful basis for processing, how long it is retained, who it is shared with, and what security measures protect it. Data mapping is both a GDPR compliance requirement and the foundation of your entire privacy programme. We map every data flow in your environment and produce a ROPA that satisfies regulatory requirements and enterprise buyer due diligence.

Lawful basis documentation

GDPR requires a documented lawful basis for every data processing activity. The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most B2B SaaS companies, the primary lawful bases are contract (processing necessary to perform a contract) and legitimate interests. We document your lawful basis for every processing activity in your ROPA and prepare the legitimate interests assessments required to rely on that basis.

Data Processing Agreements (DPAs)

When you process personal data on behalf of an EU or UK customer, you are acting as a data processor and are required to sign a Data Processing Agreement. When you engage sub-processors who handle EU personal data, you must have DPAs with them. We prepare your standard DPA template, review DPAs presented to you by customers, and build your sub-processor management programme — so you can respond to DPA requests quickly and with documents that meet regulatory requirements.

Privacy notices and data subject rights

GDPR requires clear privacy notices that disclose how personal data is collected and used. It also requires procedures for handling data subject rights requests — access, rectification, erasure, restriction, portability, and objection. We produce your privacy notice, cookie notice, and data subject rights procedures — and build the operational workflow for handling requests within the required 30-day timeframe.

Has a European enterprise buyer sent you a DPA to sign or a data processing questionnaire to complete?

Send us the DPA or questionnaire. We will review it and tell you exactly what it requires, whether you can comply today, and what the fastest path to a compliant programme looks like — at no cost, no obligation.

Our Process

From gap assessment to SOC 2 certified — in a straight line.

Week 1–2
Data Mapping & Processing Inventory

We map every personal data flow in your environment — what data is collected, from whom, for what purpose, where it is stored, who has access to it, how long it is retained, and who it is shared with. We produce your initial Records of Processing Activities (ROPA) and identify every processing activity that requires a documented lawful basis, a DPA, or an international transfer mechanism.

Weeks 3–5
Lawful Basis Documentation & Gap Assessment

We document the lawful basis for every processing activity in your ROPA and prepare any Legitimate Interests Assessments required. We conduct a gap assessment against GDPR's Article 32 security requirements, your data subject rights procedures, and your international transfer obligations — producing a prioritised remediation roadmap for every gap identified.

Weeks 5–9
Documentation & Controls Implementation

We produce your DPA template, privacy notice, cookie notice, data subject rights procedure, and data retention policy. We implement Article 32 security measures where gaps exist and build your data subject rights request handling workflow. We assess your international transfer flows and implement Standard Contractual Clauses or EU-US Data Privacy Framework participation documentation as required.

Weeks 9–11
Sub-Processor Management & Third-Party Review

We map your sub-processors — the vendors and tools that process EU personal data on your behalf — and ensure appropriate DPAs and transfer mechanisms are in place for each. Sub-processor management is one of the most common gaps in B2B SaaS GDPR programmes and one of the areas European enterprise buyers scrutinise most closely during due diligence.

Ongoing
Ongoing Compliance & Programme Maintenance

GDPR compliance is not a one-time project. As your product evolves, new processing activities are introduced, new sub-processors are engaged, and existing documentation requires updating. We maintain your GDPR programme — reviewing and updating your ROPA annually, preparing DPA responses for new enterprise customers, and monitoring regulatory guidance from EU and UK data protection authorities.

TYPE COMPARISON

GDPR standalone vs. GDPR + SOC 2 or ISO 27001 combined.

GDPR standalone

A standalone GDPR programme is appropriate for companies whose primary immediate compliance obligation is European data protection law — for example, a US company that has signed its first EU enterprise contract and needs DPA documentation and a compliant privacy programme in place before the relationship deepens. We complete your data mapping, lawful basis documentation, DPA template, privacy notices, and transfer mechanisms as a standalone programme.

GDPR + ISO 27001 (recommended for EU market entry)

European enterprise buyers typically require both GDPR compliance documentation and ISO 27001 certification for technology vendors processing significant volumes of personal data. GDPR's security requirements under Article 32 align closely with ISO 27001 control areas — we build both programmes simultaneously, using shared security controls to satisfy both GDPR's Article 32 requirements and ISO 27001's Annex A control set. A combined programme is typically 30–40% more efficient than two sequential engagements.

GDPR + SOC 2 + ISO 27001 (full international stack)

For US-based companies with both North American and European enterprise customers, the full compliance stack — SOC 2 for US buyers, ISO 27001 for European buyers, and GDPR for data protection compliance — is the complete international coverage. We build all three on a single coordinated programme timeline, using shared controls across all frameworks and delivering the complete compliance portfolio your global enterprise customers require.

FAQs

Common questions about GDPR for US-based technology companies.

If your question is not here, just email us — we will give you a straight answer.

Yes. GDPR applies to any company that processes personal data from EU or UK residents — regardless of where the company is incorporated or headquartered. If you have EU or UK customers, if your website is accessible to EU residents and you collect personal data (including cookies) from those visitors, or if you have EU employees, GDPR applies to your company.

A Data Processing Agreement (DPA) is a legally required contract between a GDPR data controller (your enterprise customer) and a data processor (you) that sets out the terms under which personal data is processed. EU and UK enterprise buyers are legally required to have a DPA with every vendor that processes personal data on their behalf. A DPA that does not meet GDPR's Article 28 requirements — or no DPA at all — exposes both parties to regulatory risk.

Standard Contractual Clauses (SCCs) are model data protection clauses approved by the European Commission that can be used to enable the transfer of personal data from the EU to third countries (like the US) that do not have an adequacy decision. SCCs are the primary mechanism used to legitimise EU-to-US data transfers for most technology companies. They must be incorporated into your DPA or signed as a standalone agreement with EU customers.

A Data Protection Officer (DPO) is required under GDPR only in specific circumstances: if you are a public authority, if your core activities require large-scale systematic monitoring of individuals, or if your core activities involve large-scale processing of special category data (health data, biometric data, etc.). Most B2B SaaS companies do not require a DPO. We will assess your processing activities and tell you definitively whether a DPO is required for your specific situation.

GDPR fines are tiered: less serious violations (such as not having appropriate records of processing) can be fined up to €10 million or 2% of global annual turnover. More serious violations (such as breaches of the lawful basis principles or international transfer rules) can be fined up to €20 million or 4% of global annual turnover — whichever is higher. In practice, significant fines have been imposed on companies of all sizes for a wide range of violations, including inadequate security measures, unlawful international transfers, and failure to respond to data subject access requests.

Get Started

Build the GDPR programme your European buyers require.

Book a free 30-minute consultation. A senior advisor will review your data flows and tell you exactly what GDPR compliance requires for your specific business — and the fastest path to documentation your European enterprise buyers will accept.

Related Services

The natural next steps after your gap assessment.

FRAMEWORK

ISO 27001

European enterprise buyers typically require ISO 27001 in addition to GDPR compliance. We build both programmes simultaneously, using GDPR's Article 32 security requirements and ISO 27001 controls as a shared framework.

Advisory Service

SOC 2 Gap Assessment

For companies building toward a combined SOC 2 + ISO 27001 + GDPR programme, a gap assessment covering all three frameworks simultaneously gives you a single prioritised roadmap.

SOC 2 for Fintech

Financial services companies with European operations need GDPR alongside SOC 2 and ISO 27001. We build the full international compliance stack for fintech companies on a single coordinated timeline.