GDPR · UK GDPR
Lawful basis, records of processing, data protection impact assessments, cross-border transfer mechanisms, and — where required — an outsourced Data Protection Officer function. Written for supervisory authority scrutiny, not for a landing page.
01 — Overview
GDPR compliance is a function, not a project. It requires a durable Article 30 record of processing activities, defensible lawful bases, working data subject rights procedures, and — critically — the ability to demonstrate accountability under Article 5(2) whenever a regulator asks.
Cyber Inspect operates as your privacy office. We build the artefacts, embed the processes, and — for clients requiring one — provide a named Data Protection Officer under Article 37. Our practice is led by IAPP Fellows with regulator-side experience across the EU and UK.
Where our clients face supervisory authority investigation, we sit at the table. That is the standard we work to.
02 — Engagement
A full inventory of personal data, categories of data subjects, processing purposes, recipients, and retention — populated into a Records of Processing Activities register.
A defensible lawful basis for every processing purpose, with LIAs where legitimate interests is claimed.
Working DSAR, erasure, portability, objection, and rectification workflows — with the SLAs GDPR mandates.
SCCs, UK IDTAs, transfer risk assessments post-Schrems II, and BCRs where scale justifies them.
Data Protection Impact Assessments for the processing that requires one, embedded into your product and procurement lifecycles.
An outsourced or fractional Data Protection Officer where Article 37 requires one, or where the board wants independent privacy oversight.
03 — Deliverables
04 — Timeline
Ten to sixteen weeks for a first-time program. Multinational groups with existing privacy footprints in APAC or the Americas usually require an additional discovery phase to reconcile competing regimes.
Ready to begin?
A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.
Schedule the call →05 — FAQ
A DPO is mandatory under Article 37 where you are a public authority, your core activities involve large-scale systematic monitoring, or you process special categories at scale. We help you determine whether appointment is required and — where it is — provide an outsourced DPO function.
GDPR-aligned programs typically satisfy the substantive requirements of CCPA/CPRA, VCDPA, CPA and similar state laws — but the notice, opt-out mechanics, and Sale/Sharing definitions differ. We overlay a US state-law layer onto your GDPR base.
Post-Schrems II, transfers require an appropriate mechanism plus a documented Transfer Risk Assessment. We use SCCs, the UK IDTA, or the EU–US Data Privacy Framework as appropriate, with TIAs to support each.
Call the incident response line immediately. GDPR requires notification to the supervisory authority within seventy-two hours of becoming aware. We support notification, communication to data subjects, and — where required — engagement with the ICO or lead supervisory authority.