GDPR · UK GDPR

A privacy program that will hold up.

Lawful basis, records of processing, data protection impact assessments, cross-border transfer mechanisms, and — where required — an outsourced Data Protection Officer function. Written for supervisory authority scrutiny, not for a landing page.

01 — Overview

GDPR compliance is a function, not a project. It requires a durable Article 30 record of processing activities, defensible lawful bases, working data subject rights procedures, and — critically — the ability to demonstrate accountability under Article 5(2) whenever a regulator asks.

Cyber Inspect operates as your privacy office. We build the artefacts, embed the processes, and — for clients requiring one — provide a named Data Protection Officer under Article 37. Our practice is led by IAPP Fellows with regulator-side experience across the EU and UK.

Where our clients face supervisory authority investigation, we sit at the table. That is the standard we work to.

02 — Engagement

Our approach.

  1. I

    Data mapping & ROPA

    A full inventory of personal data, categories of data subjects, processing purposes, recipients, and retention — populated into a Records of Processing Activities register.

  2. II

    Lawful basis & legitimate interests assessments

    A defensible lawful basis for every processing purpose, with LIAs where legitimate interests is claimed.

  3. III

    Data subject rights operationalisation

    Working DSAR, erasure, portability, objection, and rectification workflows — with the SLAs GDPR mandates.

  4. IV

    Cross-border transfer mechanisms

    SCCs, UK IDTAs, transfer risk assessments post-Schrems II, and BCRs where scale justifies them.

  5. V

    DPIAs & Article 35 discipline

    Data Protection Impact Assessments for the processing that requires one, embedded into your product and procurement lifecycles.

  6. VI

    DPO function

    An outsourced or fractional Data Protection Officer where Article 37 requires one, or where the board wants independent privacy oversight.

03 — Deliverables

What you receive.

  • Records of Processing Activities register (Article 30)
  • Lawful basis register and Legitimate Interests Assessments
  • Privacy notices for data subjects, employees, and candidates
  • Data subject rights procedures with regulatory-grade SLAs
  • DPIA methodology and template with worked examples
  • Transfer risk assessments and SCC / UK IDTA library
  • Vendor / processor due diligence and Article 28 contract library
  • Breach response procedure aligned to the seventy-two hour clock
  • Outsourced DPO appointment letter and register (where retained)

04 — Timeline

Expected duration.

Ten to sixteen weeks for a first-time program. Multinational groups with existing privacy footprints in APAC or the Americas usually require an additional discovery phase to reconcile competing regimes.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

Do we need to appoint a Data Protection Officer?+

A DPO is mandatory under Article 37 where you are a public authority, your core activities involve large-scale systematic monitoring, or you process special categories at scale. We help you determine whether appointment is required and — where it is — provide an outsourced DPO function.

How does GDPR interact with US state privacy laws?+

GDPR-aligned programs typically satisfy the substantive requirements of CCPA/CPRA, VCDPA, CPA and similar state laws — but the notice, opt-out mechanics, and Sale/Sharing definitions differ. We overlay a US state-law layer onto your GDPR base.

What about international data transfers to the US?+

Post-Schrems II, transfers require an appropriate mechanism plus a documented Transfer Risk Assessment. We use SCCs, the UK IDTA, or the EU–US Data Privacy Framework as appropriate, with TIAs to support each.

We had a breach — what do we do now?+

Call the incident response line immediately. GDPR requires notification to the supervisory authority within seventy-two hours of becoming aware. We support notification, communication to data subjects, and — where required — engagement with the ICO or lead supervisory authority.