Framework readiness

GDPR Readiness

The EU General Data Protection Regulation (GDPR) governs how the personal data of people in the EU is handled, and it applies to companies outside the EU that serve EU residents. The penalties are real: up to €20 million or 4% of global annual turnover, whichever is higher. We get your data handling, contracts, and processes into shape so GDPR stops being a deal-blocker.

Book a discovery call See pricing & SKUs

Built for teams that...

  • SaaS and tech companies with EU users, customers, or website visitors
  • North American startups expanding into Europe who need to show GDPR compliance
  • Teams facing GDPR questions in enterprise security and privacy reviews
  • Companies that process personal data but have never mapped where it lives

What we do

  • Data mapping and records of processing to establish what data you hold and why
  • Lawful basis analysis for each processing activity
  • Data Processing Agreement (DPA) review and sub-processor management
  • Data Subject Access Request (DSAR) process design so you can respond in time
  • Breach notification procedures aligned to GDPR’s 72-hour reporting expectation
  • Privacy notice and consent review, plus a prioritized remediation plan

What you walk away with

You end up knowing exactly what personal data you process, on what lawful basis, and with the contracts and procedures to handle DSARs and breaches properly. That turns GDPR from an open-ended liability into a documented program you can point to in sales and vendor reviews.

Explore related work

Frequently asked questions

Does GDPR apply to a company outside the EU?

Yes, it can. GDPR applies if you offer goods or services to people in the EU or monitor their behaviour, regardless of where your company is based. Many North American SaaS companies are in scope simply because they have EU users.

What are the GDPR penalties?

The most serious infringements can draw fines of up to 20 million euros or 4% of a company’s total worldwide annual turnover for the preceding year, whichever is higher. That structure is why GDPR gets board-level attention.

What is a DSAR?

A Data Subject Access Request is a request from an individual to access, correct, or delete the personal data you hold about them. GDPR gives people these rights and sets time limits to respond, so you need a repeatable process to handle them.

How does GDPR relate to Canada’s PIPEDA?

Both are privacy laws with overlapping principles like lawful processing, consent, and breach handling, but they are separate regimes with different obligations. If you serve both EU and Canadian users, we align the two so you are not building privacy twice.

GDPR Readiness, on your timeline

Book a free 30-minute call. We’ll tell you whether it fits, what it costs, and when we can start.

Book a call