We turn data protection from a paperwork exercise into a defensible, audit-ready programme: GDPR and LOPD-GDD gap analysis, records of processing, impact assessments, data-subject rights and DPO support — including the new AI Act obligations for companies using artificial intelligence.
GDPR fines reach the higher of €20M or 4% of global annual turnover, and from August 2026 the EU AI Act stacks on top for companies that process personal data with artificial intelligence. Most organisations are unsure where their gaps are — until a complaint, a subject-access request or an audit forces the issue.
An out-of-date or non-existent record of processing activities that you could never produce for a regulator's inspection.
Processor agreements and international transfers without the right safeguards in place after Schrems II.
Data-subject requests (access, erasure, portability) handled manually and missing the one-month deadline.
AI and analytics projects launched with no impact assessment (DPIA) and no documented legal basis.
From the first gap analysis to ongoing DPO support, we cover every GDPR and LOPD-GDD obligation that applies to your company — and bridge them to the EU AI Act where you use artificial intelligence.
An audit of your compliance status against the GDPR and LOPD-GDD: processing activities, legal bases, consents, cookie policy and security measures. Output prioritised by risk.
We build and maintain your Article 30 record, privacy notices, consent management and processor agreements.
We run DPIAs for high-risk processing: profiling, video surveillance, special-category data and AI systems, in line with Article 35.
Outsourced DPO or support to your in-house DPO: point of contact with the supervisory authority, complaint handling, staff training and ongoing oversight.
Procedures to handle access, rectification, erasure and portability on time, plus a 72-hour breach-notification protocol.
For companies using artificial intelligence: we bridge your GDPR DPIA to the AI Act's Fundamental Rights Impact Assessment (FRIA), data governance and documentation.
The figures that define the stakes — straight from the regulations, not from us.
€20M / 4%
Maximum GDPR fine for the most serious infringements (€20M or 4% of global annual turnover, whichever is higher)
Source: GDPR (Regulation (EU) 2016/679), Art. 83
72h
Window to notify the supervisory authority of a personal-data breach
Source: GDPR (Regulation (EU) 2016/679), Art. 33
€55M
Combined exposure when a GDPR infringement stacks with the EU AI Act for AI that processes personal data (from 2 August 2026)
Source: GDPR + EU AI Act (Regulation (EU) 2024/1689), cumulative penalties
A structured programme — diagnose, document, remediate and maintain — that leaves you audit-ready, not just papered over.
We inventory every personal-data processing activity, its legal basis and data flows, and measure your gaps against the GDPR and LOPD-GDD.
We produce the record of activities, privacy notices, processor agreements and the internal policies you are required to hold.
We run the DPIAs needed for high-risk processing, including your artificial intelligence projects.
We implement the technical and organisational measures, the rights procedures and the 72-hour breach protocol.
Ongoing support as an outsourced DPO or backing your in-house DPO, with periodic reviews and team training.
It depends on the number and complexity of your processing activities. We always start with a gap-analysis diagnostic that gives you a fixed scope and budget before you commit to anything, so you know exactly what you need — and what you don't.
A DPO is mandatory if your core activities involve large-scale systematic monitoring or large-scale processing of special-category data, as well as for public authorities. We assess your case and, if you need one, we can act as your outsourced DPO.
Generic templates do not reflect your actual processing and will not survive a regulator's inspection. Our work starts from your real data flows and leaves you with defensible documentation, not just filled-in forms.
If you process personal data with AI, both frameworks usually apply. We connect your GDPR DPIA with the EU AI Act's Fundamental Rights Impact Assessment (FRIA), whose high-risk obligations are fully enforceable from 2 August 2026.
An initial diagnostic is delivered within a few weeks. Documentation and remediation for a mid-sized company typically take one to three months depending on scope; high-risk processing requiring DPIAs takes longer.
Get a free data protection diagnostic: we map your processing activities, surface your GDPR and LOPD-GDD gaps and outline a realistic action plan.
Request free diagnostic
No commitment — a clear read on your data protection exposure.