Abhishek Bansiwal
Anonymised — shared with permission

From 0 to GDPR Art. 42 certification-ready, across 5 jurisdictions.

How I took a B2B SaaS platform from no privacy documentation to full GDPR certification readiness in a multi-jurisdiction, high-risk processing environment.

Industry: Automotive / SaaS
Scope: 5 jurisdictions
Duration: Ongoing
Role: Mandatory DPO (Art. 37)

The problem

A B2B SaaS platform operating across the US, Canada, UK, EU, and Australia had no formal privacy programme in place. The platform's geofencing functionality triggered mandatory obligations under GDPR that had not been identified or acted upon: mandatory DPO appointment and mandatory DPIA. International data transfers to US and Indian subprocessors lacked any transfer mechanism documentation. The company was targeting GDPR Art. 42 (EuroPrivacy) certification as a commercial differentiator but had no certification-ready documentation.

2 DPIAs authored: core SaaS platform (geofencing + GPS) and subsidiary analytics platform
3 SCC modules executed: C2C, C2P, P2SP across EU→US and EU→India transfer routes
5 jurisdictions covered: EU, UK, US, Canada, Australia
15 privacy notice findings: mandatory GDPR gaps, retention inconsistencies, missing jurisdictional coverage resolved

How the work unfolded

1. Discovery: Scoping the compliance gap

Conducted a gap assessment against GDPR, UK GDPR, CCPA, and Australian privacy requirements. Identified that the platform's geofencing operations triggered mandatory DPO appointment (Art. 37(1)(b): core activities consisting of regular and systematic monitoring of data subjects on a large scale) and a mandatory DPIA (Art. 35). The processing met five of the nine EDPB WP248 screening criteria, where two or more generally indicate that a DPIA is required, and the legal justification for both obligations was prepared on that basis.

2. Transfer documentation: Building the international transfer framework

Drafted and executed a full intra-group data transfer agreement (IGDTA) incorporating the EU SCCs (Decision 2021/914) across three modules (Module 1 C2C, Module 2 C2P, Module 3 P2SP), an India Accession Agreement using the Clause 7 docking clause, and a vendor DPA incorporating the UK IDTA, together covering the EU→US, EU→India, and UK→US transfer routes. Conducted Transfer Impact Assessments under EDPB Recommendations 01/2020 and ICO guidance, assessing the US legal framework (FISA §702, EO 12333, CLOUD Act) and the Indian legal framework (IT Act §69, DPDPA 2023).

3. Risk assessment: Authoring two DPIAs

Produced DPIAs for the core SaaS platform (10 identified risks, 7 actions, covering geofencing, GPS data processing, and international transfers) and the subsidiary analytics platform (8 risks, 7 actions, covering cross-border data residency requirements and cross-customer data aggregation). Each DPIA was structured against the EDPB DPIA methodology, with documented risk ratings and accountability for each mitigation.

4. Agreements: DPA drafting and negotiation

Drafted and negotiated Data Processing Agreements across three models: C2P, P2SP, and a dual-part DPA for the analytics platform. Reviewed a vendor counterproposal and raised 14 findings across critical, high, and medium priorities, covering liability caps, sub-processor notification timelines, audit rights, and breach notification chains (the Art. 28(3) processor terms and the processor-to-controller notification duty in Art. 33(2)).

5. Documentation: Privacy notices and compliance artefacts

Reviewed the B2B Privacy Notice and raised 15 findings, including mandatory GDPR disclosure gaps (Art. 13 and 14), retention period inconsistencies, and missing jurisdictional coverage across EU, UK, US, and Australian requirements. Resolved retention period misalignment across five compliance documents by establishing a single retention ceiling, enforced through cloud infrastructure lifecycle policies so that the period stated in the documents is the one the storage layer actually applies.
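A documented retention ceiling only holds if every storage rule stays under it. As an added example (not code from this page or from the engagement it describes), the Python script below audits a set of bucket lifecycle configurations against such a ceiling and flags the three ways a ceiling silently fails: a rule that expires objects later than the ceiling, a disabled rule, and prefix-scoped rules that leave objects outside those prefixes with no expiry at all. It assumes the AWS S3 lifecycle JSON shape returned by `aws s3api get-bucket-lifecycle-configuration` (the page does not name the provider), and the 730-day ceiling, bucket names and rules are constructed for illustration.

```python
"""Retention-ceiling check over S3-style bucket lifecycle configurations.

Added example. Assumes the lifecycle JSON shape returned by
`aws s3api get-bucket-lifecycle-configuration`; the ceiling value and the
bucket configurations below are constructed for illustration.
"""
from dataclasses import dataclass

RETENTION_CEILING_DAYS = 730  # hypothetical ceiling agreed across the compliance documents


@dataclass(frozen=True)
class Finding:
    bucket: str
    rule_id: str
    severity: str  # "critical" | "high" | "medium"
    message: str


def _is_catch_all(rule: dict) -> bool:
    """True when the rule applies to every object in the bucket.

    Modern rules carry a Filter: an empty Filter, or an empty Prefix with no
    Tag/And/size conditions, matches everything. Legacy rules carry a
    top-level Prefix instead, where "" likewise means everything.
    """
    if "Filter" not in rule:
        return rule.get("Prefix", "") == ""
    filt = rule["Filter"] or {}
    return set(filt) <= {"Prefix"} and filt.get("Prefix", "") == ""


def check_lifecycle(bucket: str, config: dict,
                    ceiling_days: int = RETENTION_CEILING_DAYS,
                    versioned: bool = False) -> list[Finding]:
    """Return findings for one bucket; an empty list means the ceiling holds."""
    findings: list[Finding] = []
    catch_all_bounded = False

    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<unnamed>")
        if rule.get("Status") != "Enabled":
            findings.append(Finding(bucket, rid, "high",
                                    "rule is disabled and enforces nothing"))
            continue

        # Only a rolling Expiration.Days is a ceiling; a fixed Expiration.Date
        # or no Expiration at all leaves current versions unbounded.
        days = rule.get("Expiration", {}).get("Days")
        if days is None:
            findings.append(Finding(bucket, rid, "medium",
                                    "no Expiration.Days, so current versions never expire under this rule"))
        elif days > ceiling_days:
            findings.append(Finding(bucket, rid, "critical",
                                    f"Expiration.Days={days} exceeds the {ceiling_days}-day ceiling"))
        elif _is_catch_all(rule):
            catch_all_bounded = True

        # On a versioned bucket, expiring the current version only writes a
        # delete marker; the old bytes persist until noncurrent versions expire.
        nc_days = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if versioned and nc_days is None:
            findings.append(Finding(bucket, rid, "high",
                                    "versioned bucket without NoncurrentVersionExpiration: prior versions are retained indefinitely"))
        elif nc_days is not None and nc_days > ceiling_days:
            findings.append(Finding(bucket, rid, "critical",
                                    f"NoncurrentDays={nc_days} exceeds the {ceiling_days}-day ceiling"))

    if not catch_all_bounded:
        findings.append(Finding(bucket, "-", "high",
                                "no enabled catch-all rule within the ceiling: objects outside the filtered prefixes are retained indefinitely"))
    return findings


# Constructed sample configurations (hypothetical buckets, not real ones).
SAMPLE_BUCKETS = {
    "platform-telemetry-eu": {
        "versioned": True,
        "config": {"Rules": [
            {"ID": "ceiling-all-objects", "Status": "Enabled", "Filter": {},
             "Expiration": {"Days": 730},
             "NoncurrentVersionExpiration": {"NoncurrentDays": 30}},
        ]},
    },
    "analytics-exports": {
        "versioned": False,
        "config": {"Rules": [
            {"ID": "logs-only", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
             "Expiration": {"Days": 365}},
            {"ID": "gps-traces", "Status": "Enabled", "Filter": {"Prefix": "gps/"},
             "Expiration": {"Days": 1095}},
            {"ID": "old-catch-all", "Status": "Disabled", "Filter": {},
             "Expiration": {"Days": 730}},
        ]},
    },
}


def audit(buckets: dict) -> dict[str, list[Finding]]:
    """Run check_lifecycle over every bucket and return findings per bucket."""
    return {name: check_lifecycle(name, b["config"], versioned=b["versioned"])
            for name, b in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  [{f.severity}] {f.rule_id}: {f.message}")
```

The `versioned` flag is passed in because a lifecycle configuration does not say whether versioning is on; in practice it comes from a separate `get-bucket-versioning` call, and forgetting that distinction is the most common way a bucket that looks compliant on paper keeps years of prior object versions.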

6. Certification: GDPR Art. 42 certification programme

Led the EuroPrivacy certification programme for the core platform, defining the Target of Evaluation, coordinating with certification consultants, and preparing all certification documentation across five jurisdictions. Populated the Technical and Organisational Measures (SCC Annex II) across all transfer documents, covering 14 security categories including encryption, RBAC/MFA, multi-region cloud architecture, and DR procedures.

Key insight

The most critical discovery was that geofencing, a core feature of the platform, independently triggered two mandatory GDPR obligations that had been overlooked: the DPO appointment requirement under Art. 37(1)(b) and the mandatory DPIA under Art. 35. Without identifying these triggers upfront, the company would have proceeded to certification with two unmet obligations (both fineable under Art. 83(4)(a)) at the core of the very processing it was asking to have certified.
