Services
What I can help you with.
Every engagement is scoped to your specific situation. No generic templates, no checkbox compliance. Below is a breakdown of what I do and how it typically works.
01
GDPR Article 42 Certification
EuroPrivacy certification from end to end.
Leading a GDPR Art. 42 certification programme means far more than filling in a checklist. I manage the full lifecycle — defining the Target of Evaluation, scoping the certification perimeter, preparing all certification documentation, coordinating with certification consultants and auditors, and ensuring your product meets the standard across every applicable jurisdiction.
Deliverables
- Target of Evaluation definition
- Certification scope documentation
- Pre-audit gap assessment
- Auditor liaison and evidence packs
- Post-certification maintenance plan
Best suited for
B2B SaaS platforms seeking market differentiation through certified GDPR compliance.
02
DPIA & Transfer Impact Assessments
Risk-based assessments that stand up to regulatory review.
I conduct Article 35 DPIAs and Transfer Impact Assessments grounded in EDPB Recommendations 01/2020 (EU TIA) and ICO guidance (UK TRA). This includes assessing third-country legal frameworks — US (FISA §702, EO 12333, CLOUD Act), India (IT Act §69, DPDPA 2023), and others — with documented supplementary measures where needed.
Deliverables
- Full DPIA report (risks, mitigating actions, DPO sign-off)
- EU TIA under EDPB 6-step methodology
- UK Transfer Risk Assessment (ICO guidance)
- Supplementary measures documentation
- Legitimate Interest Assessments (LIAs)
Best suited for
Platforms processing sensitive data, using geofencing/tracking, or transferring data outside the EEA/UK.
03
International Data Transfer Documentation
Transfer documentation that covers every route and module.
International transfers require precision — the wrong module, a missing docking clause, or an unaddressed transfer route creates real regulatory exposure. I draft and negotiate the full documentation suite: IGDTA incorporating EU SCCs (Decision 2021/914) across all applicable modules (C2C, C2P, P2SP), UK IDTA, India Accession Agreements, and third-party DPAs.
Deliverables
- EU SCCs (Decision 2021/914) — correct module selection
- UK IDTA and Addendum
- India Accession Agreement (Docking Clause)
- Integrated Global Data Transfer Agreement (IGDTA)
- Supplementary measures and TOM annexes
Best suited for
Companies with EU→US, UK→US, EU→India, or similar international transfer routes.
04
Fractional DPO Services
DPO expertise without the full-time headcount.
As a mandatory DPO under Art. 37(1)(b) GDPR, I understand what the role actually requires. For companies that need a qualified DPO but aren't ready for a full-time hire, I provide fractional DPO services — from formal appointment and regulatory correspondence to ongoing programme oversight and staff guidance.
Deliverables
- Formal DPO appointment documentation
- DPO mandate and terms of reference
- Regulatory correspondence (ICO, DPA authorities)
- Ongoing compliance oversight and reporting
- Staff awareness and guidance
Best suited for
Scale-ups, SaaS companies, and SMEs who need a qualified DPO under Art. 37 or as a strategic governance measure.
05
Privacy Operations & DSAR Management
High-volume privacy ops that actually hit SLAs.
Privacy operations break down in practice when intake is unclear, SLAs aren't tracked, and handoffs between teams aren't documented. I design and implement DSAR programmes that scale — from intake triage and identity verification through to response drafting, SLA tracking, and backlog clearance.
Deliverables
- DSAR intake and triage process design
- SLA/KPI framework and tracking dashboards
- Response templates and guidance
- SOP documentation
- Backlog reduction programme
Best suited for
B2C and B2B platforms experiencing DSAR volume, ICO complaints, or compliance audit pressure.
06
Privacy by Design & Privacy Engineering
Privacy embedded where it matters — in the product.
Privacy by design isn't a box to tick at the end of a sprint. I work cross-functionally with Product, Engineering, and Support teams to embed privacy controls into the development lifecycle — data flow mapping, data minimisation reviews, geofencing analysis, and privacy-aware feature design.
Deliverables
- Data flow mapping and inventory
- Privacy review for new features (pre-build)
- Data minimisation and retention recommendations
- Privacy notice drafting and review (Art. 13/14)
- ROPA development and maintenance
Best suited for
Product and engineering teams building or scaling data-intensive features.
07
Compliance Artefacts & Policy Review
Documentation that closes gaps, not just fills pages.
Compliance documentation is only useful if it reflects actual practice and covers every legal requirement. I draft, review, and remediate privacy notices, cookie policies, retention schedules, ROPAs, and DPAs — identifying gaps against GDPR, UK GDPR, CCPA, and HIPAA with specific, actionable findings.
Deliverables
- Privacy notice review and drafting (Art. 13/14 compliance)
- Cookie policy review and remediation
- Retention schedule development
- ROPA (Record of Processing Activities)
- Art. 28 DPA drafting and negotiation
Best suited for
Companies preparing for audits, certification, or responding to regulatory enquiries.
08
EU AI Act Compliance
AI governance that satisfies regulators, not just legal.
The EU AI Act is in force. GPAI model providers and high-risk AI system operators face real obligations — including conformity assessments, technical documentation, and transparency requirements. I map your AI systems against the Act's risk classification framework, identify applicable obligations, and build the documentation and governance structures you need.
Deliverables
- AI system inventory and risk classification
- Fundamental rights impact assessment (FRIA) for high-risk systems
- Technical documentation under Annex IV
- GPAI model transparency and copyright obligations
- AI governance policy and internal oversight structure
Best suited for
SaaS platforms deploying AI features into EU markets, GPAI model providers, and companies with high-risk AI system obligations.
Not sure which service fits?
Book a free 30-min call. We'll talk through your situation and I'll tell you honestly what you need — even if it's not something I offer.