GDPR
EU’s General Data Protection Regulation: Privacy for personal data.
- Enforced: 25 May 2018. Applicable across the EU.
- Who this affects: Organisations processing personal data in the EU, and also non-EU companies offering goods/services to people in the EU or monitoring their behaviour.
- Penalty ceiling: Up to €20M or 4% of global turnover, for severe infringements.
Obligations
Implement Risk-Appropriate Measures
Apply and maintain technical and organisational safeguards proportionate to your processing risks, ensuring they operate effectively in practice.
Maintain Records of Processing Activities (RoPA)
Keep a formal register of processing purposes, data categories, recipients, retention periods, and security measures, as required by GDPR Article 30.
Conduct Data Protection Impact Assessments (DPIAs)
Carry out and document DPIAs before launching any high-risk processing, ensuring risk mitigation is designed and implemented before go-live.
Ensure Processor & Vendor Governance
Use compliant contracts, monitor processor performance, and maintain oversight of processors and sub-processors as required by GDPR Article 28.
Embed Privacy by Design & Default
Integrate privacy safeguards into systems, processes, and products from the start, ensuring compliance is part of the design process.
Demonstrate Accountability
Keep evidence of compliance and ongoing monitoring so you can prove adherence to the law at any time.
And more
What we offer
Targeted, high-impact services that embed privacy-by-design and produce audit-ready evidence.
External Data Protection Officer (DPO)
We act as your independent DPO: advise management, monitor compliance, train staff, oversee DPIAs, liaise with authorities, and report risks with practical remediation paths.
EU Market Entry & Client Readiness
Make your business contract-ready for EU clients: lawful bases, privacy notices, transfer assessments, vendor clauses, and evidence packs that pass procurement and due-diligence reviews.
Records of Processing (RoPA) Programme
We establish your Article-30 Records of Processing Activities—what you process, why, with whom, where, retention, and security measures—and set a lightweight routine to keep it current.
DPIA — Company-Specific Assessment
A thorough, personalised DPIA for high-risk processing: scope, stakeholder interviews, risk analysis tailored to your systems and business model, mitigation design, and sign-off documentation.
Incident & Breach Readiness
Design and embed a 72-hour response playbook with roles, decision trees, and notification templates. We train teams and set up the evidence you’ll need if an incident occurs.
Retention & Deletion Operating Model
Define lawful retention by data category, implement deletion routines in systems, and set up audit logs to prove execution.
Processor & Vendor Oversight
Practical onboarding and periodic review of processors: requirement baselines, Article-28 clauses, transfer assessments, and an oversight cadence that fits your vendor landscape.
GDPR for AI Systems
Align AI features and workflows with GDPR: controller/processor role mapping, lawful bases, transparency to users, RoPA updates, DPIA triggers, and acceptable-use guidance for teams.
Why now
Active enforcement
Supervisory authorities continue to open investigations, issue orders, and levy fines; clients increasingly require evidence of controls.
Pre-launch duties
High-risk processing requires DPIA before deployment; this must be scheduled and evidenced to avoid delays and non-compliance.
Transfers scrutiny
Standard Contractual Clauses require documented transfer assessments and safeguards; partners ask for proof during due diligence.
How we work
Diagnose
Focused discovery across product features, data flows, and vendors to baseline actual practice.
Design
Co-create bespoke controls and workflows (minimisation, DPIA cadence, vendor intake, breach playbooks) aligned to your reality.
Implement & Evidence
Embed changes with your teams and produce evidence packs that stand up in audits and client reviews.
Assure
Quarterly tune-ups: RoPA updates, transfer reassessments, spot checks, and change logs that prove control over time.
Avoid fines. Protect trust. Keep your business running.
We design GDPR controls that fit your organisation and generate evidence you can stand behind.
Talk to us