Building a defensible privacy programme — from scratch.
How I take a B2B SaaS platform from no privacy documentation to full regulatory readiness across multiple jurisdictions.
Industry: B2B SaaS
Scope: Multi-jurisdiction
Duration: Ongoing
Role: Mandatory DPO (Art. 37)
The problem
A B2B SaaS platform operating across multiple jurisdictions had no formal privacy programme in place. Core product processing operations triggered mandatory obligations under GDPR that had not been identified or acted upon: mandatory DPO appointment and mandatory DPIA. International data transfers to non-EU subprocessors lacked any transfer mechanism documentation. The company was targeting GDPR Art. 42 (EuroPrivacy) certification as a commercial differentiator but had no certification-ready documentation.
Full DPIA programme: authored across primary and ancillary product lines, structured against the EDPB DPIA methodology.
3 SCC modules executed: C2C, C2P, and P2SP transfer flows fully documented.
Multiple jurisdictions covered: EU, UK, and non-EU regimes harmonised under one programme.
All privacy notice findings resolved: mandatory disclosure gaps, retention inconsistencies, and jurisdictional coverage remediated.
How the work unfolded
Discovery: Scoping the compliance gap
Conducted a gap assessment against GDPR, UK GDPR, and applicable non-EU privacy regimes. Identified that core product processing operations triggered mandatory DPO appointment (Art. 37(1)(b)) and mandatory DPIA (Art. 35) — mapping the relevant EDPB WP248 criteria and preparing the legal justification for both obligations.
Transfer documentation: Building the international transfer framework
Drafted and executed a full IGDTA incorporating EU SCCs (Decision 2021/914) across applicable modules (C2C, C2P, P2SP), supporting agreements for non-EU jurisdictions, and a vendor DPA suite with UK IDTA where needed. Conducted Transfer Impact Assessments under EDPB Recommendations 01/2020 and ICO guidance, assessing relevant third-country legal frameworks (FISA §702, EO 12333, CLOUD Act, IT Act §69, DPDPA 2023, and similar).
Risk assessment: Authoring DPIAs
Produced DPIAs for primary and ancillary product lines, structured against the EDPB DPIA methodology with documented risk ratings, mitigation actions, and DPO sign-off. Risks covered the full processing scope — data collection design, cross-border movement, retention, and downstream sharing.
Agreements: DPA drafting and negotiation
Drafted and negotiated Data Processing Agreements across multiple controller-processor and processor-sub-processor models. Reviewed vendor counterproposals with structured findings across critical, high, and medium priorities — covering liability caps, sub-processor notification timelines, audit rights, and breach notification chains.
Documentation: Privacy notices and compliance artefacts
Reviewed the B2B privacy notice and remediated mandatory disclosure gaps, retention period inconsistencies, and jurisdictional coverage gaps. Resolved retention misalignment across the compliance document suite, establishing a unified retention ceiling enforced through cloud infrastructure lifecycle policies.
Certification: GDPR Art. 42 certification programme
Led the EuroPrivacy certification programme — defining the Target of Evaluation, coordinating with certification consultants, and preparing all certification documentation. Populated Technical and Organisational Measures across all transfer documents, covering encryption, RBAC/MFA, multi-region cloud architecture, and DR procedures.
Key insight
The most critical discovery was identifying that a core product processing operation independently triggered two mandatory GDPR obligations that had been overlooked: the DPO appointment requirement under Art. 37(1)(b) and the mandatory DPIA under Art. 35. Without identifying these triggers upfront, the company would have proceeded to certification with unlawful processing at its core.
Have a similar challenge?
Book a free 30-minute call to talk through your specific situation.