How We Work

The Qala Methodology

Four phases. Measurable outcomes. No guesswork. A repeatable process designed so that compliance becomes an operational capability, not a one-time project.

01

Assess

Establish a clear, documented picture of your current data landscape — what data you process, where it lives, how it moves, and what compliance obligations apply to it.

Typical Duration: 2–4 weeks
Your Involvement: Data team lead, DPO or legal representative, key system owners
Inputs Required: System inventory, existing ROPA (if any), data flow diagrams, current policies
  • Data inventory — systems, categories, volumes, sensitivity levels
  • Gap analysis report — GDPR and FADP obligations vs. current state
  • Risk register — prioritised by likelihood and regulatory consequence
  • Remediation roadmap — sequenced, resourced, with effort estimates
02

Map

Produce accurate, maintainable documentation of your data flows, legal bases, processing activities, and processor relationships — the foundation of a defensible compliance posture.

Typical Duration: 3–6 weeks
Your Involvement: Data architects, product leads for each processing activity, procurement (for processors)
Tools Referenced: Open-source lineage tooling, metadata catalog (vendor-neutral guidance)
  • Records of Processing Activities (ROPA) — Art. 30-compliant, technically grounded
  • Data flow diagrams — source-to-destination with transformation points annotated
  • Lawful basis register — purpose, basis, data subject category, retention
  • Processor inventory — DPA status, SCCs, sub-processor list
03

Remediate

Address identified gaps through a prioritised programme of technical fixes and procedural changes — implemented in order of risk, not in order of convenience.

Typical Duration: 4–12 weeks (depends on scope and severity)
Your Involvement: Engineering team for technical fixes; legal/HR for policy updates; DPO for sign-off
Format: Sprint-based delivery with weekly progress reviews and documented evidence at each milestone
  • Technical remediation — consent capture fixes, data access controls, retention enforcement
  • Procedural remediation — DSAR workflows, breach response playbook, DPA templates
  • Policy updates — privacy notices, data handling policies, vendor onboarding checklist
  • Evidence pack — documented proof of remediation for audit purposes
04

Monitor

Deploy observability tooling and establish ongoing review processes so that your compliance posture stays current as your data infrastructure evolves — catching drift before it becomes a violation.

Typical Duration: Ongoing — typically 4 weeks to instrument, then continuous
Your Involvement: Data platform team for tooling; DPO for monthly review cadence
Tools Referenced: Open-source observability frameworks; integration with existing alerting
  • Schema change alerting — new fields with personal data trigger review workflow
  • Pipeline health dashboard — SLA monitoring with compliance-relevant annotation
  • Regulatory change monitoring — GDPR guidance updates, FADP circulars
  • Quarterly compliance health review — posture assessment and gap refresh
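The schema change alerting described above can be illustrated with a small drift check. The following is an added example written for this page, not Qala's tooling: it assumes that schema snapshots are available as {table: {column: type}} dicts (for instance exported from a metadata catalogue on a schedule), diffs today's snapshot against a baseline, and puts every new column whose name suggests personal data into a review queue for the DPO. The snapshots and the name-token vocabulary are constructed for illustration; the vocabulary is a heuristic that opens a review item, not a classification decision.

```python
"""Schema-change alerting: flag newly added columns that look like personal data.

Added example for the Monitor phase; not Qala's own tooling. Assumes schema
snapshots as {table: {column: sql_type}} dicts. Snapshots and token lists below
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Column-name tokens that commonly indicate personal data, grouped by category.
# Heuristic only: a match opens a review item, it does not decide the classification.
PERSONAL_DATA_TOKENS = {
    "contact":  {"email", "phone", "mobile", "tel", "telephone"},
    "identity": {"name", "firstname", "lastname", "surname", "dob", "birthdate",
                 "birthday", "passport", "ssn", "ahv"},
    "location": {"street", "postcode", "zip", "city", "latitude", "longitude", "geo"},
    "network":  {"ip", "ipaddress", "useragent", "deviceid", "imei"},
}


@dataclass(frozen=True)
class ReviewItem:
    table: str
    column: str
    col_type: str
    category: str   # which heuristic category fired


def tokenize(column):
    """Split snake_case, kebab-case and camelCase names into lowercase tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", column)
    return [t for t in re.split(r"[\s_\-.]+", spaced.lower()) if t]


def classify(column):
    """Return the personal-data category a column name suggests, or None."""
    toks = tokenize(column)
    # Check single tokens and adjacent pairs, so "ip" + "address" -> "ipaddress".
    candidates = set(toks) | {a + b for a, b in zip(toks, toks[1:])}
    for category, vocab in PERSONAL_DATA_TOKENS.items():
        if candidates & vocab:
            return category
    return None


def diff_schemas(baseline, current):
    """Yield (table, column, type) for each column present now but absent from the
    baseline. A table that is new altogether contributes all of its columns."""
    for table, cols in sorted(current.items()):
        old = baseline.get(table, {})
        for col, col_type in sorted(cols.items()):
            if col not in old:
                yield table, col, col_type


def review_queue(baseline, current):
    """New columns whose names suggest personal data, in a stable order."""
    return [ReviewItem(t, c, ty, cat)
            for t, c, ty in diff_schemas(baseline, current)
            if (cat := classify(c)) is not None]


# Constructed snapshots: yesterday's and today's schema of an analytics warehouse.
BASELINE = {
    "orders": {"order_id": "bigint", "amount": "numeric", "created_at": "timestamp"},
    "sessions": {"session_id": "uuid", "started_at": "timestamp"},
}
CURRENT = {
    "orders": {"order_id": "bigint", "amount": "numeric", "created_at": "timestamp",
               "shipping_postcode": "text"},            # new: location data
    "sessions": {"session_id": "uuid", "started_at": "timestamp",
                 "clientIpAddress": "inet",             # new: network identifier
                 "latency_ms": "integer"},              # new, but not personal data
    "support_tickets": {"ticket_id": "bigint",          # new table
                        "customer_email": "text", "body": "text"},
}

if __name__ == "__main__":
    for item in review_queue(BASELINE, CURRENT):
        print(f"REVIEW {item.table}.{item.column} ({item.col_type}): "
              f"possible {item.category} data")
```

In practice the baseline is the snapshot approved at the last review and the current one is pulled on a schedule; each ReviewItem becomes a ticket in the review workflow, and the baseline is only advanced once the DPO has classified the new fields and the ROPA has been updated to match.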

What Guides the Work

Three operating constraints, not aspirational statements. They determine how we structure deliverables, what we build, and what we refuse to sign off on.

Evidence over assertion

Compliance documentation should reflect what your systems actually do. We build it from data flows and lineage evidence, not from interview notes alone. If your pipeline data says one thing and your ROPA says another, we correct the ROPA to reflect reality — not the other way around. A compliant-looking document built on an incorrect factual base is a liability, not an asset.

Regulation-native, not bolt-on

GDPR and FADP obligations are embedded in our process from day one. Art. 30, Art. 35, nDSG processing register requirements — these appear in our deliverable templates as structural requirements, not as a post-hoc review layer. We do not apply a compliance checklist after the technical work is done. We design technical work so that compliance is a property of the output.

Sustainable over one-time

An engagement that requires another engagement to maintain its output has not succeeded. We design documentation structures, process triggers, and tooling configurations that your team can operate and maintain without external consultants. We track this as an explicit success criterion — alongside the regulatory outcome — and will say so in the proposal if the scope does not support it.

Apply this methodology to your compliance challenge

Not every engagement starts at Phase 1. We begin with a brief assessment call to understand your current state and identify where in the four-phase process your situation requires us to start — and what the realistic path forward looks like from there.