For DPOs & Compliance Teams

GDPR Compliance Consulting

Art. 35 DPIAs, Art. 30 ROPAs, consent architecture review, DSAR workflow design, and DPA / processor agreement support. We build compliance documentation that reflects your actual data flows — not a filing cabinet version of last year's systems.

Art. 35 DPIA mandatory for high-risk processing activities
30 days DSAR response deadline under Art. 12 GDPR
Art. 30 ROPA required for processors with 250+ employees or risk-based triggers

GDPR Compliance as a Working Programme

Many organisations have completed enough GDPR work to satisfy an initial audit. Fewer have built a programme that remains accurate as their data infrastructure evolves. Every schema migration, every new sub-processor, every new processing activity is a potential ROPA update that does not happen. Qala's GDPR service is built around a simple premise: compliance documentation should reflect what your systems actually do, not what was described in a workshop twelve months ago.

Our GDPR advisory combines regulatory framework knowledge with direct technical access to your data flows. Where documentation-only consultants produce a ROPA from interviews, we produce one from lineage data — then design the maintenance process so it stays current without requiring another engagement.

  • Data Protection Impact Assessment (Art. 35 DPIA) — scoping, assessment, and documentation
  • Records of Processing Activities (Art. 30 ROPA) — current-state mapping and maintenance design
  • Consent architecture review — lawful basis mapping, consent capture design, preference management
  • Data Subject Request (DSR) workflow — triage, verification, fulfilment, and audit trail design
  • Data Protection Agreement (DPA) review for processors and sub-processors
  • Standard Contractual Clauses (SCCs) and international transfer mechanism review
  • DPA appointment and regulatory engagement support
GDPR compliance framework diagram showing ROPA, DPIA, DSR, and consent management components

Built for Both Teams

Compliance documentation that your legal team can stand behind, and that your data team can actually maintain.

For Data Teams

Documentation your team can maintain

  • ROPA structures mapped to your actual data sources, not generic categories
  • Change triggers defined: what schema change requires a ROPA update?
  • DSAR technical playbook: which systems to query, in what order
  • New vendor onboarding checklist with DPA requirements
  • Lineage-based evidence for processing activity documentation
For Compliance Teams

A defensible compliance posture

  • DPIA reports that meet regulatory expectations — not template fill-ins
  • Lawful basis register with processing purpose justification
  • Consent records management design with withdrawal workflows
  • Regulatory audit readiness: what to produce, in what timeframe
  • Supervisory authority communication guidance (FDPIC/DPA)

Start with a GDPR compliance assessment

We review your current documentation against your actual data flows, identify the gaps most likely to attract supervisory authority attention, and propose a prioritised remediation plan with realistic timelines.

Schedule Consultation FADP for Swiss companies →