Practice I — Corporate Strategy & Legal Architecture

Data Protection

Practice I · Service 02

GDPR audits, DPIA scaffolding, and architecture for cross-border data transfers.

NIS2 perimeter scoping. Records of processing. Vendor due-diligence framework. The discipline is structural — not advisory.

01 Overview

The European data-protection regime — GDPR (Regulation (EU) 2016/679) reinforced by NIS2, the Data Act, and Schrems II jurisprudence — is no longer a checklist. It is an operating constraint on architecture: data flows, vendor selection, third-country transfers, and incident response are all decisions made under the regulation, not against it.

Data Protection delivers the structural posture required to operate within this constraint defensibly. The mandate produces a current-state map of data flows, a remediation programme, transfer-mechanism architecture, and the documentation required for both supervisory inquiry and customer due-diligence. The output is permanent infrastructure, not a one-off audit memo.

02 Scope

The mandate components delivered under this engagement.

01 GDPR Maturity Assessment

Current-state assessment against the full GDPR obligation set, with a remediation roadmap calibrated to risk and timeline.

  • Article 30 records of processing — inventory and gap analysis
  • Lawful basis review per processing operation
  • Data subject rights operational readiness (Articles 15–22)
  • Article 32 security-of-processing assessment
  • Breach-notification readiness (72-hour clock)
  • DPO appointment and Article 37 reporting line review

02 Cross-border Transfer Architecture

Transfer-mechanism selection, design, and execution for data flowing outside the EEA.

  • Adequacy decision applicability under Article 45
  • Standard Contractual Clauses (Decision (EU) 2021/914) module selection and execution
  • Transfer Impact Assessment (TIA) under Schrems II jurisprudence
  • Supplementary measures — technical, contractual, organisational
  • BCR design for intra-group transfers
  • CLOUD Act and Section 702 conflict analysis

03 DPIA & NIS2 Scaffolding

Data Protection Impact Assessment design under Article 35, and NIS2 perimeter scoping for in-scope organisations.

  • DPIA template and methodology adapted to the organisation
  • Article 35(3) trigger evaluation per processing operation
  • NIS2 essential / important entity determination
  • Supply-chain security assessment under NIS2
  • Incident-response architecture aligned with NIS2 reporting
  • Vendor due-diligence framework with measurable criteria

03 Method

Data-protection mandates are conducted in close coordination with the General Counsel, the DPO, and the relevant operational owners. The mandate produces deliverables in three forms: technical-legal reports for internal audit, executable templates and policies for operational deployment, and structured documentation for regulator and customer inquiry.

All work is performed under bilateral confidentiality. Where the engagement crosses into adversarial territory — supervisory authority inquiry, regulatory enforcement, or contested transfer architecture — the engagement is escalated by written notice to the Managing Partner.

Engagements begin by written brief.