Digital
Structure your GDPR compliance methodically: from auditing your processing activities to defending you during a CNIL inspection.
Context
The General Data Protection Regulation, together with the French Data Protection Act (loi Informatique et Libertés), governs every processing of personal data carried out by a business, whatever its size. Since 2018, this framework has imposed an accountability logic (Article 5(2)): an organisation cannot simply wait for an authority to point out a breach; it must be able to demonstrate its compliance, with supporting documentation, at any time.
In practice, any organisation that collects, stores or uses data relating to clients, prospects or employees is concerned. The most exposed businesses are those whose activity relies on data: software publishers, SaaS platforms, marketplaces, e-commerce businesses, fintechs, healthcare operators or agencies. There, compliance often becomes a commercial prerequisite, required during fundraising rounds, due diligence audits or calls for tenders.
Problem
Compliance is rarely addressed until an event makes it urgent: a CNIL inspection, a security breach, a request from a major client or a compliance clause imposed by a contracting party. At that stage, the business often discovers that its foundations are incomplete.
The most frequent shortcomings are always the same: no records of processing activities, a generic or copied privacy policy, data processing agreements without clauses compliant with Article 28, loose handling of data subjects' rights, poorly collected cookie consent. Each of these points is grounds for a penalty which, depending on the provision breached, may reach 10 million euros or 2% of worldwide turnover (for example, for missing records or non-compliant processor contracts) and 20 million euros or 4% of worldwide turnover for the most serious breaches (such as failures of transparency or of the lawfulness of processing), not to mention reputational damage and the loss of client trust.
Solutions
My support follows a proven method, designed to produce genuine and documented compliance, not a mere façade.
The first step is a comprehensive audit of your practices: mapping of data flows, analysis of processing activities, purposes, retention periods and transfers. This audit precisely identifies the gaps against GDPR requirements and prioritises the actions to be taken according to their criticality.
Next comes implementation: drafting or overhauling the records of processing activities, privacy policies and cookie banner, bringing data processing agreements into compliance, formalising procedures for handling rights requests and data breaches. For high-risk processing, I carry out the impact assessments (DPIA) required by the regulation.
Finally, I provide ongoing support: appointment as external DPO with the CNIL, training of your teams, and full assistance in the event of an inspection or a formal notice. The aim is to make your compliance an asset, enforceable against your partners and reassuring for your clients.
It all starts with a comprehensive assessment. I map all your data processing activities: purposes, categories of data and of individuals, flows, retention periods, recipients and any transfers outside the EU. This audit highlights the precise gaps against GDPR requirements and forms the documentary basis of the entire process.
From the audit, I draw up a clear roadmap that prioritises the work according to its criticality and level of risk. You know exactly what to fix, in what order and with what level of urgency. This plan turns an abstract obligation into concrete, actionable steps, calibrated to the reality of your activity.
I produce and deploy all the deliverables: records of processing activities, privacy policies, cookie banner, clauses and data processing agreements compliant with Article 28, procedures for handling rights requests and breaches, impact assessments (DPIA) for high-risk processing. Each document is enforceable and tailored to your organisation, not a generic template.
Compliance is maintained over time. I monitor your processing activities, train your teams in the right reflexes and can act as an external DPO declared with the CNIL. In the event of an inspection, a formal notice or a data breach, I assist you at every stage, through to the defence before the authority.
FAQ
Any organisation that processes personal data is concerned, with no size or turnover threshold. As soon as you manage a client file, prospect data, employment contracts or a website collecting information, the GDPR applies. Very small businesses and SMEs benefit from no general exemption: only certain obligations, such as keeping the records of processing activities, are eased for organisations with fewer than 250 employees, and only under conditions.
The cost depends on the size of the organisation, the complexity of the processing activities and the level of compliance already in place. A business with simple data flows requires a budget well below that of a group managing international transfers or sensitive data. In every case, the investment remains far below the cost of a CNIL penalty or the loss of a contract conditioned on compliance. A precise quote is drawn up after the initial audit.
Appointing a data protection officer is mandatory for public bodies, as well as for businesses whose core activities involve regular and systematic monitoring of individuals on a large scale, or the large-scale processing of sensitive data or of data relating to criminal convictions and offences (Article 37). Outside these cases, it remains strongly recommended. The DPO may be internal or external: outsourcing this function to a lawyer helps secure the independence required by the regulation while providing direct access to legal expertise.
The CNIL's administrative penalties may reach 20 million euros or 4% of annual worldwide turnover, whichever is higher. Beyond the fine, the CNIL may issue injunctions, restrict or suspend processing and make its decisions public. To this are added civil risk, through actions by the data subjects concerned, and a growing contractual risk where clients and contracting parties include compliance clauses in their purchasing terms.
An inspection may be on site, online, by hearing or on documents. The CNIL examines the compliance documentation: records of processing activities, policies, data processing agreements, security measures and handling of rights requests. A business whose documentation is up to date approaches the inspection with peace of mind. I assist you at every stage, from preparing the documents to responding to requests, through to the defence in the event of penalty proceedings.
The records of processing activities list all the data processing carried out by the business: purposes, categories of data and of individuals, recipients, retention periods and security measures. They are the cornerstone of compliance and the first document requested during an inspection. They are mandatory for the vast majority of organisations and must be kept continuously up to date.
Yes. Article 28 of the GDPR requires that any use of a processor, host, IT provider or SaaS tool be governed by a contract containing precise clauses on security, confidentiality and the obligations of each party. Missing or non-compliant contracts expose you to a twofold risk, regulatory towards the CNIL and contractual towards your clients. Reviewing and updating these contracts is an integral part of the process.
The timeframe depends on the starting point and the complexity of the processing activities. An audit is generally conducted within a few weeks, followed by an action plan whose roll-out spans a few weeks to a few months depending on the work to be carried out. Compliance is not a fixed state but a continuous process: once the foundations are laid, the challenge is to keep them up to date as your activity and the regulations evolve.
We support tech and commerce businesses with combined legal and technical expertise, from analysis through to implementation.

Resources
Need to secure a contract, manage compliance, or anticipate a dispute? Our first meeting is designed to understand your needs and clearly explain how we can help.