GDPR compliance for business

GDPR preparation for working with the EU: data map, privacy documents, contracts with contractors, data transfers, and processes for passing client audits.

GDPR is not "about pieces of paper", but about trust, speed of deals, and business readiness for client requirements. When there are gaps in privacy or data security, a contract can be stopped, complicated with additional requirements, or its terms revised.

We help turn GDPR from a potential obstacle for deals into an understandable system that strengthens trust in the business. You receive documents and processes that help you pass partner checks faster, answer GDPR questionnaires, work more confidently with contractors, and reduce the risk of delays, additional requirements, or revision of contract terms.

We support technological and international businesses for which personal data is a part of the product, sales, or operational model. At the consultation, we will identify critical gaps and form a priority action plan — from basic documents to preparation for due diligence, requirements of banks, PSPs, or investors.

GDPR Compliance Packages

Quick logic of the packages

Package Price Term Who it suits Key result
GDPR Start from 900 EUR 7-10 w.d. small business, landing pages, MVP, simple e-commerce projects minimum set of documents and basic risk map
GDPR Business from 2,500 EUR 15-20 w.d. SaaS, e-commerce, marketplaces, IT companies, agencies working GDPR package for partners, investors, banks, and PSPs
GDPR Pro / Investor Ready from 5,000 EUR 25-35 w.d. FinTech, HealthTech, EdTech, AI/ML, HR-tech, projects with due diligence full-fledged GDPR system with risk matrix and roadmap

Package 1 — GDPR Start

Price: from 900 EUR | Term: 7–10 working days

For whom: small business, websites, landing pages, simple e-commerce projects, MVP, services without complex processing of personal data and without a significant volume of users from the EU.

More about the package

 

Block What we do Result for the client
Initial checklist Checking the business model, website or product, and basic data collection points. Understanding the minimum level of GDPR risk.
Privacy Policy Preparation of a basic privacy policy for the website or product. A document for publication on the website or in the application.
Cookie Policy Basic policy for cookies and tracking technologies. Clear description of the use of cookies.
Cookie banner Recommendations on the structure of the cookie banner without technical setup. Understanding of how the banner should look legally.
DPA template Data Processing Agreement template for contractors and processors. A basic contractual tool.
Consultation One consultation up to 60 minutes. Analysis of the client’s questions and next steps.

Result: the client receives a minimum set of documents and an understanding of basic risks. The package is suitable for a quick start but does not cover complex data processing operations.

Not included: deep audit of processes, DPIA, TIA, cross-border transfers, negotiations with counterparties, technical setup of a cookie banner.

Package 2 — GDPR Business

Price: from 2,500 EUR | Term: 15–20 working days

For whom: SaaS, e-commerce, marketplaces, IT companies, agencies, companies with clients or users from the EU that need not just a set of documents, but an understandable compliance structure.

More about the package

 

Block What we do Result for the client
GDPR audit Analysis of the business model, data flows, and main risk points. A working picture of where and why data is processed.
Roles mapping Defining the roles of controller / processor / joint controller. Understanding contractual and regulatory responsibility.
Data map Map of personal data processing. The basis for internal processes and negotiations with counterparties.
RoPA Record of Processing Activities. Basic register of processing operations.
Core documents Privacy Policy, Cookie Policy, Data Processing Agreement. Main set of external documents.
Vendor clauses Basic contractual clauses for contractors and processors. Protection in contracts with suppliers.
DSAR procedure Procedure for processing data subject requests. Procedure for responding to access / deletion / portability / objection requests.
Data breach procedure Incident response procedure. Algorithm of actions in case of a leak or security breach.
Retention matrix Data retention period matrix. Control over data storage and deletion.
Risk memo A brief memorandum on key legal risks. Clear risk map for management.
Workshop One internal call or workshop up to 90 minutes. Transfer of logic to the client’s team.

Result: the client receives a working GDPR package that can be shown to partners, investors, banks, payment providers, and large counterparties.

Not included: DPIA, TIA, EU representative, DPO-as-a-Service, local opinion of a lawyer from a specific EU country.

Package 3 — GDPR Pro / Investor Ready

Price: from 5,000 EUR | Term: 25–35 working days

For whom: companies with active sales in the EU, FinTech, HealthTech, EdTech, AI/ML, HR-tech, marketplaces, services with a large volume of user data or preparation for due diligence.

More about the package

 

Block What we do Result for the client
Extended audit Extended GDPR audit and interviews with key team members. A real picture of processes, not “policies for the sake of policies”.
Data flows Full map of data flows and key systems. Understanding the data route inside and outside the company.
RoPA Record of Processing Activities. Formalized register of processing operations.
Core documents Privacy Policy, Cookie Policy, Data Processing Agreement. External compliance set.
Vendor DPA Vendor Data Protection Addendum. Control over contractors and processors.
Transfers SCC template or transfer clauses if necessary. Base for non-EEA data transfers.
DPIA screening Assessment of the need for a DPIA. Understanding high-risk processing.
DPIA One DPIA for one key process. Documented risk assessment regarding a critical process.
Policies Data breach procedure, DSAR procedure, retention policy, internal data protection policy. Internal procedure for working with data.
Employees Employee privacy notice. Document for staff and contractors.
Security checklist Basic technical and organisational measures checklist. Basic legal + security bundle.
Risk matrix GDPR risk matrix. Prioritization of risks.
Roadmap Compliance roadmap for 3–6 months. Step-by-step implementation plan.
Workshops Two consultations or workshops for the team. Transfer of the model to the client.

Result: the client receives not just documents, but a full-fledged GDPR system suitable for due diligence, working with large partners, investors, and international counterparties.

Not included: official appointment of a DPO, continuous support, local registrations or communication with the supervisory authority, technical implementation of IT solutions.

Comparison of GDPR Packages

What is included GDPR Start GDPR Business GDPR Pro / Investor Ready
Cost from 900 € from 2,500 € from 5,000 €
Estimated term 7–10 working days 15–20 working days 25–35 working days
Who it suits Landing pages, MVP, small websites, simple e-commerce projects. SaaS, e-commerce, marketplaces, IT companies, agencies. FinTech, HealthTech, EdTech, AI/ML, HR-tech, projects with due diligence.
Business model and risk assessment Basic checklist GDPR audit Extended audit and interview with the team
Data map / data flows Full map of data flows
Privacy Policy and Cookie Policy
Cookie banner Legal recommendations Legal recommendations Legal recommendations
DPA and documents for contractors DPA template DPA + vendor clauses DPA + Vendor DPA
RoPA — register of data processing
DSAR procedure
Data breach response procedure
Retention policy / matrix
International data transfers SCC / transfer clauses if necessary
DPIA DPIA screening + 1 DPIA
Internal policies and documents for staff Basic procedures Internal policy + Employee Privacy Notice
Risk memo / risk matrix / roadmap Basic recommendations Risk memo Risk matrix + roadmap for 3–6 months
Consultations / workshops 1 consultation up to 60 min. 1 workshop up to 90 min. 2 consultations / workshops

Prices for additional services

Need to prepare a business for GDPR?

We will check what documents and processes are missing and help prepare for a client request, GDPR questionnaire, DPA, or partner audit — without the chaotic creation of policies right before a deadline.
Discuss a request with a lawyer
Specializes in GDPR, personal data protection, and legal support of technological and international projects. Helps businesses prepare privacy documents, DPAs, processes for working with contractors, international data transfers, and materials for due diligence.

When GDPR may apply even if you are not in the EU

GDPR may apply to a business outside the EU if it offers goods or services to people in the EU or monitors their behavior. What matters is not only the country of company registration but the actual operational model with the European audience.

  • You offer goods or services in the EU: for example, SaaS, a mobile application, e-commerce, a subscription, or an online service.
  • You track user behavior: through analytics, profiling, cookies, advertising identifiers, SDKs, or other tracking tools.

Quick self-assessment

  • Do you have clients or users from the EU?
  • Does the website or application have prices in euros, delivery to the EU, or localization in the languages of EU countries?
  • Do you use cookies, SDKs, analytics, advertising, or profiling?

If the answer is “yes” to at least one question, this is a reason to conduct an assessment of GDPR applicability. One indicator does not always mean automatic application of the Regulation, but ignoring it is already risky.

What most often stops deals and GDPR checks

In practice, problems arise not because of the absence of a single document, but because of a gap between policies, contracts, and the actual business processes.

  • No data map: it is unclear what data is collected, why, where it is stored, and to whom it is transferred.
  • Undefined roles: the company does not understand when it is a controller, processor, or joint controller.
  • Absence of DPA or other contractual terms: with cloud services, CRM, analytics, support, payment providers, and other contractors.
  • Unregulated data transfers: personal data is transferred outside the EU/EEA without a proper mechanism or risk assessment.
  • No DSAR process: the team does not know how to respond to requests regarding access, deletion, portability, or objection to data processing.
  • No incident scenario: there is no clear course of action in the event of a leak or data security breach.

Roles: controller, processor, and joint controller

A correctly defined role is the basis for contracts, policies, responsibility, and the architecture of GDPR documents.

Controller: determines why and how personal data is processed.

Processor: processes data on behalf of the controller and according to its instructions.

Joint controllers: two or more parties jointly determine the purposes and key means of data processing.

Example for SaaS

  • If a client uploads the contacts of their users into your service, the client is often the controller, and the SaaS company is the processor.
  • If you collect user data for your own marketing, analytics, or sales, you usually act as a controller.

Practical framework for GDPR preparation: 10 directions

  1. Data mapping. We determine what data is processed, where it comes from, where it is stored, and to whom it is transferred.
  2. RoPA. If necessary, we prepare or update the register of processing operations: purposes, data categories, retention periods, recipients, transfers, and security measures.
  3. Lawful basis. We define the legal basis for each key process: contract, legal obligation, legitimate interest, consent, etc.
  4. Transparency. We prepare a Privacy Notice, Cookie Notice, and other documents explaining to the user exactly how data processing works.
  5. Cookie and tracking management. We check the banner, consent logic, and the use of analytical or advertising tools.
  6. Vendors and contracts. We prepare DPAs, vendor clauses, and other contractual mechanisms for working with contractors and processors.
  7. Data subject rights. We build a DSAR process and response templates to typical user requests.
  8. Security and incidents. We form basic rules for access, incident response, and internal escalation logic.
  9. DPIA. We assess whether a specific process requires a Data Protection Impact Assessment due to a high risk to the rights and freedoms of users.
  10. Data transfers. We analyze transfers outside the EU/EEA and determine the appropriate mechanism: adequacy decision, SCC, DPF, or other safeguards depending on the situation.

gdpr compliance

Data transfers: SCC, DPF, and TIA

If personal data is transferred outside the EU/EEA, it is necessary to assess the data route, the recipient, and the legal transfer mechanism.

  • Adequacy decision: for individual countries or mechanisms recognized by the European Commission as providing an adequate level of protection.
  • EU–US Data Privacy Framework: can apply to American companies participating in the Framework.
  • Standard Contractual Clauses: are used when there is no corresponding adequacy mechanism for the transfer.
  • Transfer Impact Assessment: helps to assess the risks of a specific transfer and the need for additional protection measures.

Documents without a real process do not solve the problem. If data is actually transferred via CRM, cloud, analytics, or support services, this must be reflected in the data map, contracts, and internal procedures.

Fines and commercial risks

For certain GDPR violations, administrative fines of up to 20 million euros or 4% of total worldwide annual turnover of the preceding financial year can be applied — whichever is higher.

For business, the practical risk often arises earlier: a check from a client, bank, PSP, investor, or a large counterparty can delay the deal, increase the volume of legal requests, or change the terms of cooperation.

How Prikhodko & Partners helps

We analyze actual processes of working with personal data and prepare documents and procedures that can be used in work with clients, contractors, and during audits.

  • Audit and data map: sources, systems, vendors, transfers, and key risks.
  • Roles and contracts: controller / processor, DPA, and terms for contractors and sub-processors.
  • Policies and internal processes: Privacy Notice, Cookie Notice, retention, DSAR, and incident response.
  • Complex cases: SCC / DPF, international transfers, and DPIA — if necessary.

GDPR is like a seat belt: it seems unnecessary exactly until the first sudden braking. It is better to have your own, rather than one imposed by the client’s lawyer right when the deal is “almost signed”.

Frequently asked questions

Does GDPR apply to a Ukrainian company?

GDPR can apply to a business outside the EU if the company offers goods or services to people in the EU or tracks their behavior through analytics, cookies, advertising tools, SDKs, or profiling. The final assessment depends on the actual operational model, the audience, and data processing processes.

What documents are required for basic GDPR preparation?

For a website, MVP, or simple e-commerce project, usually required are a Privacy Policy, Cookie Policy, legally correct cookie banner logic, a basic DPA template for contractors, and an initial risk assessment. For an operational business, the list is supplemented with a data map, RoPA, DSAR procedure, retention policy, and an incident response plan.

How does a DPA differ from SCC?

A DPA regulates the relationship between a company and a contractor processing personal data on its behalf. SCCs are used as one of the mechanisms for transferring personal data outside the EU / EEA. In some projects, both documents may be required.

When does a company need DPIA and TIA?

A DPIA may be required for processes with a high risk to the rights and freedoms of individuals, particularly when working with sensitive data, profiling, or large-scale data processing. A TIA is used to assess the risks of international data transfer, particularly when working with suppliers outside the EU / EEA.

Can you just use ready-made GDPR templates?

Ready-made templates can be a starting point, but in themselves, they do not create GDPR compliance. Documents must match the actual processes of the company, the composition of vendors, the role of the business as a controller or processor, methods of data collection, and international transfers.

Our clients

Our awards

Need professional legal advice on GDPR compliance?

Send a request and we will call you back:
Or call us personally:
By submitting this form, you agree to the privacy and data usage policy on this site.