DATA PROTECTION & GDPR SERVICES
Professional data protection services tailored to SMEs and law firms.
1. Overview
We provide independent frontend and backend GDPR audits focused on observable risk, consent validity, and data-processing transparency. Each audit involves:
- observing how your website behaves
- identifying potential GDPR-relevant gaps or risks
- documenting findings with context and evidence
The purpose of the audit is to inform, not to change your systems. It does not include:
- modifying website code or configurations
- changing consent banners or tracking behaviour
- updating policies or contracts
- adjusting internal processes or retention practices
It also does not replace a lawyer or legal advice. We do not act on your behalf with regulators or authorities.
Typical risks identified:
- Risk of invalid or ineffective consent due to banner design, missing refusal options, or pre-consent tracking
- Risk of transparency gaps between observed website behaviour and disclosures in the privacy or cookie policy
- Risk related to data collection via forms, including over-collection, unclear purposes, or implicit data capture
- Risk of third-party data exposure through scripts, embeds, or external resources loaded in the browser
- Risk of frontend data security weaknesses, including missing cookie attributes or misconfigured security headers
- Structural frontend issues that may affect multiple pages or user journeys, increasing overall exposure
You gain a clear, factual picture of how personal data is handled behind the scenes, allowing you to prioritise documentation, compliance, or legal follow-up without guesswork.
2. Frontend GDPR Audit
The Frontend GDPR Audit is a technical and legal-aligned review of what your website does in the user’s browser before, during, and after consent. It covers:
- Cookies
- Privacy Policy
- Data Collection Forms
- Data Security Settings
- This audit does not test your website for hacking or security weaknesses.
- It also does not replace a lawyer or legal advice. We do not act on your behalf with regulators or authorities.
- Instead, the audit shows how your website behaves for users, highlights potential GDPR and cookie-related risks, and explains them in clear terms — so you can decide what to do next.
It is an evidence-based compliance review of publicly accessible frontend behaviour, as experienced by real users. The audit reflects how regulators typically assess consent and tracking in real-world enforcement scenarios.
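As an added illustration of the "Data Security Settings" item in the audit scope (example code written for this page, not the provider's own tooling), the check below reads constructed HTTP response headers as a browser would receive them, flags missing cookie attributes and absent security headers, and grades each gap on the Low / Medium / High scale used in the findings reports. The expected-header list, the risk weights and the sample response are assumptions.

```python
"""Frontend data-security check: cookie attributes and security headers."""
from email.parser import Parser

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """\
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: _ga=GA1.2.1; Path=/; Expires=Wed, 01 Jan 2026 00:00:00 GMT
Strict-Transport-Security: max-age=31536000
"""

# Assumed headers the audit expects, with the risk assigned when absent.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "High",
    "Content-Security-Policy": "Medium",
    "X-Content-Type-Options": "Low",
    "Referrer-Policy": "Low",
}


def parse_headers(raw: str):
    """Parse a raw header block into a case-insensitive message object."""
    return Parser().parsestr(raw, headersonly=True)


def check_cookies(msg):
    """Return (cookie name, gap, risk) for each missing cookie attribute."""
    findings = []
    for cookie in msg.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append((name, "Missing Secure attribute", "High"))
        if "httponly" not in attrs:
            findings.append((name, "Missing HttpOnly attribute", "Medium"))
        if "samesite" not in attrs:
            findings.append((name, "Missing SameSite attribute", "Medium"))
    return findings


def check_headers(msg):
    """Return (header, gap, risk) for each expected header that is not set."""
    return [(h, "Header not set", r) for h, r in EXPECTED_HEADERS.items() if h not in msg]


def classify(findings):
    """Item-level status: Compliant / Partially Compliant / Not Compliant."""
    if not findings:
        return "Compliant"
    return "Not Compliant" if any(r == "High" for _, _, r in findings) else "Partially Compliant"


if __name__ == "__main__":
    msg = parse_headers(SAMPLE_HEADERS)
    results = check_cookies(msg) + check_headers(msg)
    for item, gap, risk in results:
        print(f"{risk:6} {item}: {gap}")
    print("Status:", classify(results))
```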
3. Backend / Processing Audit
The Backend / Processing Audit reviews how personal data is collected, handled, stored, and shared behind the scenes once a user interacts with your website.
It focuses on what happens after a user submits data, rather than what happens in the browser.
Areas reviewed:
- Forms and inputs
- Data flow paths
- Processing roles
- Purpose alignment
- Third-party processors and integrations
This audit:
- does not involve hacking or security testing
- does not replace legal advice or legal representation
- does not include drafting or rewriting contracts or policies
- does not certify GDPR compliance
What you receive:
- a clear, end-to-end view of how personal data moves through backend systems (from submission to storage, sharing, and retention)
- item-level compliance classification (Compliant / Partially Compliant / Not Compliant) for concrete backend processing activities
- risk profiling (Low / Medium / High) aligned to observed behaviour and scope of impact
- documented gaps between declared practices (policies, notices, internal assumptions) and actual system behaviour
- a structured, prioritised findings report suitable for legal, technical, or compliance follow-up
- a strong factual basis for GDPR accountability documentation, without prescribing implementation actions
Each finding is assessed individually and classified by compliance status and relative risk, based on observed backend behaviour and available information at the time of review.
The review is based on observable behaviour, configuration, and available documentation, not assumptions. We provide technical and operational inputs describing how data is processed in reality.
Legal partners may use these inputs to draft or update documents such as privacy notices or Data Processing Agreements, where required.
4. Privacy By Design
Technical evaluation focused on data minimization and privacy-by-design controls.
Areas reviewed:
- Relevant system architecture and configurations
- Access controls, permissions, and segregation
- Unnecessary or excessive data processing
- Structural risks arising from system design
5. Technical implementation
Technical implementation focuses on applying specific, scoped changes based on audit findings or agreed technical requirements.
This phase is separate from the audit and only performed where explicitly requested.
Implementation is limited to technical execution. It does not include legal drafting, policy authorship, or regulatory representation.
Typical scope:
- Consent banner and CMP configuration adjustments
- Tag management updates (Google Tag Manager, analytics triggers, firing conditions)
- Cookie behavior alignment with consent signals
- Form handling and submission logic changes
- Script loading controls and conditional execution
- Basic frontend security configuration (headers, cookie attributes)
- WordPress-specific configuration and plugin adjustments
Not included:
- Legal advice, legal interpretation, or legal representation
- Drafting or rewriting privacy policies, cookie policies, or contracts
- Acting on your behalf with regulators or authorities
- Penetration testing or security hacking
- Certification or guarantees of GDPR compliance
Working principles:
- Evidence-driven — based on observed system behavior
- Minimal and scoped — only what is necessary is changed
- Traceable — changes can be mapped back to findings or requirements
- Reversible — no irreversible architectural decisions without agreement
The goal is to reduce risk, not to redesign systems unnecessarily.
Collaboration with your team or partners
Implementation can be carried out:
- directly on WordPress-based websites (where access is provided), or
- in coordination with your internal technical team or external developers.
Clear technical guidance is provided to ensure changes are implemented correctly and consistently.
Frequently Asked Questions (FAQs)
How long does an initial GDPR project take?
It depends on the size and complexity of the digital systems (frontend and backend), but usually between 1 and 3 weeks.
Do you work with small businesses?
Yes, most of my clients are SMEs or startups without an internal compliance department.
Can I hire only the initial audit?
Yes. The audit is an independent service.
Do you work remotely?
Yes. All services can be delivered remotely, with meetings held by video call.
Do you provide the documentation in our country’s official language?
Yes. Documentation can be provided in English or adapted to your country’s official language, depending on your regulatory and operational needs.
This is common for organisations operating in multiple EU countries or working with local regulators, legal advisors, or national supervisory authorities.
Who implements the GDPR technical changes on my website?
I can coordinate with your current provider, or handle the implementation myself if the technology stack falls within my or my team’s area of expertise.
