Navigating Regulatory Compliance

The challenge

The launch of General Data Protection Regulation (GDPR) across the EU exposed our North American multinational client to a $2.2bn risk.

Our client lacked the specialist European regulatory experience necessary to deliver the required changes, and with limited knowledge of regulatory change, and a lack of standardised processes, they needed external support. We were brought in to help the client to navigate the intricacies of their EU regulatory compliance and data requirements.


We began by using an evaluation process to assess the scale of the requirement, incorporating the business throughout. By combining the assessment with a strategy and under-pinned plan, we could quickly start to mobilise.

Partnering with internal SMEs and other external resources across the 15 European company entities, our team designed and established strict governance and controls, monitoring more than 100 stakeholders and helping them to meet the legal obligations of GDPR.

We created a metric-based set of tools within a framework designed to objectively measure compliance adherence, and a detailed operating model that ensured data protection was prioritised both during and post project.

Risk reviews were regularly undertaken at a Steering Committee, with documented mitigation elements under active management control. What’s more, every two weeks we gave an evidenced status report against the baseline plan.

Our team effectively managed 15 group companies across Europe, reporting status to the US-based parent company throughout.


risk mitigation


potential risk mitigated through our client’s adherence to GDPR legislation
data records


data records and over 200 standard operating procedures reviewed and re-documented
website delivery

30 websites

across Europe updated to reflect regulatory changes
Process implementation

New processes implemented

including data breach, impact assessment and subject access requests, in order to meet new compliance legislation
operating model

New standard operating model

designed and launched to sustain GDPR practices and continuously meet regulatory demand requirements after our tenure