CASE STUDY - LS LAW

Establishing a GDPR framework without in-house expertise


Learn how we helped a medical devices company move from uncertainty to structured data governance.


Background


When we were engaged by the UK subsidiary of a US medical devices company, responsibility for data privacy had been assigned internally without dedicated expertise. An executive assistant had taken on the role of data privacy officer alongside other responsibilities, with limited clarity on how to implement GDPR requirements in practice.

The organisation was aware of its obligations but did not have a structured framework in place. This created uncertainty at leadership level and concern that gaps in compliance could expose the business to regulatory risk.


The LS Law Approach


We approached the engagement by establishing a clear and practical route to GDPR compliance. Our focus was to identify risks, prioritise actions, and embed a governance structure that could be maintained over time.

We assigned a senior data privacy specialist with extensive regulatory and in-house experience to lead the work. We began with a structured risk assessment, using a combination of questionnaires, policy reviews, and interviews with key stakeholders to understand how personal data was being collected, used, and managed across the organisation.

From this, we identified areas of non-compliance and operational gaps. We then developed a prioritised roadmap to address these issues, ensuring that actions were proportionate to the level of risk.

This included implementing core GDPR requirements such as a Data Protection Impact Assessment (DPIA) process and a Record of Processing Activities (ROPA). We also provided guidance on governance structures to support ongoing compliance.

Following the initial phase, we continued to support the organisation through a fixed monthly retainer, providing ongoing oversight and advice as their data practices evolved.


The Outcome


The organisation moved from a position of uncertainty to a structured and managed approach to data privacy.

Key risks were identified and addressed through a clear roadmap, enabling the business to prioritise actions and allocate responsibility effectively. Core GDPR processes were established, providing greater visibility over data use and improving accountability.

With ongoing support in place, data governance became an embedded part of the organisation’s operations rather than an isolated exercise. This reduced exposure to regulatory risk and provided a foundation for continuous improvement.


"Confidence that the risks had been identified and peace of mind that they were not exposed to a potential unknown breach of GDPR, and clarity in terms of the continuous improvements needed."
Client Outcome
