Overview
What it is, in plain English.
The General Data Protection Regulation governs how any organization — anywhere in the world — handles the personal data of people in the EU and UK. Penalties reach 4% of global annual turnover, and enforcement is now routine. Lyra builds GDPR programs that are operational, not theatrical: data mapping, lawful basis analysis, data subject rights workflows, vendor governance, and cross-border transfer mechanisms.
GDPR readiness, Data Protection Impact Assessments (DPIAs), data mapping, and ongoing privacy operations.
Who needs it
Built for organizations that have to get this right.
Companies with EU/UK customers, employees, or website visitors
B2B SaaS processing personal data on behalf of EU controllers
Marketers running EU campaigns or using EU data brokers
US companies receiving EU personal data (Data Privacy Framework, SCCs)
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Data Mapping & ROPA: We inventory every processing activity, data category, and data flow — and build the Article 30 Record of Processing Activities.
- 02 Lawful Basis & Risk: We document lawful basis for every processing activity and run DPIAs for high-risk processing.
- 03 Operationalize Rights & Vendors: We implement DSAR workflows, consent management, vendor DPAs, and SCCs / DPF transfer mechanisms.
- 04 Sustain & Monitor: We operate the program — handling DSARs, breach response, vendor reviews, and regulator inquiries.
Key controls
What's actually in scope.
Article 30 Record of Processing Activities (ROPA)
Lawful basis documentation per processing activity
Data Protection Impact Assessments (DPIAs) for high-risk processing
Data Subject Access Request (DSAR) workflow with 30-day SLA
72-hour breach notification process
Cross-border transfer mechanisms — SCCs, DPF, BCRs, transfer impact assessments
Deliverables
What you walk away with.
ROPA and data flow diagrams
Privacy notice library (web, employee, candidate, customer)
DPIA template and completed DPIAs
DPA / SCC contract package and vendor inventory
DSAR and breach response runbooks
Optional Data Protection Officer (DPO-as-a-Service)
Timeline
Initial readiness: 3–6 months. Ongoing program operation is continuous.
Questions we hear
Straight answers to the real questions.
- Do US-only companies need to care about GDPR?
- If you have an EU website visitor, EU customer, or EU employee — yes. Territorial scope under Article 3 is broad and routinely enforced.
- What about the EU-US Data Privacy Framework?
- DPF (replacing Privacy Shield) lets self-certified US companies receive EU personal data without Standard Contractual Clauses for those flows. We help with DPF self-certification and the underlying program requirements.
- Do we need a DPO?
- Mandatory only for public authorities and certain large-scale processors. We provide DPO-as-a-Service for clients who want the role filled by an experienced privacy professional.
Other frameworks we support
SOC 2 (Type 1 and Type 2): AICPA SOC 2
ISO 27001: ISO/IEC 27001 ISMS
CMMC: Cybersecurity Maturity Model Certification
NIST 800-171: Protecting CUI in non-federal systems
NIST CSF (including 2.0): NIST Cybersecurity Framework
HIPAA / HITRUST: Healthcare privacy and security