No one builds a company to deal with data privacy.

GDPR should help your business move forward, not get in the way.

GDPR is often ignored until it blocks deals or creates legal problems. Missing documentation slows down sales and due diligence.

Weak GDPR setups expose companies to fines, claims, and enforcement in the EU.

But it doesn’t have to be like that.

Your legal partner for EU compliance

Hi, I’m Kolja Strübing, German-qualified lawyer and data protection officer (DPO). I’ve been specializing in data protection, IT law and information security since 2021.

As CEO of a legal tech startup, external DPO, and head of a compliance team at a consultancy, I have guided 50+ companies through GDPR across Europe, the US, and Asia, from mid-sized businesses to international enterprises.

My clients are typically international companies dealing with GDPR for the first time or businesses that have outgrown their current setup and need a more structured approach.

Let’s Turn GDPR into Something That Actually Works

Not sure where you stand?

Find out in days (not months).

Most companies don’t need a full compliance project to get started. They need to know where they stand.

That’s what the Quick Check is for. We look at the six areas that account for most GDPR fines and enforcement actions. You get a plain-English report, a prioritised list of what to fix, and a 30-minute call to walk through it.

No retainer, no commitment. And if you decide to go further, the fee comes off the next project.

Entry offer

GDPR Quick Check

A focused two-day review of the six areas that account for most GDPR fines. Delivered as a clear, actionable report.

€ 1.500

credited toward any larger package

1. Organisation & accountability
2. Records & documentation
3. Security measures (TOMs)
4. Vendors & processors
5. Website & privacy notices
6. Employee data handling
↓ Or choose a full package below

Below are three GDPR implementation packages, designed to fit different stages of growth and regulatory complexity.

At the beginning, we will determine together which building blocks your company actually needs.

The right package for every stage


GDPR Foundation

For startups & small teams


  • Final definition of scope (company, products, markets)
  • Role clarification: controller vs. processor
  • Governance baseline
  • Record of Processing Activities (core processes)
  • Data categories, purposes, recipients
  • Focus on real processing activities, not formal completeness
  • Identification of relevant processors
  • Classification under Art. 26 / 28 GDPR
  • Gap list
  • DSAR intake process
  • Responsibility matrix
  • Deadlines and workflow definition
  • 72-hour breach response process
  • Decision tree
  • Responsibilities
Book a free intro call →

GDPR Premium

For regulated industries & scale-ups


Everything from Business, plus:

  • SCC setup or review
  • Transfer Impact Assessments
  • Additional legal safeguards
  • Binding Corporate Rules optional
  • Embedding privacy into decision-making
  • Review of products with regard to the principle of privacy by design
  • Product and change management processes
  • Management briefing
  • Training of key teams (e.g. Product, Marketing, Operations)
  • Focus on decision-making capability, not legal theory
  • Executive summary
  • 12-month roadmap
  • Optional preparation for DPO onboarding
Book a free intro call →

The regulatory environment around data is changing.

Especially if you work with AI or provide connected products or services.


This is why we need a legal data strategy.

What is a data strategy?

I know this isn’t what you want to hear, but GDPR no longer stands alone.

Today, data is governed by overlapping rules: GDPR, the EU Data Act, the AI Act, contract law and trade secret protection. They regulate different aspects of the same question: who may access, use, and control data.

These rules also interfere with one another, and this interplay has to be considered in data governance. For example, AI systems affect personal data or trade secrets, and the same is true of Data Act access requests.

A legal data strategy is the structure that connects these rules in one place and makes them workable in practice.

That is why this site is called datastrategy.law and that’s why I offer additional packages to consider those regulations (the Data Strategy Add Ons).

While you can book each package and module separately, these are not to be considered optional, because compliance with these regulations is required by law.

Data Strategy Add Ons

Extend your data strategy

IT Contract Law

Legal support for software development, cloud and outsourcing projects:

A. IT and SaaS agreements
B. Software licensing and development contracts
C. General terms and conditions (GTCs)
D. Outsourcing and service level agreements
E. IT project contracts involving data protection and information security
Book a free call →

Data Act

Legal support for implementing the EU Data Act and structuring data governance:

A. Analysis of data flows and access rights
B. Drafting of data sharing and access agreements
C. Governance structures for data access, use, and sharing
D. Integration of GDPR, Data Act, the protection of trade secrets, AI Act etc. into a coherent data strategy
Book a free call →

AI Law

Legal advice on the AI Act for the use and development of AI systems:

A. Classification of AI systems (including high-risk systems)
B. Creation of internal policies, risk analyses, and compliance documentation
C. Contract drafting in line with AI Act requirements
D. Training on legal obligations and accountability in order to obtain AI literacy (Art. 4 AI Act)
Book a free call →

Data protection doesn’t end when the project does; it’s a process. Someone needs to own it long-term.

Ongoing

DPO as a Service

Once the new structure is in place, data protection becomes an ongoing responsibility. Your internal Data Protection Officer takes over this role and acts as a central point of reference for your company.

  • Acting as internal Data Protection Officer
  • Ongoing legal support for GDPR
  • Monitoring data protection decisions in day-to-day operations
  • Support in handling data subject requests
  • Communicating with supervisory authorities
  • Training & awareness for relevant teams
Book a free call →

Or maybe you just want to solve one very concrete issue

“Is my website actually GDPR-compliant?”

One-time

Website Check

I analyse your website and tell you exactly what to fix, including tools, cookie banners and opt-ins, your privacy policy, and the impact on your marketing.

  • Cookie banner & consent management
  • Privacy policy & legal notices
  • Third-party tools & tracking scripts
  • Marketing & analytics compliance
  • Written audit report with action items
  • Delivered within 5 business days
Book a free call →

A quick reality check

As a lawyer working with international tech companies and fast-growing startups, I often see the same situation: teams know they have to “do something about GDPR”; they just don’t know where to start. At the same time, GDPR fines can be up to €20 million or 4% of annual turnover, whichever is higher.

The truth is, filling out endless compliance checklists and using pre-made templates won’t get you anywhere if you don’t know what they are for.
What you need is a clear, practical structure that fits your business and scales with it.

If you’re scaling in Europe, now is the right time to build the legal foundation that supports your growth instead of slowing it down.

This looks like:
✍️ Making sure your GDPR setup actually matches how your product and data flows work.
✍️ Reviewing your commercial contracts, data processing agreements, and vendor terms before you expand.
✍️ Setting up a consistent legal framework that keeps your product launch-ready for new markets.

You don’t want to lose a deal or delay an investor meeting because of a missing clause or an outdated privacy setup.

Good legal protection should be clear, practical, and affordable, something that makes your next step easier, not harder.

I help you understand exactly what you need to operate confidently in the European market.

Let’s get in touch

 
