Any organisation operating in the EU or offering goods and services to EU residents must comply with the General Data Protection Regulation (GDPR), which governs the collection, use, storage, and protection of personal data. Organisations must implement and document appropriate legal, organisational, and technical measures.

Beyond GDPR, other EU and international regulations may apply, such as the EU Digital Framework, e-Privacy Directive, EU Data Act, and sector-specific rules. Identifying relevant regulations is essential for effective compliance.

Organisations using or developing artificial intelligence (AI) systems are also subject to the EU AI Act, which sets requirements for risk management, data governance, transparency, human oversight, and documentation.

Grant Thornton’s data protection specialists deliver practical, risk-based compliance support across these frameworks, helping organisations identify gaps, mitigate regulatory risk, and implement effective compliance measures.

The services we provide

A Gap Analysis identifies the difference between your current data protection practices and what is required under the GDPR, local laws, national authority guidelines, and industry best practices. It helps you understand where your organisation stands today, where it needs to be, and the steps required to close the gap.

A maturity assessment goes a step further by evaluating how effectively data protection is embedded in your organisation in practice, across processes, tools, and governance. 

We apply a combined gap analysis and maturity assessment, based on authoritative regulatory guidance, including the CNIL’s data protection maturity model. This approach allows us to identify both compliance gaps and structural weaknesses, and to translate findings into a clear and actionable roadmap.

Whether your organisation has not yet implemented a structured data protection framework or is seeking external support to ensure that existing practices remain aligned with evolving legal and regulatory expectations, Grant Thornton supports you throughout the compliance journey.

The GDPR requires organisations to ensure that employees who process personal data understand and apply data protection principles in their daily work. In practice, most data protection incidents result not from technical failures, but from human error or insufficient awareness.

Our GDPR training is designed to be practical, accessible, and directly relevant to employees’ daily activities. 

The training covers, in particular, building a solid foundation of GDPR knowledge, raising awareness of high-risk situations, and answering questions arising from work practice.

We adapt our training to your organisation’s needs by offering flexible delivery formats, including online sessions and in-person (on-site) training.

Contact us today to schedule a tailored training session and strengthen your organisation’s data protection culture.

A Data Protection Officer (DPO) is a mandatory role under the GDPR for certain organisations, particularly public authorities and entities that carry out large-scale processing of personal data. Beyond regulatory requirements, appointing a DPO demonstrates to clients, employees, and external stakeholders that data protection is taken seriously and that your organisation is compliant with data protection and related digital regulations.

The DPO supports the organisation in complying with data protection law and must act independently, without receiving instructions on how to perform their tasks, and without any conflict of interest. The DPO reports directly to senior management and is involved in all key privacy matters.

For many organisations, appointing an external DPO is more effective and ensures independence, access to specialised expertise, cost efficiency and flexibility, immediate availability, and continuity.

We act as your trusted external Data Protection Officer, combining legal expertise with practical, business-oriented guidance.

Not sure whether you are required to appoint a Data Protection Officer? Contact us, and we will guide you through the requirements and help you gain clarity on your obligations.

Companies that process personal data are subject to a set of core obligations under the GDPR, including fair and transparent processing, data accuracy and storage limitation, accountability and documentation, data subject rights, risk management and impact assessments, and data breach management.

We can support your Legal, Compliance, or internal Data Protection teams on specific GDPR compliance matters, including: gap analysis and remediation roadmaps, GDPR documentation review, data breach risk assessments and notifications, Data Protection Impact Assessments (DPIA) for high-risk processing activities, Registers of Processing Activities (RoPA), Legitimate Interest Assessments (LIAs), data subject request handling, Data Retention Obligations & Implementation, internal awareness and GDPR training sessions, and cross-border transfers of personal data (including BCRs, SCCs and TIAs).

Whether you need one-off support or ongoing compliance assistance, we adapt our involvement to your operational reality.

The EU Artificial Intelligence Act (EU AI Act) is the European Union’s first comprehensive regulatory framework governing the development, placing on the market, and use of AI systems, ensuring that AI systems used in the EU are safe, transparent, trustworthy, and respectful of fundamental rights.

The AI Act introduces a uniform framework across all EU countries, based on a forward-looking definition of AI and a risk-based approach. The AI Act also introduces rules for so-called general-purpose AI models, which are highly capable AI models designed to perform a wide variety of tasks like generating human-like text.

At Grant Thornton, we believe that AI should be viewed as a positive tool to enhance competitiveness. There is no “one-size-fits-all” approach to compliance: your compliance journey depends on the risk level of your AI system as well as your role, whether as a provider, developer, or deployer.

Not sure how your AI system is classified? Contact us, and we will guide you through the legislation, making it easy to understand your legal obligations.

Our commitment
Our signature approach is to respect your time while consistently delivering a high level of quality. We focus on pragmatic solutions that can be effectively implemented in practice.
Pasquale Esposito, DPO, Grant Thornton Luxembourg

About our team

Our data protection team combines:

  • Extensive hands-on experience in GDPR, AI, and global data protection compliance and privacy for organisations
  • Internationally recognised certifications, including IAPP (CIPP/E, CIPM)
  • Multilingual capabilities, covering English, French, Spanish, Italian and Chinese

Contact us or share your questions with our data protection team via externaldpo@lu.gt.com


Pasquale Esposito

Data Protection Officer & DPO of the Year 2025


Dara Kelly

Partner, head of Advisory