“I was really impressed with how Lexoo managed the whole project. They broke it down and made it feel manageable.”

Data protection

Head of Legal, Sally Britten

When to run a GDPR audit


At the point where a company begins to scale, it’s a good time to look at GDPR compliance. For every company there is the risk of fines and investigations but there are day-to-day concerns such as legacy data and Subject Access Requests. Trying to rectify mistakes and implement processes can become more difficult later down the line when the company has grown and gaps have become wider. 

As a fast-growing company, ComplyAdvantage was starting to work with more and more sophisticated clients who expect a higher level of demonstrable GDPR compliance. They also wanted to create scalable GDPR processes for the company as it grows.

 The legal team, headed by Sally Britten, decided that it was time to run an internal GDPR audit to find any gaps and get their processes up to scratch. They considered a range of suppliers but decided to go with Lexoo for our cost-effective offering and focus on business goals and outcomes. 

To secure the budget for the project, we created a business case for Sally to share with her CFO;

ComplyAdvantage high-growth Regtech scale up based in London. They provide SaaS products to fintechs which revolutionises the way companies protect themselves from criminals, terrorists and money launderers. 

Having raised their Series C funding round in 2020, they are now scaling the business globally.

“The business case was really well presented. It was concise and I felt comfortable sending it to our CFO. I didn't even need to rework anything before sending it along.”

Head of Legal, Sally Britten

Project kick-off

As with any project, our goal is to make the process as easy as possible for our clients. So when the project got the green light we organised a kick-off call with Sally to agree on the timelines and how we’d like to work together. We agreed to;

  • Set up a Slack channel for general communications, updates and check-ins to prevent a barrage of email chains and to make communications frictionless;
  • Work in Google Docs as that is how the team likes to work internally; and 
  • Schedule a weekly call where we could catch up on the project, and if there was nothing to discuss, we’d simply cancel it. 

Co-ordinating internal stakeholders

A GDPR audit involves input from internal stakeholders across a number of departments such as human resources, sales, IT and marketing. To collate information about the status quo quickly and efficiently, we created a tailored questionnaire that was circulated to the relevant stakeholders. 

Once the questionnaires were completed, we arranged follow up calls with each stakeholder so our data protection specialist could get the extra information and context required to tailor his report to the company’s risk profile.

The internal team reported that the process “wasn’t nearly as painful as they expected”.

“The data protection specialist was very personable and was able to take a really commercial approach. The internal team found him very approachable on the calls.”


With the information we gathered, our lawyer was able to compile a gap analysis of ComplyAdvantage’s GDPR compliance, which covered the current position, gaps and remedial action points. 

The Lexoo team designed a clear, business friendly deliverable so our lawyer could set out his findings in a format suitable for Sally and the other internal stakeholders. We wanted Sally to be able to share the report internally without needing to rework or explain the document. 

Every company’s risk profile is different so there is no one-size-fits-all approach to implementing a remediation strategy. That’s why we plotted each remedial step in the report against the company’s internal risk scoring system so they could prioritise the most urgent, high risk steps.

“I was really impressed with how Lexoo managed the whole project. They broke it down and made it feel manageable. It's been very business friendly and the advice was spot on and well tailored.”


Get in touch with us

If you could use a hand with your commercial contracts or with a multi-country project leave us a message and we’ll get back to you asap (usually same day!)

In-house legal newsletter

One useful idea or insight per week for in-house lawyers.



Tech & Services


Copyright © 2024 Lexoo.

Lexoo Limited is registered and incorporated in England and Wales, company registration number 08900002.

1-45 Durham Street, London SE11 5JH.  Lexoo Limited is registered as a Data Controller under the ICO: ZA073304.