Most SMEs aren't non-compliant on paper — they're non-compliant in how they actually collect, share and store data every day: IDs over WhatsApp, contracts in personal inboxes, client files on shared drives. We find those real gaps in your sector and fix them.
Built around your profession
Every sector handles personal data differently — and makes different mistakes. Pick yours for the real-world problems we see and how we fix them.
Client IDs, payslips and contracts collected over WhatsApp and personal email — no consent basis, no retention limit.
🏖️ Guest passports scanned to phones and booking platforms, shared with cleaners and owners, kept forever.
⚖️ Highly sensitive case files sent as unencrypted email attachments and stored on personal devices.
📜 Identity, family and financial documents handled with no access control and an unclear legal basis.
🩺 Health data — a special category under Art. 9 — exchanged on WhatsApp and stored unprotected.
📊 Financial and personal data flowing through inboxes, shared drives and consumer file-sharing tools.
🛒 Customer and payment data plus marketing sent without valid consent or proper cookie compliance.
🏨 Guest registration data and marketing lists shared across booking channels and staff with no controls.
Don't see your sector? Tell us how you handle data — the principles are the same.
Why it matters
Article 32 of the GDPR requires appropriate technical and organisational measures to protect personal data — encryption, pseudonymisation, access control and systems that guarantee ongoing confidentiality, integrity and availability.
It isn't a legal checkbox. Data controllers and processors are directly liable, and EU authorities increasingly act on technical failures — not just missing paperwork. Most SME cases start with a complaint or a breach.
Personal data encrypted at rest and in transit, with least-privilege access and audit logs — not files on a shared drive everyone can open.
A clear legal basis for every data flow, valid consent where required, and a retention policy so data isn't kept forever "just in case".
The ability to detect and contain a personal-data breach and notify the DPA within 72 hours — with the documentation regulators expect.
Webristle is a full cybersecurity agency, not only a compliance advisor. Beyond the audit and the paperwork, our engineers implement the real fix: secure client intake, encryption, access control, consent and retention design, DPAs with your tools, breach procedures and staff training. One team from assessment to a genuinely compliant, secure operation.
How we work
A practical, sector-aware path — no 80-page report you'll never read.
We map how personal data really enters, moves and is stored in your business — the tools, the messages, the spreadsheets.
We identify the non-compliant flows and the concrete risks for your sector, prioritised by likelihood and impact.
We implement the fixes: secure intake, encryption, consent and retention, access control, DPAs and policies.
Records of processing, breach procedures and short staff training — so it stays compliant after we leave.
FAQ
Straight answers, no legalese.
Tell us how you handle data and we'll show you the gaps and the fix. No commitment, response within 4 working hours.