Turnkey audit follow-up

Compliance roll-out support — from audit report to execution

Documentation localised to Law 09-08 (no GDPR copy-paste), compliant cookie banner with real runtime blocking, technical hardening toward an Observatory A+ score, training of operational teams. Four parallel workstreams over 90 days.

Four workstreams

Documentation, consent, technical, human

The four pillars on which a compliance roll-out rests. Taken separately, each is useful; taken together, they create compliance that holds over time.

Localised documentation

Custom drafting of the privacy policy, legal notice and records of processing. No European GDPR copy-paste: each document explicitly references Law 09-08 and decree 2-09-165, with the right articles and the right terminology.
  • Privacy policy (Law 09-08 + GDPR if applicable)
  • Legal notice compliant with Moroccan and Belgian law
  • Records of processing (usable template, CSV and MDX formats)
  • Internal data subject rights procedure (articles 7 to 11)
  • Standard DPA to use with your processors
  • Incident management policy and CNDP notification

Banner and consent

Deployment of a compliant cookie banner with effective runtime blocking. No tracker fires before consent, category-level granularity, persistent choices, consent withdrawal as easy as collection.
  • Banner compliant with article 5(3) ePrivacy + CNDP doctrine
  • True runtime blocking (not mere display)
  • Categorisation (strictly necessary, analytics, marketing, etc.)
  • Consent storage with timestamp and version
  • “Manage my cookies” page accessible at all times
  • Integration with no US SaaS dependency (EU self-hosting)
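The runtime blocking and consent record described above, as an added example (not DataSouv's banner code): optional scripts are tagged with a category and nothing outside "strictly necessary" is activated until that category is granted under the current policy version. The policy version, category names and script inventory are constructed for illustration.

```javascript
// Added example, not the page's own code: consent gating at runtime.
// POLICY_VERSION and CATEGORIES are assumptions for this illustration.
const POLICY_VERSION = "2024-06";   // bump whenever the cookie policy changes
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Build a consent record: "necessary" is always on, every other category is
// opt-in, and the record carries a timestamp plus the policy version it was
// collected under (the "timestamp and version" requirement above).
function recordConsent(choices, now = Date.now()) {
  const categories = { necessary: true };
  for (const c of CATEGORIES.slice(1)) categories[c] = choices[c] === true;
  return { version: POLICY_VERSION, timestamp: now, categories };
}

// A record is only valid for the policy version it was given under; after a
// policy change the banner has to be shown again and consent re-collected.
function isConsentValid(record) {
  return !!record && record.version === POLICY_VERSION;
}

// Decide whether one tagged script may execute. In the page this is a script
// shipped as type="text/plain" with a data-consent-category attribute, so it
// never fires by default; here the tag is modelled as a plain object.
function mayRun(script, record) {
  if (script.category === "necessary") return true;
  if (!isConsentValid(record)) return false;
  return record.categories[script.category] === true;
}

// Runtime gate: return the scripts that may be activated given the record.
function activateAllowed(scripts, record) {
  return scripts.filter((s) => mayRun(s, record)).map((s) => s.src);
}

// Withdrawal is as easy as collection: a fresh record with every optional
// category off, timestamped like the original grant.
function withdrawConsent(now = Date.now()) {
  return recordConsent({}, now);
}

// Constructed inventory of tagged scripts, as a real banner would read from the DOM.
const SCRIPTS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```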

Technical hardening

Deployment or correction of HTTP security headers, TLS configuration, email anti-spoofing (SPF, DKIM, DMARC), DNS hardening, security.txt (RFC 9116). Explicit goal: Mozilla Observatory A or A+.
  • Strict Content-Security-Policy (report then enforcement)
  • HSTS preload, systematic HTTPS redirection
  • Cross-Origin Isolation (COOP, COEP, CORP)
  • SPF + DKIM + DMARC reject configuration
  • DNS hardening (CAA, DNSSEC where relevant)
  • security.txt RFC 9116 and responsible disclosure channel
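A check against the hardening targets listed above, as an added example (not DataSouv's tooling): it evaluates a set of response headers for CSP enforcement, preload-ready HSTS and the cross-origin isolation trio, and parses a DMARC TXT record for the reject policy. The sample headers and DMARC record are constructed to show a site partway through the roll-out; the domain names are placeholders.

```javascript
// Added example, not the page's own code: audit of the hardening targets.
function checkHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  // CSP: report-only is the first stage of the roll-out, enforcement is the target.
  if (h["content-security-policy"]) {
    if (/unsafe-inline|\*/.test(h["content-security-policy"])) findings.push("csp: permissive source list");
  } else if (h["content-security-policy-report-only"]) {
    findings.push("csp: report-only, not yet enforced");
  } else {
    findings.push("csp: missing");
  }
  // HSTS preload needs max-age of at least one year, includeSubDomains and preload.
  const hsts = h["strict-transport-security"] || "";
  const age = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
  if (age < 31536000 || !/includeSubDomains/i.test(hsts) || !/preload/i.test(hsts)) findings.push("hsts: not preload-ready");
  // Cross-origin isolation: COOP, COEP and CORP must all be present.
  if (h["cross-origin-opener-policy"] !== "same-origin") findings.push("coop: missing or not same-origin");
  if (!["require-corp", "credentialless"].includes(h["cross-origin-embedder-policy"])) findings.push("coep: missing");
  if (!h["cross-origin-resource-policy"]) findings.push("corp: missing");
  return findings;
}

// DMARC: parse tag=value pairs (split on the first "=" only, since rua holds a URI).
function checkDmarc(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  if (tags.v !== "DMARC1") return ["dmarc: invalid or missing record"];
  const findings = [];
  if (tags.p !== "reject") findings.push(`dmarc: policy is ${tags.p || "unset"}, target is reject`);
  if (tags.pct !== undefined && Number(tags.pct) < 100) findings.push("dmarc: pct below 100");
  if (!tags.rua) findings.push("dmarc: no aggregate reporting address");
  return findings;
}

// Constructed "before" state: CSP still in report mode, short HSTS, COOP only.
const SAMPLE_HEADERS = {
  "Content-Security-Policy-Report-Only": "default-src 'self'",
  "Strict-Transport-Security": "max-age=86400",
  "Cross-Origin-Opener-Policy": "same-origin",
};
const SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.test";
```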

Team training

Awareness sessions for operational teams (marketing, HR, support, IT) on daily compliance reflexes. No indigestible slide deck: targeted 90-minute workshops with case studies drawn from your real activity.
  • Marketing workshop: consent, mailing, targeting
  • HR workshop: candidates, video surveillance, BYOD
  • Support workshop: rights requests, reports
  • IT workshop: logging, backups, incidents
  • Executive workshop: responsibilities, compliance committee
  • Persistent learning materials delivered after every session

90-day format

Five contracted milestones, no scope creep

  1. Weeks 1-2: Scoping and prioritisation
     Re-use of the audit report (or short audit included if not yet done), prioritisation of workstreams, load allocation between DataSouv and your internal teams.

  2. Weeks 2-5: Documentation and filings
     Drafting of documentation (policy, notices, records, DPA), preparation of the required CNDP filings, signing of DPAs with existing processors.

  3. Weeks 4-8: Technical hardening
     Deployment of security headers, anti-spoofing configuration, rollout of the compliant banner with runtime blocking. Progressive testing in pre-production, then switch-over.

  4. Weeks 8-11: Training and adoption
     Business workshops, delivery of persistent materials, deployment of internal procedures (rights, reports, incidents). First iteration of the living records of processing.

  5. Week 12: Re-test and closing
     Technical re-test to verify fixes, consistency check on the documentation, debrief to the executive committee and shift to recurring mode (outsourced DPO option or full autonomy).

Frequently asked questions

What we are asked about the roll-out

Must I have run the audit with you to benefit from the roll-out?

No. We gladly pick up the report of another auditor or a law firm, provided it is detailed enough to be actionable. If not, a short audit (1 week) is included at kickoff to calibrate the work.

How long does the engagement last?

The standard format is 90 days. For organisations over 100 people or with a complex IT estate, the engagement typically extends over 4 to 6 months. Milestones are contracted to avoid mission creep.

Do you work with my teams or autonomously?

Always with your teams. Durable compliance cannot be delivered out-of-house by an external provider. Our role is to bring expertise, method and templates, and to coach your teams. We never create dependency.

What is the total investment?

For a standard 90-day package, from 80,000 MAD depending on scope. For organisations over 100 people or with group GDPR constraints, a dedicated quote is prepared. Workstreams can be spread over several quarters if cash flow or internal availability requires it.

And after 90 days?

Three options. (1) You take over full autonomy, with an optional annual review. (2) Outsourced DPO mission to ensure operational continuity. (3) On-demand support package for occasional questions, no commitment.

Can you work with our lawyers?

Yes, and it is even common. We coordinate the operational and technical side with your legal counsel on qualification of sensitive processing. Our deliverables are reviewed jointly with the firm when the topic requires.

Free scoping

Which workstream to prioritise at your place?

45 minutes of scoping to understand your starting point and identify the most urgent workstream. You leave with a first prioritisation, even if you do not follow up.