Capability · 04

Compliance.

GDPR and ePrivacy compliance as a continuous state, not an annual snapshot.

Technical consent management, daily tracking validation, server-side tag management compliant by design. Designed for sectors where a violation is simply not affordable — pharma, regulated food, finance, healthcare. At the centre of the service is GDPR Daily, our proprietary platform that validates tracking compliance every day, not once a year.

02 · The context

Compliance is a river, not a snapshot.

GDPR and ePrivacy are regulations that look static but operate in an ecosystem that changes every day. EDPB guidelines and Italian DPA (Garante Privacy) decisions are updated regularly. Browsers change their behaviour on cookies and tracking. CMPs release new versions that modify consent handling. Marketing adds scripts for new campaigns, IT integrates new tools, advertising partners change their pixels.

Each of these events can alter a site’s compliance posture without anyone noticing.

For most companies, the compliance snapshot is taken once or twice a year by a law firm or a consultant. Between one snapshot and the next, eight, ten, twelve months can go by — during which the site has moved on, scripts have multiplied, the consent banner has stopped working properly on Safari, a third-party pixel has started firing without consent.

When the DPA’s decision arrives — or even just a report from an active user — the gap is measured in months, and remediation happens in panic mode.

We approach compliance differently: we validate tracking every day. When something drifts, we know about it within 24 hours, not at year-end.

03 · What we include

Six operating areas in a single service.

01

GDPR Audit & Posture Assessment

Initial audit of the state of compliance: complete mapping of the tags firing on the site, inventory of cookies and third-party scripts, gap analysis against the EDPB guidelines and the Italian DPA’s decisions, risk register with intervention priorities.

02

CMP Implementation & Management

Setup and operating management of Consent Management Platforms (iubenda, OneTrust, Cookiebot, Didomi), integration with Google Consent Mode v2, UX optimisation of the banner to maximise consent rate without compromising compliance.

03

Server-side Tracking Compliant by Design

Server-side GTM architecture with consent-conditioned tag firing, IP anonymisation, data minimisation, endpoint servers in the EU. We work server-side from day one because it is the tracking mode that allows granular control of compliance.

04

GDPR Daily — continuous validation (proprietary platform)

Our proprietary platform: every 24 hours we automatically validate that tracking behaves as it should. Which tags are firing, in which consent state, with which payloads, from which domain. When a deviation is detected, the DPO and the Fortop team in charge of the client are alerted immediately.
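As an added illustration of what a daily validation of that kind checks (this is not GDPR Daily’s code), the script below holds a hypothetical policy stating which consent categories each tag requires and which endpoint it may send data to, then checks every tag firing observed in a crawl against it: firing without the required consent, sending to an unexpected domain, or carrying payload keys a minimised setup must not forward all count as deviations, and the share of clean firings is the Tag Firing Compliance figure. Tag names, domains, payload keys and the sample observations are constructed.

```python
from dataclasses import dataclass

# Hypothetical policy (constructed): consent categories each tag requires and
# the endpoint it may send data to. A real inventory comes from the audit.
POLICY = {
    "ga4":        {"requires": {"analytics_storage"}, "domains": {"sgtm.example.com"}},
    "meta_pixel": {"requires": {"ad_storage", "ad_user_data"}, "domains": {"sgtm.example.com"}},
}
# Payload keys a minimised, anonymised setup must never forward to a vendor (assumption).
FORBIDDEN_PAYLOAD_KEYS = {"client_ip", "email"}

@dataclass(frozen=True)
class Observation:
    consent: frozenset       # consent categories granted in this crawl's consent state
    tag: str
    domain: str              # endpoint the request went to
    payload_keys: frozenset  # keys present in the request payload

def check(obs):
    """Return deviation strings for one observed firing (empty list = compliant)."""
    rule = POLICY.get(obs.tag)
    if rule is None:
        return [f"{obs.tag}: not in inventory (fired towards {obs.domain})"]
    issues = []
    missing = rule["requires"] - obs.consent
    if missing:
        issues.append(f"{obs.tag}: fired without consent for {sorted(missing)}")
    if obs.domain not in rule["domains"]:
        issues.append(f"{obs.tag}: sent to unexpected endpoint {obs.domain}")
    leaked = obs.payload_keys & FORBIDDEN_PAYLOAD_KEYS
    if leaked:
        issues.append(f"{obs.tag}: payload carries {sorted(leaked)}")
    return issues

def validate(observations):
    """Validate one day's crawl: returns (Tag Firing Compliance %, list of deviations)."""
    results = [check(o) for o in observations]
    compliant = sum(1 for r in results if not r)
    rate = 100.0 * compliant / len(results) if results else 100.0
    return round(rate, 1), [d for r in results for d in r]

# Constructed sample: the same site crawled with consent granted and with consent denied.
GRANTED = frozenset({"analytics_storage", "ad_storage", "ad_user_data"})
DENIED = frozenset()
SAMPLE = [
    Observation(GRANTED, "ga4", "sgtm.example.com", frozenset({"client_id", "event"})),
    Observation(DENIED, "ga4", "sgtm.example.com", frozenset({"client_id", "event"})),         # drift
    Observation(DENIED, "meta_pixel", "www.facebook.com", frozenset({"event", "client_ip"})),  # drift
    Observation(GRANTED, "newvendor", "cdn.newvendor.example", frozenset({"event"})),         # unknown tag
]
```

Calling validate(SAMPLE) on this constructed crawl returns a 25.0% compliance rate with five deviation messages, each of which would be raised as an alert.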

05

Data Subject Rights Management

Operational management of data subject rights (access, erasure, portability, rectification) is handled by the client’s CMP. GDPR Daily monitors that the consent banner and rights links are properly exposed, in every consent state and on every domain, with immediate alerting in case of anomaly.

06

Regulatory Documentation & Liaison

Full documentary support: records of processing (Art. 30), DPIA for high-risk processing, updated cookie and privacy policies, documentation ready in case of inspection by the Italian DPA. We work alongside the client’s Legal teams — not in their place.

04 · How we work

Five phases, a platform that runs continuously.

Initial assessment

We open the project with a full audit: what you collect, from where, under which legal basis, in which consent state, with which vendors involved. Prioritised risk register with severity estimates for each exposure.

Remediation plan

We build an intervention plan with priorities, internal and external owners, timing. Discussed in a workshop with the client’s Legal, IT and Marketing team. Output: a 3–6 month operational roadmap.

Implementation

Technical execution: CMP, server-side tagging, anonymisation, data subject rights workflows, regulatory documentation. We work with the client’s internal teams, with weekly reviews.

GDPR Daily activation

We activate the platform on the domain. From this point on, tracking is validated automatically every 24 hours. The client has real-time access to the dashboard, and alerting is configurable.

Ongoing governance

Quarterly posture review, updates on regulatory news (EDPB guidelines, Italian DPA decisions, case law), incident response in case of anomalies. The client’s DPO always has a Fortop technical contact available.

05 · KPIs, output and stack

Compliance project KPIs.

KPI                          What it measures
Consent Compliance Rate      % of users whose consent state is managed correctly
Tag Firing Compliance        % of tags firing strictly in line with consent
Third-party Script Coverage  % of third-party scripts inventoried and tied to consent
Time to Detect               Time between a compliance deviation and its detection
Time to Remediate            Time between detection and correction
Audit Readiness Score        State of documentation ready for inspection by the Italian DPA

Expected results

Tag Firing Compliance: > 99%

Time to Detect via GDPR Daily: 24h

Complete third-party inventory: 60 days

Audit Readiness brought to “inspection-ready” status within the first quarter.

Typical deliverables

Records of processing (Art. 30), DPIA where required, cookie and privacy policies updated and legally coherent, GDPR Daily dashboard, monthly posture report, incident response playbook, technical documentation of the data flow.

Technical operating stack

Platform GDPR Daily (proprietary) · Google Tag Manager + GTM Server-Side · Consent Mode v2 · CMPs iubenda, OneTrust, Cookiebot, Didomi · GA4 with anonymisation · OneTrust Data Subject Rights · documentary templates updated to the EDPB guidelines and the Italian DPA’s decisions.

06 · When working with us makes sense

Let’s clarify the boundaries.

When we are the right partner

We are the right partner if you operate in pharma, regulated food, finance, healthcare, or in any sector where a GDPR violation becomes a reputational and business risk well before a regulatory risk.

We are the right partner if you manage multiple domains or multiple countries and need a single partner maintaining a coherent compliance standard.

We are the right partner if you have an in-house DPO looking for a technical operating partner to integrate with, rather than another law firm.

When we are not the right partner

We are not the right partner if you are looking for strictly legal advice: we manage the technical and operational side of compliance, and we work alongside specialist law firms but do not replace them.

If you need qualified legal advice on the legal basis of a processing operation, we point you to top-tier partners we collaborate with regularly.

We are not the right partner if you are looking for a “tickbox GDPR” minimum-effort setup: our model assumes active compliance, not symbolic compliance.

07 · Let’s talk

Talk to us about your compliance scope.